Admin a WordPress site running on Debian Linux? Learn how to protect it from DoS, xmlrpc attacks and similar…

August 8th, 2015 No comments

So, you are sysadmin of a Linux server that runs one or more WordPress sites. Everything “just works”… but now and again you notice a massive slowdown in site performance. You may even get an alert or three from your site monitoring system. Normally at anti-social times of the day :(

After looking into the Apache access logs for the WordPress site vhost you discover that large number of requests are seen from the same IP to a bunch of pages on your site.

Here are some examples from my own logs:

[malicious ip] - [02/Jul/2015:21:24:28 +0100] "GET /wp-login.php HTTP/1.1" 404 504 "-" "Mozilla/5.0 (Windows NT 6.1
; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"
[malicious ip] - - [02/Jul/2015:21:24:28 +0100] "GET /administrator/ HTTP/1.1" 404 502 "-" "Mozilla/5.0 (Windows NT 6
.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"
[malicious ip] - - [02/Jul/2015:21:24:31 +0100] "GET /admin.php HTTP/1.1" 404 500 "-" "Mozilla/5.0 (Windows NT 6.1; W
OW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"

[malicious ip] - - [02/Jul/2015:21:25:14 +0100] "POST /blog/xmlrpc.php HTTP/1.0" 500 607 "-" "Mozilla/4.0 (compatible
: MSIE 7.0; Windows NT 6.0)"
[malicious ip] - - [02/Jul/2015:21:26:44 +0100] "POST /blog/xmlrpc.php HTTP/1.0" 500 607 "-" "Mozilla/4.0 (compatible
: MSIE 7.0; Windows NT 6.0)"

What you are seeing is malicious network traffic – designed to find vulnerabilities in your WordPress site software or to make it unavailable to genuine site visitors.

While you can keep your WordPress updated to help defend against these attacks (and indeed it’s as easy as clicking a button these days), this will not help keeping your site available.

Defending your WordPress site from a large quantity of malicious network requests cannot be done using just WordPress alone.

In this blog post, I’m going to share what I did to defend my own WordPess sites against such attacks.

I use Debian Linux but these instructions are also applicable to other distros with slight changes to package names, paths etc.

We’re going to install two packages:

  • fail2ban – this will handle the network level blocking of malicious traffic by manipulating iptables
  • mod_evasive – this is an Apache module that detects suspicious site activity, blacklists IPs to prevent access and logs those IPs

What we’re going to do is wire these two up to get “the best of both worlds“. In essence we’re going to detect malicious users, block them once they start misbehaving and ensure they never bother you again.

So lets start by installing both packages:

aptitude install fail2ban mod_evasive

fail2ban has a concept of “jails” – any malicious IPs detected by mod_evasive get “jailed”.

Lets create a couple of jails: one for the XMLRPC attacks and another for anything mod_evasive regards as suspicious:

In /etc/fail2ban/jail.conf

enabled = true
port = http,https
filter = apache-mod-evasive
logpath = /var/log/daemon.log
maxretry = 1
bantime = 3600

# keep the jail name short 29 chars or iptables will not be able to create the chain
enabled = true
port = http,https
filter = wp-xmlrpc
logpath = /var/log/apache2/
maxretry = 1
bantime = 86400

Note the name limit for the jail!

Next we create filter files for both these jails so we can extract the malicious IPs (you can adapt these to other services and logfiles once you get the general idea)


# Fail2Ban configuration file


# Option: failregex
# Notes.: regex to match the Forbidden log entrys in apache error.log
# maybe (but not only) provided by mod_evasive
# Values: TEXT
#failregex = ^\^\*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s
failregex = .*POST /blog/xmlrpc.php

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

…and in /etc/fail2ban/filter.d/apache-mod-evasive.conf

# Fail2Ban configuration file


# Option: failregex
# Notes.: regex to match the Forbidden log entrys in apache error.log
# maybe (but not only) provided by mod_evasive
# Values: TEXT
#failregex = ^\^\*\]\s+\[error\]\s+\[client \] client denied by server configuration:\s
failregex = mod_evasive\[\d+\]:\s+Blacklisting address :

