VacantServer WordPress sites are getting hammered with bad logins and probes.
We’ve implemented a plugin to log failed login attempts to syslog, and a Fail2Ban filter for the same. If you run these on RedHat, you’ll need some additional configuration info… here it is:
^%(__prefix_line)sAuthentication failure for .* from <HOST>$
Apache nohome regex (error_log):
[[]client <HOST>[]] File does not exist: .*/~.*
PHP noscript regex (/home/*/logs/error_log,/var/log/httpd/error_log):
[[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)
[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$
XMLRPC flood attacks — DDoS and probing (/home/*/logs/access_log):
<HOST>\s.*\s"POST\s/xmlrpc\.php\S*\s.*
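To check that these patterns fire on the right lines (and only those) before dropping them into a jail, here is a small Python harness, added here and not part of the original post or of Fail2Ban itself: it expands fail2ban's <HOST> tag and a simplified %(__prefix_line)s, runs each filter over constructed syslog, error_log and access_log lines, and tallies hits per host the way a jail does. The simplified syslog prefix, the sample lines and the maxretry value are assumptions; the xmlrpc pattern is used with the dot in xmlrpc.php escaped.

```python
import re
from collections import Counter
# fail2ban tags expanded as the daemon does; PREFIX_LINE is a simplified syslog prefix (assumption).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
PREFIX_LINE = r"\S+\s+\d+ \d+:\d+:\d+ \S+ \S+: "

# The failregex lines from the post, grouped by filter name.
FILTERS = {
    "wordpress": [r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$"],
    "apache-nohome": [r"[[]client <HOST>[]] File does not exist: .*/~.*"],
    "apache-noscript": [
        r"[[]client <HOST>[]] (File does not exist|script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)",
        r"[[]client <HOST>[]] script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat *$",
    ],
    "xmlrpc": [r'<HOST>\s.*\s"POST\s/xmlrpc\.php\S*\s.*'],
}

def to_python(failregex):
    """Translate a fail2ban failregex into a compiled Python pattern."""
    return re.compile(failregex.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))

def scan(filter_name, lines):
    """Count matching lines per source host, the way a jail tallies failures."""
    regexes = [to_python(r) for r in FILTERS[filter_name]]
    hits = Counter()
    for line in lines:
        for rx in regexes:
            if (m := rx.search(line)):
                hits[m.group("host")] += 1
                break  # one failure per line, even if several regexes match
    return hits

def to_ban(hits, maxretry=2):
    """Hosts at or over the jail's maxretry threshold (maxretry=2 is an assumption)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SYSLOG = [
    "Mar  3 10:15:02 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.7",
    "Mar  3 10:15:20 web1 wordpress(example.com)[1234]: Accepted password for editor from 198.51.100.9",
]
ERROR_LOG = [
    "[Tue Mar 03 10:15:03 2015] [error] [client 198.51.100.9] File does not exist: /var/www/html/~bob",
    "[Tue Mar 03 10:15:04 2015] [error] [client 198.51.100.9] File does not exist: /var/www/html/pma/setup.php",
    "[Tue Mar 03 10:15:05 2015] [error] [client 198.51.100.9] script '/var/www/cgi-bin/test.pl' not found or unable to stat",
]
ACCESS_LOG = [
    '203.0.113.7 - - [03/Mar/2015:10:15:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
    '203.0.113.7 - - [03/Mar/2015:10:15:06 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 370 "-" "-"',
]
```

The successful-login syslog line and the nohome line without a .php/.pl path are deliberately present so you can see each filter ignoring what it should.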
Please also enable the generic apache-nohome and apache-noscript filters, and install the WP fail2ban plugin (configured for your server) on your high-traffic blogs. All of these are helping during the current onslaught, which also includes probing for wp-admin directories, probing for /wp-admin/login.php, and comment spam.
A new XMLRPC exploit has the script kiddies doing DDoS and probing for vulnerable services, and possibly doing remote code execution on vulnerable services.
Here are some additional resources:
- RegEx testing tool: RegExr (AIR and web versions)
- use Fail2Ban’s built-in regex testing
- additionally, try 23x’s Apache WordPress Fail2Ban advice
- block spammer IPs via Akismet: Spam-Log Plugin