blocking xmlrpc.php

Dear all,

  I have a cPanel server with the Apache web server running and I have seen many
xmlrpc accesses from fake Google bots. In my pursuit of blocking those
connections I enabled the following rules in my csf (iptables based
firewall):

iptables -I INPUT -p tcp --dport 80 -m state --state NEW \
    -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 \
    -m string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 82 -m state --state NEW \
    -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 \
    -m string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 80 -m state --state NEW \
    -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 \
    -m string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 82 -m state --state NEW \
    -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 \
    -m string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -j DROP

On port 80 I have Varnish and on port 82 my Apache web server.

Now cPanel still reports high CPU usage but gives no information (IPs or
requests).



Srv   PID   Acc         M  CPU      SS   Req   Conn  Child  Slot    Client   VHost  Request
0-61  5251  0/929/5793  _  4698.00  102  461   0.0   16.11  117.25  x.x.x.x
0-61  5251  0/922/5832  _  4696.41  110  398   0.0   18.92  83.23   x.x.x.x
0-61  5251  0/946/5907  _  4699.11  4    919   0.0   23.19  111.11  x.x.x.x
0-61  5251  0/922/5843  _  4691.70  114  2882  0.0   16.46  98.01   x.x.x.x


I suspect that the previous connections trying to exploit xmlrpc.php are
now just being logged and shown as "Waiting for connection".

Maybe the iptables rule should be different?

Thanks

Miguel
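Because the HTTP request line only travels in packets after the TCP handshake (the SYN that conntrack classes as NEW carries no payload), a string match restricted to --state NEW rarely fires, which leaves the access log as the place to count these hits. The following added example is not from the post nor from cPanel, csf or Apache: it applies the same 3-hits-in-10-seconds threshold from the rules above to Apache combined log lines and reports the source IPs, assuming the log records the real client address (behind Varnish that means logging X-Forwarded-For rather than the peer address).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format. %h is the peer address: on a server where Varnish
# sits in front of Apache, that is Varnish itself, so the log format must record
# X-Forwarded-For instead for per-client counts to be meaningful.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return the fields this check needs, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "path": m.group("path"),
            "ua": m.group("ua"), "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")}

def find_xmlrpc_abusers(lines, window_seconds=10, hitcount=3):
    """Same threshold as the 'recent' rules in the post: flag an IP once it has sent
    `hitcount` GET/POST requests for xmlrpc.php inside any `window_seconds` span.
    Returns {ip: True if the tripping request claimed to be Googlebot, else False}."""
    recent = defaultdict(deque)   # ip -> timestamps of xmlrpc.php hits still in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "POST"):
            continue
        if rec["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # the newest entry always stays, so this terminates
        if len(q) >= hitcount:
            # A Googlebot user agent is only a claim; confirming it needs a reverse DNS
            # lookup of the IP plus a forward lookup of that name (not done offline here).
            flagged[rec["ip"]] = "Googlebot" in rec["ua"]
    return flagged

# Constructed sample lines using documentation addresses; not taken from the post.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "%s"' % GOOGLEBOT_UA,
    '203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "%s"' % GOOGLEBOT_UA,
    '203.0.113.7 - - [10/Mar/2015:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "%s"' % GOOGLEBOT_UA,
    '198.51.100.4 - - [10/Mar/2015:10:00:20 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2015:10:00:40 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2015:10:01:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
]
```

Anything flagged still deserves an allow-list check before it is blocked, since a shared proxy or a genuine crawler can trip the same threshold.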