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =

For mod_evasive the config files vary depending on your Debian version…

Debian Wheezy: /etc/apache2/conf.d/mod-evasive
Debian Jessie: /etc/apache2/conf-available/mod-evasive.conf

# docs in /usr/share/doc/libapache2-mod-evasive/README.gz
DOSPageCount 10
DOSSiteCount 10
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60

# this works but i dont really need to know all the time
#DOSEmailNotify root@localhost

# XXX make sure this dir exists beforehand!
DOSLogDir "/var/log/mod_evasive"


# server external IP - just in case
DOSWhitelist [server external ip]

Please heed some of the comments above!

Note that the full docs for mod_evasive (and a config test program) can be found in /usr/share/doc/libapache2-mod-evasive/README.gz

You can add multiple DOSWhitelist lines – it would sensible to add the IP that you connect from the most – or add a “safe” unchanging once such as your employers IP.

I suggest playing about with the first bunch of settings (DOSPageCount, DOSSiteCount, DOSPageInterval, DOSSiteInterval) as you can easily get false-positives when trying this out – you could block legitimate traffic if you are not careful!

Ensure you restart the respective services once finished with configuration. Observe the log files to ensure operation is correct.

mod_evasive will log to /var/log/daemon.log like this:

Jul 2 11:19:44 defiant mod_evasive[8949]: Blacklisting address [blacklisted ip 1]: possible DoS attack.
Jul 2 11:26:24 defiant mod_evasive[9033]: Blacklisting address [blacklisted ip 2]: possible DoS attack.

fail2ban will log to /var/log/fail2ban.log like so

2015-07-08 18:44:06,516 fail2ban.actions: WARNING [wp-xmlrpc] Ban [malicious ip 1]
2015-07-08 18:44:06,536 fail2ban.actions: WARNING [wp-xmlrpc] Ban [malicious ip 2]

You can also examine the fail2ban jail like so:

# fail2ban-client status wp-xmlrpc
Status for the jail: wp-xmlrpc
|- filter
| |- File list: /var/log/apache2/
| |- Currently failed: 0
| `- Total failed: 2
`- action
|- Currently banned: 2
| `- IP list: [malicious ip 1] [malicious ip 2]
`- Total banned: 2

You can also see the corresponding iptables chain:

# iptables --list --line-number
1 fail2ban-wp-xmlrpc tcp -- anywhere anywhere multiport dports http,https
Chain fail2ban-wp-xmlrpc (1 references)
num target prot opt source destination
1 DROP all -- [malicious ip 1] anywhere
2 DROP all -- [malicious ip 2] anywhere
3 RETURN all -- anywhere anywhere

And that should do it!

You may need to tweak the settings occaisonally. Just keep an eye on it. Log-in now and again for the next week or so after configuration and check these logs to see if things are running smoothly:

# multitail /var/log/apache2/ /var/log/fail2ban.log /var/log/daemon.log

If something does slip through the net you can manually ban/unban using something like:

# fail2ban-client set wp-xmlrpc banip [malicious ip]

Hope that helps! Let me know if it works/does not work by leaving a comment.

Categories: Technical Tags: , , ,

Why is Ronald D. Moore’s Battlestar Galactica one of the best TV shows ever?

January 19th, 2014 No comments

Here are two reasons (there are many more):


and this

Categories: Non-technical Tags: , ,

Be Broadband Firmware upgrade for users with a static IP and non-default config

March 3rd, 2013 No comments

This weekend I attempted the Be Broadband mandatory router firmware upgrade (which appears to be linked to Be’s sale to Sky :-().

I thought I’d relate my experience of that here so that folks have “all the information in one place”. The process was pretty much smooth but those of us geeky enough to have a static IP, custom DHCP range, port-forwards and other config changes might (will?) run into minor niggles.

First thing to note is that Be Broadband have actually organized things nicely and you should have an email or two with your static IP, links to firmware and an installation guide. However read on to see my approach…

Now I love bullet points and my process with be in that format with a few asides here and there.

Here we go:

  • Essentially I followed this:

And that boiled down to:

  • boot into Debian Linux laptop and attach wired connection to router
  • backup user config to file (important! needed for diff later)
  • download new firmware

It was at this point that I realized that the firmware upgrade required running an .exe on Windows. I somehow expected to be able to upload the firmware to the router via the web GUI :-( So…

  • download flasher from this guide:

It’s written for Windows BUT there is actually upgrade instructions on how you can use Linux instead:

Be warned that it involves setting up local TFTP and BootP servers. I’m secure enough in my geekyness to have done that (I have done so in the past to setup Cisco VOIP phones) but in the real-world of lack-of-time and family commitments I just dual-booted into Windows (also my notes for all this were synced in Dropbox – nice).

  • boot into Windows

Ensure flasher and firmware is downloaded (again!)

Now just in case, have both these open in browser tabs (and/or save web page locally) in case of net outage:

Note the “bethere” link above has some nice friendly screenshots.

  • extract flasher software
  • ensure thompson router connected via wired NOT wireless
  • extract bin file from firmware archive

Note that the flasher software will look in “TGUPGv7201/Builds” by default but you can point it to where ever you downloaded it to.

  • proceed with flash

screenshots from that process:

Thomson Home Install Wizard_2013-03-02_13-05-58

Thomson Home Install Wizard_2013-03-02_13-06-23

After flash router will be on and the user/pass will be “Administrator/<router serial>”

In my case some of the config could not be restored for some reason…
(eg. it worked but gave a non-fatal error about not being able to restore some of the config.)

Thomson Home Install Wizard_2013-03-02_13-10-36

Note that I didn’t have to provide the new static IP anywhere, the router assumed it after the upgrade and the ATM connection completed.

I now had a situation with working internet but the router was running with default settings. The router may need a reboot just to make sure everything is OK (I didn’t need to but did it as a basic check).

  • diff the configs and reconfigure router

Now this was the time consuming part and I had forgotten at how “rudimentary” the GUI is compared to something like SmoothWall Express or pfSense.

Anyway, I wanted to reconfigure the router as I has diverged from the default in a few ways.

My approach to this was to download the new config and rename it, examine the diffs:

$ diff -u <original config>.ini <new config>.ini

There’s quite a few changes in the new config, looks like they have simplified some settings and are using aliases for services and such.

From memory this was the stuff I re-configured:

– turn off UPNP
– add debian uk ntp pool
– wi-fi setup: restore ssid, g-only, reset wi-fi passphrase (but best to disable wi-fi here, reenable later in last step)
– change LAN IP and DHCP pool
(do this by `Home Network > Interfaces > LocalNetwork > Configure`)
– set <my personal DHCP range>.1 as LAN interface IP
– (At this point I turned off wi-fi as family was complaining about internet going up/down!)
– set laptop wired nic as <DHCP address>.100 manually
– The default DHCP 1.0/24 range still in dhcp pool, reboot router to ensure no devices have a 0.1/24 dhcp range address
– when router back, you will be able to delete the 0.1/24 pool (named “LAN_private”)

create new firewall ruleset based on “standard” ruleset.

– add port forward(s) from outside

This is best done by first setting a name to the server via the “home network”
do this via `Home > Toolbox > Game & Application Sharing`
click `Create a new game or application` and add application `ssh-custom` or whatever.
then go to `Home > Toolbox > Game & Application Sharing` and assign to server name.

  • change external DNS provider as static IP has changed
  • change any intrusion prevention rules and whitelists given new static IP
  • Now turn on all your computers so they get new DHCP addresses.

I was using some static internal addresses as I run a local DNS server but this time I set detected devices to use DHCP and always use the same IP based on Mac address.

I also set device type eg. desktop, laptop, phone…

Shame no “server” icon :-)

  • save router config now and keep somewhere safe

All Done! (I hope)

Now there has been some discussion on Google+ among my peers on what the sale to Sky will mean for Be and it’s pretty damn good standard of service. Some folks are thinking of jumping to the more geeky (but costly) ISP such as Zen or Andrews & Arnold and some have said that Sky is “not that bad actually”.

