Ok thanks for your time. I have been mucking around with this for about a day and have come to the conclusion I must be stupid.
Issue at hand
We do from time to time have some people with to much time on their hand hammer away at xmlrpc.php (wordpress function). Example of logs below
172.173.116.234 - - [17/Aug/2023:16:38:20 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:21 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:23 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:25 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:27 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:28 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:30 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:32 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:34 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:35 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:37 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:39 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:41 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:43 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:44 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:46 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:48 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:50 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:51 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
172.173.116.234 - - [17/Aug/2023:16:38:53 +1000] “POST //xmlrpc.php HTTP/1.1” 200 5942 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36”
So I thought about banning them with fail2ban, sounded simple. I have tried a few examples I found on the interwebs but none seem to be working.
My regex currently looks like this
[Definition]
failregex = ^ .*POST .xmlrpc.php.
ignoreregex =
Obviously I’m missing something because its not matching. So if someone out there knows what my issue is I’m all ears.
Thanks
Michael