Ticket #851 (new maintenance)

Opened 19 months ago

Last modified 19 months ago

Bot attacks on Transition Culture

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Parrot server Keywords:
Cc: ade, sam, annesley, paul Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.25

Description

Yesterday there was a load spike on ParrotServer caused by a bot doing thousands of POSTs to xmlrpc.php.

Change History

comment:1 Changed 19 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

I have added this to the main .htaccess file for http://transitionculture.org/

# This was being abused
# Deny every request for xmlrpc.php (Apache 2.2 Order/Deny syntax)
<Files xmlrpc.php>
   Order deny,allow
   deny from all
</Files>

I also used iptables to block the IP address doing this yesterday -- it did 45,856 POSTs, pretending to be Google, in one day:

185.62.188.91 - - [09/May/2015:14:08:26 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;  http://www.google.com/bot.html)" 548 595

We should also consider installing WP fail2ban -- the site sees a lot of attempts to brute-force it; for example, there are between 500 and 1.5k attempts a day on Transition Culture, 62.5k in the last month:

grep wp-login.php access.log-20150510 | wc -l
573
zgrep wp-login.php access.log-20150509.gz | wc -l
454
zgrep wp-login.php access.log-20150508.gz | wc -l
567
zgrep wp-login.php access.log-20150507.gz | wc -l
1581
zgrep wp-login.php access.log-20150506.gz | wc -l
953
zgrep wp-login.php access.log-20150505.gz | wc -l
1525
zgrep wp-login.php access.log-20150504.gz | wc -l
1250
zgrep wp-login.php access.log-20150503.gz | wc -l
496

For the server as a whole, 1/3 million brute-force attempts in the last month:

zgrep wp-login.php */logs/access*.gz | wc -l
335599
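The two patterns this comment works out by hand (the per-IP flood of POSTs to xmlrpc.php from a client claiming to be Googlebot, and the daily wp-login.php tally) as a small log-triage script. This is an added example, not code from the ticket or from the Transition Culture server: the function names are made up for the example, the log lines are constructed (only the first address and its Googlebot user agent echo the line quoted above; the other addresses are documentation ranges), and the input is assumed to be Apache combined-format access logs like the ones the comment greps.

```shell
#!/bin/sh
# Added example: triage helpers for the two abuse patterns in the ticket,
# run over Apache combined-format access logs (file or zcat output on stdin).

# Constructed sample log. Only the first IP and its Googlebot user agent
# mirror the line quoted in the ticket; the rest is made up for the demo.
sample_log() {
    cat <<'EOF'
185.62.188.91 - - [09/May/2015:14:08:26 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 548 595
185.62.188.91 - - [09/May/2015:14:08:27 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 548 595
185.62.188.91 - - [09/May/2015:14:08:28 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 548 595
203.0.113.7 - - [09/May/2015:14:09:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0" 700 4100
203.0.113.7 - - [09/May/2015:14:09:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0" 700 4100
198.51.100.4 - - [09/May/2015:14:10:15 +0100] "GET /wp-login.php HTTP/1.1" 200 3800 "-" "Mozilla/5.0" 300 4000
198.51.100.4 - - [09/May/2015:14:10:40 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.2; http://example.org" 500 600
192.0.2.9 - - [09/May/2015:14:11:00 +0100] "GET /2015/05/some-post/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 400 15500
EOF
}

# POSTs to xmlrpc.php per client IP, busiest first, as "<count> <ip>".
# In the combined format field 6 is the quoted method and field 7 the path.
xmlrpc_posts_by_ip() {
    awk '$6 == "\"POST" && index($7, "/xmlrpc.php") == 1 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs with more than $1 xmlrpc.php POSTs: candidates for an iptables DROP
# rule like the one the ticket describes.
xmlrpc_abusers() {
    xmlrpc_posts_by_ip | awk -v t="$1" '$1 > t { print $2 }'
}

# IPs whose user agent claims to be Googlebot. The header is trivially forged,
# so each address still needs the reverse-then-forward DNS check (see the
# note below) before it is trusted or whitelisted.
googlebot_claimants() {
    awk '/Googlebot/ { print $1 }' | sort -u
}

# Requests for wp-login.php: the per-day figure the ticket tallies with grep.
wp_login_attempts() {
    grep -c 'wp-login.php'
}

# Demo on the constructed sample. On a server, feed a real log instead, e.g.
#   zcat access.log-20150509.gz | xmlrpc_abusers 1000
sample_log | xmlrpc_posts_by_ip
sample_log | xmlrpc_abusers 2
sample_log | googlebot_claimants
sample_log | wp_login_attempts
```

Two caveats a practitioner would add before acting on the output. First, a Googlebot user agent proves nothing; Google's documented check is to reverse-resolve the IP, confirm the name ends in googlebot.com or google.com, then forward-resolve that name and confirm it maps back to the same address (`host 185.62.188.91`, then `host` on the returned name). An address that fails that check and is hammering xmlrpc.php is safe to drop. Second, the `Order deny,allow` / `deny from all` block in the .htaccess above is Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is `Require all denied` unless mod_access_compat is loaded, and denying xmlrpc.php outright also disables anything that legitimately uses it, such as pingbacks and remote-publishing clients.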