xmlrpc fail2ban block

First, I needed to create a filter, telling fail2ban what kinds of requests I wanted to block. On my system I created a file at /etc/fail2ban/filter.d/apache-xmlrpc.conf. The file is fairly simple (fail2ban filter files need the [Definition] section header, which was missing from the original listing):

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc.php.*
ignoreregex =

This tells fail2ban how to parse the log files to find POST requests for xmlrpc.php, and where in each line to find the client IP address (the <HOST> tag). You might need to adjust the regex if your log files are formatted differently.
Now that we’ve created the filter, we tell fail2ban to use it. We open /etc/fail2ban/jail.conf and add this rule:


As for me, I wanted fail2ban to count hits over a one-hour window (findtime) and ban offenders for 24 hours (bantime). (This may likely get tweaked in the future depending on how it performs.) On my Ubuntu test environment, jail.local got:

[apache-xmlrpc]
enabled = true
port = http,https
filter = apache-xmlrpc
# the filter regex parses Apache access-log lines, so logpath must be the access log;
# the original listing pointed at /var/log/auth.log, which that regex never matches
logpath = /var/log/apache2/access.log
findtime = 3600
bantime = 86400

While in contrast, on CentOS production, jail.local got:

[apache-xmlrpc]
enabled = true
filter = apache-xmlrpc
# Apache access log on CentOS (the original listing pointed at /var/log/secure, the sshd log)
logpath = /var/log/httpd/access_log
findtime = 3600
bantime = 86400
action = iptables-multiport[name=wordpress,port="80,443"]
Adjust the logpath parameter to point to your Apache access logs, and adjust maxretry to taste.
Restart fail2ban:
sudo service fail2ban restart
And you should soon find Apache handling far fewer requests. An added benefit to using fail2ban: legitimate requests to xmlrpc.php (e.g., trackbacks) should still get through.
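To see what the filter and jail settings above actually do before enabling them, here is an added example (not code from the original post or from fail2ban) that replays constructed Apache access-log lines through the same failregex and a simplified version of the jail's findtime/maxretry/bantime logic. The expansion of the <HOST> tag is a simplified stand-in for fail2ban's real substitution, the sample log lines are made up for the example, and maxretry defaults to 5 to mirror the jail.conf default. It also shows why logpath has to be the Apache access log: an auth.log-style sshd line never matches the regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex exactly as written in the filter file above.
FAILREGEX = r"^<HOST> .*POST .*xmlrpc.php.*"

# fail2ban replaces the <HOST> tag with a named group that captures the client address
# (optionally prefixed by an IPv4-mapped IPv6 marker). This is a simplified stand-in for
# that substitution, an assumption of this example rather than fail2ban's exact pattern.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

# Apache access-log timestamp, e.g. [10/Oct/2023:13:55:36 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# Constructed sample lines (not real traffic): an old hit and then a burst of POSTs to
# xmlrpc.php from one client, a single trackback-style POST from another client, a GET
# that must not count, and an auth.log-style sshd line that the regex cannot match.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:12:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/6.3"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    'Oct 10 13:55:36 web sshd[1234]: Failed password for root from 203.0.113.7 port 2222 ssh2',
]


def match_host(line):
    """Return the client address if the line matches the filter's failregex, else None."""
    m = FAIL_RE.match(line)
    return m.group("host") if m else None


def parse_time(line):
    """Extract the request timestamp from an access-log line (None if absent)."""
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), TS_FMT) if m else None


def simulate_jail(lines, findtime=3600, maxretry=5, bantime=86400):
    """Replay log lines through the jail logic: a host is banned once it produces
    maxretry matches inside a sliding findtime window; while banned, its further
    lines are ignored (iptables would have dropped them). Returns {host: ban_time}.
    maxretry=5 mirrors the jail.conf default, since the jail above does not set it."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        host = match_host(line)
        ts = parse_time(line) if host else None
        if host is None or ts is None:
            continue  # not a POST to xmlrpc.php, or not an access-log line at all
        if host in banned and ts < banned[host] + timedelta(seconds=bantime):
            continue  # still banned
        # keep only this host's hits that fall inside the findtime window
        window = [t for t in recent[host] if t > ts - timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
            recent[host] = []
    return banned


if __name__ == "__main__":
    for host, when in simulate_jail(SAMPLE_LOG).items():
        print(f"ban {host} at {when}")
```

With the page's settings the burst from 203.0.113.7 is banned at the fifth POST inside the hour (the 12:00 hit has aged out of the window), the single trackback from 198.51.100.9 is left alone, and the GET and sshd lines never count. Against a real log, the equivalent check is fail2ban's own tool: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-xmlrpc.conf reports how many lines the failregex matches and which addresses it extracts.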
The xmlrpc.php file block can also be set up globally, for all sites:

vim /etc/httpd/conf.d/blockxmlrpc.conf
OR, for Ubuntu:
vim /etc/apache2/conf-available/blockxmlrpc.conf (then: a2enconf blockxmlrpc.conf)

<Files xmlrpc.php>
Order Allow,Deny
Deny from All
</Files>
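The Order/Deny directives above are Apache 2.2 access-control syntax; on Apache 2.4 they only work when mod_access_compat is loaded. Here is an added example (not from the original post) of the same global block written so it works on either version. Note that unlike the fail2ban jail, a global block also stops the legitimate xmlrpc.php traffic (trackbacks and similar) mentioned earlier, so it is the blunter of the two options.

```apache
# Added example: same global xmlrpc.php block, portable across Apache 2.2 and 2.4.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
```

After adding it, check the syntax with apachectl configtest (or apache2ctl configtest on Ubuntu) before reloading.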

jim has written 83 articles
