Transition Technology: Ticket #851: Bot attacks on Transition Culture http://localhost:8080/trac/ticket/851 <p> Yesterday there was a load spike on <a class="wiki" href="http://localhost:8080/trac/wiki/ParrotServer">ParrotServer</a> caused by a bot doing thousands of POSTs to <tt>xmlrpc.php</tt>. </p> en-us Transition Technology /trac/chrome/site/TransitionNetwork-Logo-Web-Small.jpg http://localhost:8080/trac/ticket/851 Trac 0.12.5 chris Sun, 10 May 2015 11:26:01 GMT hours, totalhours changed http://localhost:8080/trac/ticket/851#comment:1 http://localhost:8080/trac/ticket/851#comment:1 <ul> <li><strong>hours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> <li><strong>totalhours</strong> changed from <em>0.0</em> to <em>0.25</em> </li> </ul> <p> I have added this to the main <tt>.htaccess</tt> file for <a class="ext-link" href="http://transitionculture.org/"><span class="icon">​</span>http://transitionculture.org/</a> </p> <pre class="wiki"># This was being abused &lt;Files xmlrpc.php&gt; Order deny,allow deny from all &lt;/Files&gt; </pre><p> I also used IP tables to block the IP address doing this yesterday -- it did 45,856 POSTs, pretending to be Google, in one day: </p> <pre class="wiki">185.62.188.91 - - [09/May/2015:14:08:26 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)" 548 595 </pre><p> We should also consider installing <a class="ext-link" href="https://wordpress.org/plugins/wp-fail2ban/"><span class="icon">​</span>WP fail2ban</a> -- the site sees a lot of attempts to brute force it, for example there are between 500 and 1.5k attempts a day on Transition Culture, 62.5k in the last month: </p> <pre class="wiki">grep wp-login.php access.log-20150510 | wc -l 573 zgrep wp-login.php access.log-20150509.gz | wc -l 454 zgrep wp-login.php access.log-20150508.gz | wc -l 567 zgrep wp-login.php access.log-20150507.gz | wc -l 1581 zgrep wp-login.php access.log-20150506.gz | wc -l 953 zgrep wp-login.php access.log-20150505.gz | wc -l 1525 zgrep wp-login.php access.log-20150504.gz | wc -l 1250 zgrep wp-login.php access.log-20150503.gz | wc -l 496 </pre><p> For the server as a whole, 1/3 million brute force attempts in the last month: </p> <pre class="wiki">zgrep wp-login.php */logs/access*.gz | wc -l 335599 </pre> Ticket