
Block xmlrpc.php on Apache for all Domains on Ubuntu

I was having very high CPU consumption on my Ubuntu server, and most of my Apache websites were down.

I just went to check the Apache logs in /var/log/apache2 and I saw that there was someone doing an xmlrpc attack on my WordPress sites.

54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:19 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:27:27 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:27:54 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:28:00 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
54.38.157.178 - - [01/Oct/2018:11:27:30 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

The fastest way to stop it would be to just block that file on the Apache server.

Edit the file /etc/apache2/apache2.conf

And add these lines wherever you find suitable

<files xmlrpc.php>
order allow,deny
deny from all
</files>

Then reload apache2 config files with:

service apache2 reload

Then all the problems were fixed, I mean the high CPU consumption, but you won’t be able to use Jetpack to update your plugins.

Just remove the 4 lines above from apache2.conf and reload the Apache server to be able to use Jetpack again to update plugins.

An alternative would be to block the attacking IP with ufw, for example, or, even better, to configure fail2ban with ufw.
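Before picking an IP to block with ufw or a retry threshold for fail2ban, it helps to see which clients are actually hammering xmlrpc.php and how fast. The script below is an added example, not part of the original post: the function names `sample_log` and `xmlrpc_offenders` and the sample lines (documentation-range addresses) are constructed, and the field positions assume the Apache combined log format shown in the log excerpt above.

```shell
#!/bin/sh
# Constructed sample in Apache combined log format (documentation-range IPs).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [01/Oct/2018:11:27:27 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Oct/2018:11:27:54 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Oct/2018:11:28:00 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Oct/2018:11:28:18 +0200] "POST /xmlrpc.php HTTP/1.0" 500 556 "-" "Mozilla/4.0"
203.0.113.7 - - [01/Oct/2018:11:28:19 +0200] "POST /xmlrpc.php?x=1 HTTP/1.0" 500 556 "-" "Mozilla/4.0"
198.51.100.20 - - [01/Oct/2018:11:28:20 +0200] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.58.0"
192.0.2.15 - - [01/Oct/2018:11:28:22 +0200] "POST /blog/xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.9"
EOF
}

# xmlrpc_offenders [THRESHOLD] < access.log
# Prints "total peak_per_minute ip" for every client with at least THRESHOLD
# POSTs to xmlrpc.php (default 5), busiest client first.
xmlrpc_offenders() {
  awk -v threshold="${1:-5}" '
    # Combined log format: $1 = client IP, $4 = [timestamp, $6 = "METHOD, $7 = path
    $6 == "\"POST" {
      path = $7
      sub(/\?.*$/, "", path)                 # ignore any query string
      if (path !~ /\/xmlrpc\.php$/) next     # also matches sub-directory installs
      total[$1]++
      minute = substr($4, 2, 17)             # dd/Mon/yyyy:hh:mm
      n = ++per_minute[$1 SUBSEP minute]
      if (n > peak[$1]) peak[$1] = n
    }
    END {
      for (ip in total)
        if (total[ip] >= threshold) print total[ip], peak[ip], ip
    }
  ' | sort -rn
}

# Demo run on the constructed sample.
sample_log | xmlrpc_offenders 5
```

On the server, feed it the real log instead, for example `xmlrpc_offenders 20 < /var/log/apache2/access.log`. The peak-per-minute column is a reasonable starting point for a fail2ban maxretry/findtime pair that catches the flood without banning a legitimate client that posts occasionally.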
