[CentOS] slammed

Thu Oct 2 16:44:22 UTC 2014
Paul Heinlein <heinlein at madboa.com>

On Thu, 2 Oct 2014, jwyeth.arch at gmail.com wrote:

> Disabling XMLRPC completely via wp-config.php is quite easy.. I can 
> send required info when I'm in front of a computer. You can also use 
> an .htaccess rule for Apache to stop requests completely. I'm sure 
> there's also rules for Nginx, lighttpd, etc that can be found quite 
> easily via Google. Surprised most people don't have this 
> disabled/blocked already.

Another good trick to keep IP-based scanners off your back is to make 
sure that all HTTP requests have a valid Host: header. In Apache, it's 
easy. The first-listed <VirtualHost> declaration is the default if a 
client fails to provide a Host: header in the request. So the initial 
Virtual host is basically a deny-all container, e.g.,

# Catch-all vhost: matches any request whose Host: header names no
# vhost below (or that carries no Host: header at all), so IP-based
# scanners land here and are refused unless they come from a trusted
# address.
<VirtualHost *:80>
   ServerSignature off
   <Location />
     <RequireAny>
       Require local
       Require ip [some administrative IP addr]
     </RequireAny>
   </Location>
</VirtualHost>

# Named vhost: only reached by requests with a matching Host: header.
<VirtualHost *:80>
   ServerName www.you.com
   # the real work happens here ...
</VirtualHost>


For extra credit, you can write a fail2ban filter that scans the 
default ErrorLog for telltale signs of IP-based scanning (watch out 
for unintended line-wrapping in the example below).

# /etc/fail2ban/filter.d/apache-iponly.conf
[DEFAULT]

# Apache 2.4 error-log prefix up to and including the client address.
# Threaded MPMs (worker/event) log "[pid N:tid M]", hence the optional
# ":tid" part; fail2ban expands <HOST> into its own address pattern.
_apache_error_msg = \[[^]]*\] \[\S*:error\] \[pid \d+(:tid \d+)?\] \[client <HOST>(:\d{1,5})?\]

[Definition]

# Line 1: request rejected by the deny-all default vhost above.
# Line 2: probe for a script that does not exist on this host.
failregex = ^%(_apache_error_msg)s (AH0\d+: )?client denied by server configuration: (uri )?.*$
             ^%(_apache_error_msg)s script '\S+' not found or unable to stat(, referer: \S+)?\s*$

ignoreregex =

-- 
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W
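As an added example that is not part of Paul's post, the following Python script applies the filter's two failregex patterns (with fail2ban's usual expansion of <HOST>, and an optional ":tid" field for threaded MPMs) to a few constructed Apache 2.4 ErrorLog lines and tallies hits per client address, which lets you verify the filter before loading it into a jail. The sample lines and the maxretry threshold are assumptions made for the demonstration.

```python
import re
from collections import Counter

# fail2ban expands the <HOST> tag into this capture group (classic expansion:
# optional IPv4-mapped IPv6 prefix, then the address).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Prefix shared by both patterns; "(:tid \d+)?" lets threaded MPMs
# (worker/event), which log "[pid N:tid M]", match as well.
APACHE_ERROR_MSG = (r"\[[^]]*\] \[\S*:error\] \[pid \d+(:tid \d+)?\] "
                    r"\[client " + HOST + r"(:\d{1,5})?\]")

FAILREGEX = [
    re.compile(r"^" + APACHE_ERROR_MSG
               + r" (AH0\d+: )?client denied by server configuration: (uri )?.*$"),
    re.compile(r"^" + APACHE_ERROR_MSG
               + r" script '\S+' not found or unable to stat(, referer: \S+)?\s*$"),
]

# Constructed sample ErrorLog lines (addresses from documentation ranges).
SAMPLE_LOG = """\
[Thu Oct 02 16:44:22.123456 2014] [authz_core:error] [pid 1234] [client 203.0.113.5:43210] AH01630: client denied by server configuration: /var/www/html/
[Thu Oct 02 16:44:23.000001 2014] [cgi:error] [pid 1235:tid 139700000000000] [client 203.0.113.5:43211] script '/var/www/cgi-bin/php' not found or unable to stat
[Thu Oct 02 16:44:24.000001 2014] [core:notice] [pid 1000] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Oct 02 16:44:25.000001 2014] [authz_core:error] [pid 1236] [client 198.51.100.7:51000] AH01630: client denied by server configuration: /var/www/html/xmlrpc.php, referer: http://example.invalid/
"""


def matching_host(line):
    """Return the client address if the line matches any failregex, else None."""
    for pattern in FAILREGEX:
        m = pattern.match(line)
        if m:
            return m.group("host")
    return None


def count_failures(log_text):
    """Tally matching lines per client address, as fail2ban does per jail."""
    counts = Counter()
    for line in log_text.splitlines():
        host = matching_host(line)
        if host:
            counts[host] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry=2):
    """Addresses that reached the maxretry threshold (findtime ignored here)."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)
```

Running it on real data is a matter of passing the contents of the default vhost's ErrorLog to count_failures(); the same check is what `fail2ban-regex <logfile> apache-iponly.conf` performs once the filter is installed.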