On Thu, Oct 2, 2014, at 09:29, Mike Burger wrote:
> On 2014-10-02 10:23 am, Jerry Geis wrote:
> > I just got SLAMMED with accesses to httpd from
> > 91.230.121.156
> >
> > I added the address to my firewall to drop it.
> > FYI
> >
> > host 91.230.121.156
> > 156.121.230.91.in-addr.arpa domain name pointer
> > no-rdns.offshorededicated.net.
>
> Are you running Wordpress?
>
> My company's Wordpress installation was getting hammered by an IP in the
> same netblock, yesterday...look in your httpd logs for repeated POST
> operations to xmlrpc.php.

Most people don't even need xmlrpc.php to be open to the world, so I prefer to block all requests to it.

I also have successfully used ngrep to capture POSTs on a server hosting many Wordpress sites and log them to a file that is watched by fail2ban. After x many POSTs automatically ban the IP, for example.

The reason I did not just monitor the Apache log files for POSTs is that there were so many sites with their own log files. I had to aggregate all the POSTs to a single log file so when the botnet hit multiple Wordpress sites it could be more easily identified. Occasionally they'll only do a couple POSTs from each IP/bot in the group and so it would evade detection unless you aggregated it all into one log file.
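The aggregation point made in the last reply, as an added example that is not code from anyone in this thread: it reads Apache combined-format lines from several per-site logs, pulls the POSTs to xmlrpc.php into one ordered stream, and applies a fail2ban-style "N hits within a time window" rule once per site and once over the aggregated stream. The site names, IP addresses (RFC 5737 documentation ranges), timestamps and threshold are all constructed for the demonstration; the only real-world assumption is the default Apache combined log format.

```python
"""Aggregate POSTs to xmlrpc.php across per-site Apache logs and flag IPs
that exceed a threshold within a window. Log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format as written by a default httpd vhost.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def aggregate_posts(site_logs, path="/xmlrpc.php"):
    """Collect POSTs to `path` from every site's log into one time-ordered list
    of (timestamp, ip, site, path) tuples: the single combined log the poster describes."""
    events = []
    for site, lines in site_logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec and rec["method"] == "POST" and rec["path"] == path:
                events.append((rec["ts"], rec["ip"], site, rec["path"]))
    events.sort()
    return events


def offenders(events, threshold, window):
    """IPs with at least `threshold` events inside some span of length `window`,
    i.e. the same rule fail2ban applies with maxretry and findtime."""
    by_ip = defaultdict(list)
    for ts, ip, _site, _path in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(ip)
                break
    return flagged


def per_site_offenders(site_logs, threshold, window, path="/xmlrpc.php"):
    """Same rule applied to each site's log on its own, which is what you get
    by pointing a jail at every vhost log separately."""
    flagged = set()
    for site, lines in site_logs.items():
        flagged |= offenders(aggregate_posts({site: lines}, path), threshold, window)
    return flagged


def render_aggregated(events):
    """Format the aggregated events as plain lines a fail2ban filter regex can match."""
    return [f"{ts.strftime(TS_FORMAT)} {ip} {site} POST {path}"
            for ts, ip, site, path in events]


def _line(ip, ts, method, path, status="200"):
    # Helper to build a constructed combined-format line.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: one bot (203.0.113.10) sends only two POSTs to each of
# three sites, plus a legitimate visitor (198.51.100.7) doing unrelated requests.
SITE_LOGS = {
    "siteA": [
        _line("198.51.100.7", "02/Oct/2014:10:23:01 -0400", "GET", "/"),
        _line("203.0.113.10", "02/Oct/2014:10:23:05 -0400", "POST", "/xmlrpc.php"),
        _line("203.0.113.10", "02/Oct/2014:10:23:09 -0400", "POST", "/xmlrpc.php"),
    ],
    "siteB": [
        _line("203.0.113.10", "02/Oct/2014:10:23:12 -0400", "POST", "/xmlrpc.php"),
        _line("198.51.100.7", "02/Oct/2014:10:23:14 -0400", "POST", "/wp-login.php", "302"),
        _line("203.0.113.10", "02/Oct/2014:10:23:15 -0400", "POST", "/xmlrpc.php"),
    ],
    "siteC": [
        _line("203.0.113.10", "02/Oct/2014:10:23:20 -0400", "POST", "/xmlrpc.php"),
        _line("203.0.113.10", "02/Oct/2014:10:23:24 -0400", "POST", "/xmlrpc.php"),
    ],
}

THRESHOLD = 5                 # constructed "x many POSTs"
WINDOW = timedelta(seconds=60)

if __name__ == "__main__":
    events = aggregate_posts(SITE_LOGS)
    print("\n".join(render_aggregated(events)))
    print("per-site:   ", per_site_offenders(SITE_LOGS, THRESHOLD, WINDOW))
    print("aggregated: ", offenders(events, THRESHOLD, WINDOW))
```

Run as a script it prints the aggregated log and then the two verdicts: the per-site check flags nobody, because no single site ever sees more than two POSTs from the bot, while the aggregated check flags 203.0.113.10 with six POSTs inside twenty seconds. The `render_aggregated` lines are the kind of thing to write to the file fail2ban watches; the filter regex then only has to extract the IP field.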