Custom Fail2Ban jail for xmlrpc.php

Hi guys,

I am having trouble with a lot of spam requests to a specific WordPress file and I want to configure Fail2Ban to ban those IPs permanently.
The file is: /xmlrpc.php

I am using FirewallD.

What am I doing wrong in this configuration?

SYSTEM INFORMATION
OS type and version: Debian Linux 12
Virtualmin version: 7.20.2 Pro

Is the apache-common filter actually matching the lines in the log file? I would suggest making a custom filter so fail2ban can match the correct line in the log file.

Please can you show me how?

You need to look at the filter and work out what the regex is looking for, or you could post a single log line you are trying to match and perhaps someone will be able to write the regex for you, so you can create a filter.

I created a log filter with different combinations like this:
<HOST>.*"POST \/xmlrpc\.php.*" 200.*$
<HOST>.*"POST \/xmlrpc\.php.*" \d{3}.*$
<HOST>.*"POST \/xmlrpc\.php.*" \b\d{3}\b.*$
<HOST>.*"(GET|POST|HEAD) \/xmlrpc\.php.*" 200.*$

None of them works, but when I test them on regex101 they look okay.

Here is the jail now:

Here is an example line from the log:
185.184.155.49 - - [18/Sep/2024:16:59:45 +0200] "POST /xmlrpc.php HTTP/1.1" 200 3735 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"

What am I missing?

What regex are you applying to that line?

I tried each one of these and more combinations, but none of them works.

That looks wrong … tomorrow I’ll work out the correct regex and post it when it works


Or you can use the Wordfence plugin. This can block all calls to this file.

@jimr1 did Ilia not post the code for this when helping another user?

I have no idea. As I don’t use WordPress, I tend to skip most WordPress issues, as I don’t have the experience with that product and it really has nothing to do with Virtualmin. However, the OP asked about fail2ban, which I do have some experience with.

Some example fail2ban code (including xmlrpc)

Some more code


LOL, my CPU (AMD EPYC-Milan, 4 cores) was at 80-90% usage all the time; now it drops to 0-15% usage.

Just when creating the new jail, under "Check for log file updates using" select "Decide automatically".

Edit:
Does the log file path accept wildcards?

Yes it does.

^<HOST>.*-.*"(GET|POST|HEAD).*xmlrpc.*
^<HOST>.*-.*"(GET|POST|HEAD).*wp-login.php

I use this, and the caret up front is important. You can test your filter in a terminal to see if it is selecting records or not. This will tell you if your code is working:

fail2ban-regex <logfile> <regex or filter conf file>

You can read more about this on a great site:
https://www.the-art-of-web.com/system/fail2ban-howto/
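The anchored filter and the fail2ban-regex check described above, put together as a complete filter plus jail, as an added example that is not code from the thread or from Virtualmin. The jail name `wp-xmlrpc`, the `/var/log/virtualmin/*_access_log` wildcard path, the `firewallcmd-ipset` ban action (for a FirewallD host) and `bantime = -1` (permanent ban) are assumptions to adjust for your setup; the script writes into a scratch directory unless FAIL2BAN_DIR is set, so it can be run before copying the files into /etc/fail2ban.

```shell
#!/bin/sh
# Added example: build a fail2ban filter + jail for xmlrpc.php floods and
# sanity-check the failregex offline against a sample access-log line.
set -eu

FAIL2BAN_DIR="${FAIL2BAN_DIR:-$(mktemp -d)}"   # assumption: scratch dir
mkdir -p "$FAIL2BAN_DIR/filter.d"

# Filter: anchored at line start (the caret matters), matching the Apache
# combined log format from the thread. [0-9]{3} is used instead of \d{3}
# so the same pattern also works with grep -E in the offline check below.
cat > "$FAIL2BAN_DIR/filter.d/wp-xmlrpc.local" <<'EOF'
[Definition]
failregex = ^<HOST> .*"(GET|POST|HEAD) /xmlrpc\.php[^"]*" [0-9]{3}
ignoreregex =
EOF

# Jail: 5 hits within 10 minutes bans the source permanently via firewalld.
# logpath wildcard and banaction are assumptions for a Virtualmin/FirewallD host.
cat > "$FAIL2BAN_DIR/jail.local" <<'EOF'
[wp-xmlrpc]
enabled   = true
filter    = wp-xmlrpc
logpath   = /var/log/virtualmin/*_access_log
maxretry  = 5
findtime  = 600
bantime   = -1
banaction = firewallcmd-ipset
EOF

# Offline check: substitute a plain IPv4 pattern for fail2ban's <HOST> tag
# and test one log line with grep -E. Returns 0 on match, 1 otherwise.
line_matches() {
  regex=$(sed -n 's/^failregex *= *//p' "$FAIL2BAN_DIR/filter.d/wp-xmlrpc.local")
  regex=$(printf '%s' "$regex" | sed 's/<HOST>/[0-9.]+/')
  printf '%s\n' "$1" | grep -Eq "$regex"
}

# Constructed sample lines: the first mirrors the line posted in the thread,
# the second is an ordinary page request that must not be counted.
HIT='185.184.155.49 - - [18/Sep/2024:16:59:45 +0200] "POST /xmlrpc.php HTTP/1.1" 200 3735 "-" "Mozilla/5.0"'
MISS='203.0.113.7 - - [18/Sep/2024:16:59:46 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"'

line_matches "$HIT"    && echo "xmlrpc POST line: match"
! line_matches "$MISS" && echo "ordinary request: no match"
echo "Real test: fail2ban-regex /var/log/virtualmin/<domain>_access_log $FAIL2BAN_DIR/filter.d/wp-xmlrpc.local"
```

The final fail2ban-regex command is the authoritative check, since it applies fail2ban's own `<HOST>` and timestamp handling rather than the grep approximation.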
