On Thu, 2 Oct 2014, jwyeth.arch@gmail.com wrote:
Disabling XMLRPC completely via wp-config.php is quite easy. I can send required info when I'm in front of a computer. You can also use an .htaccess rule for Apache to stop requests completely. I'm sure there are also rules for Nginx, lighttpd, etc. that can be found quite easily via Google. Surprised most people don't have this disabled/blocked already.
Another good trick to keep IP-based scanners off your back is to make sure that all HTTP requests have a valid Host: header. In Apache, it's easy. The first-listed <VirtualHost> declaration is the default if a client fails to provide a Host: header in the request. So the initial Virtual host is basically a deny-all container, e.g.,
    <VirtualHost *:80>
        # First-listed vhost: Apache serves this one for requests with no (or an unknown) Host: header
        ServerSignature off
        <Location />
            <RequireAny>
                Require local
                Require ip [some administrative IP addr]
            </RequireAny>
        </Location>
    </VirtualHost>

    <VirtualHost *:80>
        ServerName www.you.com
        # the real work happens here ...
    </VirtualHost>
For extra credit, you can write a fail2ban filter that scans the default ErrorLog for telltale signs of IP-based scanning (watch out for unintended line-wrapping in the example below).
    # /etc/fail2ban/filter.d/apache-iponly.conf
    [DEFAULT]
    # Apache 2.4 ErrorLog prefix; fail2ban expands <HOST> to the client address group.
    # The square brackets are regex metacharacters and must be escaped.
    _apache_error_msg = \[[^\]]*\] \[\S*:error\] \[pid \d+\] \[client <HOST>(:\d{1,5})?\]

    [Definition]
    failregex = ^%(_apache_error_msg)s (AH0\d+: )?client denied by server configuration: (uri )?.*$
                ^%(_apache_error_msg)s script '\S+' not found or unable to stat(, referer: \S+)?\s*$
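As an added check that is not part of this mail: a short Python script that expands the two failregex lines the way fail2ban would and runs them over a few constructed Apache 2.4 error-log lines, so you can see which entries become ban candidates before wiring the filter into a jail. The <HOST> stand-in is a simplified assumption (IPv4 and hostnames only).

```python
import re

# Simplified stand-in for fail2ban's <HOST> group (assumption: IPv4/hostnames only;
# fail2ban's real expansion also copes with IPv4-mapped IPv6 prefixes).
HOST_RE = r"(?P<host>[\w\-.]+)"

# The prefix and the two failregex lines from the filter above.
APACHE_ERROR_MSG = r"\[[^\]]*\] \[\S*:error\] \[pid \d+\] \[client <HOST>(:\d{1,5})?\]"
FAILREGEX = [
    r"^%(_apache_error_msg)s (AH0\d+: )?client denied by server configuration: (uri )?.*$",
    r"^%(_apache_error_msg)s script '\S+' not found or unable to stat(, referer: \S+)?\s*$",
]

def compile_filter():
    """Expand the fail2ban substitutions and compile each failregex."""
    compiled = []
    for pattern in FAILREGEX:
        expanded = pattern.replace("%(_apache_error_msg)s", APACHE_ERROR_MSG)
        compiled.append(re.compile(expanded.replace("<HOST>", HOST_RE)))
    return compiled

def scan(lines):
    """Return the client address of every log line that trips a failregex."""
    patterns = compile_filter()
    hits = []
    for line in lines:
        for pattern in patterns:
            match = pattern.match(line)
            if match:
                hits.append(match.group("host"))
                break  # one hit per line, even if several expressions match
    return hits

# Constructed Apache 2.4 ErrorLog lines for the default vhost (not real traffic).
SAMPLE_LOG = [
    "[Thu Oct 02 10:15:01.123456 2014] [authz_core:error] [pid 1234] [client 192.0.2.10:51234] "
    "AH01630: client denied by server configuration: /var/www/default/xmlrpc.php",
    "[Thu Oct 02 10:15:03.654321 2014] [core:error] [pid 1234] [client 198.51.100.7:40001] "
    "script '/var/www/default/wp-login.php' not found or unable to stat",
    # A non-error entry in the same log must not produce a ban candidate.
    "[Thu Oct 02 10:15:05.000000 2014] [php7:notice] [pid 1235] [client 203.0.113.5:40002] "
    "PHP Notice: Undefined index: foo in /var/www/default/index.php on line 3",
]

if __name__ == "__main__":
    for host in scan(SAMPLE_LOG):
        print("ban candidate:", host)
```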