fail2ban-xmlrpc



The following guide will show how to use fail2ban to block xmlrpc attacks.

First we need a filter: the rules (regular expressions) that the jail will apply to each log line to decide whether it counts as an attack. Create a file called /etc/fail2ban/filter.d/xmlrpc.conf with the following content:

[INCLUDES]

before = common.conf

[Definition]

failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
The failregex above matches any POST request to xmlrpc.php, with <HOST> capturing the client IP at the start of the access-log line. Note that legitimate WordPress clients (for example the Jetpack plugin and the WordPress mobile apps) also POST to xmlrpc.php, so check whether you rely on them before enabling the jail.

Now add the following jail to your /etc/fail2ban/jail.conf file. Comments are placed on their own lines because fail2ban treats # as a comment only at the start of a line (inline comments use ;), so a trailing # ... would otherwise become part of the value:
[xmlrpc]
enabled   = true
port      = http,https
# name of the filter found in /etc/fail2ban/filter.d/
filter    = xmlrpc
# block the IP address on all ports
banaction = iptables-allports
# which log files to read when looking for xmlrpc.php requests; you can
# specify a more precise file if only one site has xmlrpc.php
logpath   = %(nginx_access_log)s
# 5 lines matching the regex can be found before banning
maxretry  = 5
# time window (seconds) in which the matching POST requests must occur
findtime  = 3600
# how long (seconds) the IP will be banned for
bantime   = 7200
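To check what the filter and jail above will actually do before enabling them, here is an added example (not part of the original guide or of fail2ban) that applies the page's failregex to constructed nginx access-log lines and replays the maxretry/findtime logic. The HOST_RE pattern is a simplified stand-in for the group fail2ban substitutes for <HOST>, and all IP addresses and log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified form of the named group fail2ban substitutes for <HOST>
# (the real one also covers IPv6 and hostnames more fully).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = re.compile(r"^<HOST> .*POST .*xmlrpc\.php.*".replace("<HOST>", HOST_RE))
TS_RE = re.compile(r"\[([^\]]+)\]")  # nginx timestamp in [ ... ]

# Constructed nginx access-log lines (combined format) for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2024:07:20:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2024:07:20:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2024:07:20:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2024:07:20:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [23/May/2024:07:20:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2024:07:21:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"
192.0.2.4 - - [23/May/2024:07:22:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"
192.0.2.4 - - [23/May/2024:07:22:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "curl/8.0"
"""

def match_host(line):
    """Return the <HOST> captured by the filter's failregex, or None if no match."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None

def hosts_to_ban(log_text, maxretry=5, findtime=3600):
    """Replay the jail's logic: a host is banned once maxretry matching lines
    fall within a window of findtime seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        host = match_host(line)
        if host is None:
            continue
        ts = datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits[host].append(ts)
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(maxretry - 1, len(times)):
            if (times[i] - times[i - maxretry + 1]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # {'203.0.113.7'}
```

The GET request and the POST to wp-login.php never match the filter, and the single Jetpack-style POST stays well under maxretry, so only the host with five POSTs inside the window is banned.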




fail2ban-xmlrpc.1473001675.txt.gz · Last modified: 2024/05/23 07:26 (external edit)

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain