> Date: Friday, May 20, 2016 16:09:58 -0700
> From: Kurtis Rader <krader@xxxxxxxxxxxxx>
>
> On Fri, May 20, 2016 at 4:00 PM, Roman Gelfand
> <rgelfand2@xxxxxxxxx> wrote:
>
>> In the last 2 days we have received roughly 1 million of the
>> following requests. Just to confirm, is this a DOS attack?
>>
>> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
>> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows
>> NT 6.0)"
>>
>
> Probably just broken malware trying to guess WordPress account
> credentials. It's probably been handed just your host name or IP
> address and, not having any other victims to target, keeps
> repeatedly hitting your site. I occasionally see this type of
> behavior. I have my firewall configured to blackhole the source
> when there are an unreasonable number of POST requests in a short
> interval.
>
>
>> Also, what does this mean?
>>
>> ::1 - - [20/May/2016:18:26:09 -0400] "OPTIONS * HTTP/1.0" 200 - "-"
>> "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy
>> connection)"
>>
>
> It's checking whether your web server allows the OPTIONS command
> which might allow other forms of attacks to succeed. I strongly
> recommend disallowing that HTTP command. Easiest way is via
> mod_allowmethods:
> https://httpd.apache.org/docs/2.4/mod/mod_allowmethods.html

This:

    ::1 - - [20/May/2016:18:26:09 -0400] ...

is coming from your localhost-ipv6 -- i.e., these are being generated by something on the server itself.

In the case of the connections from "191.96.249.52" ... I would just firewall off that ip (and associated range as necessary) with iptables.
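As an added example (not code from any of the posters above), the script below implements the kind of check Kurtis describes: it parses Apache combined-format access log lines, counts POST requests to /xmlrpc.php per source address inside a sliding time window, and reports sources that cross a threshold. It also sets aside the loopback "internal dummy connection" entries, which Apache's parent process generates itself to wake up idle children, so they never count toward any source's rate. The sample log lines are constructed for the example (the bot address is the one quoted in the thread; 198.51.100.7 is a documentation-range address standing in for an ordinary visitor), and the threshold and window values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat, matching the two log lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

DUMMY_UA_MARKER = "internal dummy connection"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_internal_dummy(rec):
    """True for Apache's own wake-up requests: loopback source plus the server's UA."""
    return rec["ip"] in ("::1", "127.0.0.1") and DUMMY_UA_MARKER in rec["ua"]


def count_internal_dummy(lines):
    """How many of the given lines are Apache's own dummy connections (noise, not a client)."""
    return sum(1 for ln in lines if (r := parse_line(ln)) and is_internal_dummy(r))


def find_floods(lines, path="/xmlrpc.php", threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources that made >= threshold POSTs to `path`
    within any `window`-long span. Lines may arrive in any order; they are sorted
    by timestamp first. threshold/window are assumed values, not from the thread."""
    records = [r for r in map(parse_line, lines) if r and not is_internal_dummy(r)]
    records.sort(key=lambda r: r["ts"])
    recent = defaultdict(deque)  # per-ip timestamps of POSTs still inside the window
    flagged = {}
    for rec in records:
        if rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# ---- constructed sample log (not real traffic) ----
_BASE = datetime(2016, 5, 20, 18, 19, 22, tzinfo=timezone(timedelta(hours=-4)))
_BOT_UA = "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
_DUMMY_UA = "Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16 (internal dummy connection)"
_BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/45.0"


def _line(ip, secs, method, path, status, size, ua):
    ts = (_BASE + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.0" {status} {size} "-" "{ua}"'


SAMPLE_LOG = (
    # eight xmlrpc.php POSTs from the quoted bot address, three seconds apart, all 500s
    [_line("191.96.249.52", i * 3, "POST", "/xmlrpc.php", 500, 251, _BOT_UA) for i in range(8)]
    + [
        _line("::1", 40, "OPTIONS", "*", 200, "-", _DUMMY_UA),
        _line("::1", 100, "OPTIONS", "*", 200, "-", _DUMMY_UA),
        # an ordinary visitor: a page view and a single legitimate xmlrpc call
        _line("198.51.100.7", 10, "GET", "/index.php", 200, 5120, _BROWSER_UA),
        _line("198.51.100.7", 12, "POST", "/xmlrpc.php", 200, 370, _BROWSER_UA),
    ]
)

if __name__ == "__main__":
    print("internal dummy connections ignored:", count_internal_dummy(SAMPLE_LOG))
    for ip, peak in find_floods(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to /xmlrpc.php inside one window")
```

The addresses this returns are what you would hand to the iptables drop rule the last reply suggests (or to an automated blocker such as fail2ban); a 500 on every one of those POSTs also means PHP is doing real work for each hit, which is why the rate, not just the status, is the thing to watch. Note that the `::1` OPTIONS entries are not a client probe at all but Apache's own keep-alive mechanism, so a mod_allowmethods `AllowMethods` restriction aimed at external clients will not make those log lines disappear; the filter above simply excludes them from the per-source counts.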