We’ll be watching…

Categories: Technical Tags:

Best Android ROM for HTC Desire… Evar!!1!

April 10th, 2012 2 comments

So, I’ve tried many ROMs for my HTC Desire but the latest, Oxygen, has to be the best. If you have a HTC Desire and are looking to give it a new lease of life then I would highly recommend it. Also rooting your phone is easier than ever thanks to Unrevoked.

I formerly used AOSP which is a fairly vanilla Froyo ROM but very stable. I used this ROM for pretty much the last year. However with my upgrade date for my contract due later this year, and the release of quad-core phones throughout 2012, I started to look at custom ROMs again rather than feel jealous about the shiny new models. And to be honest with you – all I use my phone for is to get at GMail, Calender, Remember-the-Milk, Reddit and WhatsApp – no gaming (like I have the time), no video playback (I like battery life for communicating with people), no music playback (I have the excellent Sansa Clip+ thanks). So I figured I can save some cash by keeping the phone and going to a SIM-only contract when it expires. Yeah, new phones have promising stuff like NFC but AFAICT there is no commonplace infrastructure for that yet – hopefully in 2014 when I am ready to upgrade :-)

So back to selecting a ROM: I first tried CyanogenMod 7.1 (probably the custom ROM most people know about) which installed smoothly. However two problems became apparent – a shockingly fast battery drain and unreliable screen auto-rotate (I think the latter might be due to accelerometer driver problems). Thankfully trackball-wake worked otherwise it would not have lasted the two weeks I ran it for. Both of those problems cannot be sustained so I looked around with the words “stable”, “bug free” with “HTC Desire ROM” and found Oxygen which is based on Gingerbread.

I now have what is almost like a new phone – it’s fast, stable and looks smart. For me there are just two small issues – no trackball wake and no way to disable the photo shutter sound – everything else is cool. If you want to install via Clockwork ROM then it will not work, there is currently a broken link to Oxygen. Instead follow this guide and grab version 2.3.2.

Thank you very, very much Oxygen developers/maintainers – enjoy!

Categories: Technical Tags:

Got me a PVR: Humax HDR-FOX T2

March 31st, 2012 No comments

Yes, another step into the 21st Century for the Chaudhry household has been taken with the addition of a PVR (thats “Personal Video Recorder” for the un-initiated). Check photos below, I’m sure the “fox” in the name refers to it’s sleek understated appearance. Hereafter it will be referred to as “Hummy”.

This amazing little black box records Freeview and Freeview HD and does it extremely well. I never really appreciated the power of easy timeshifting of TV content that these allow. It is so easy to bring up the TV schedule for the next few days and choose to record a show or an entire series – all with one button press. Simples! This means I can watch them back at a time to suit me – case in point: this morning at 7am I watched a documentary on spectacular rise and fall of the Hittite Empire from BBC Four :-) It also means that when I’m relaxing with the Missus we can choose to watch something more interesting than “The Kardashians” (btw, I love teasing her by referring to them as “The Cardassians“).

Anyhow, the PVR functionality is not the only thing I bought it for. It can also playback arbitrary digital media such as videos, music and photos. It also has a very decent BBC iPlayer and YouTube “app” built in which is a much more usable effort for a TV form-factor than practically all others I have seen. That said, I’m not giving up my trusty Xbox XBMC systems any time soon. The reason is that even though the “Hummy” can playback hi-def video (e.g. a 3G Avatar blu-ray rip – in mp4 format, not tried mkv yet) and can stream over a network or playback from local USB media – the network streaming is limited to UPnP only. Yes, I can install Mediatomb or Twonky on my LAN Debian server but I already run Samba and NFS already. Given the Hummy runs Linux then why not support these other protocols? They work so well for media streaming dammit (XBMC).

Did I mention that the Hummy runs Linux? Case in point – the HDD is formatted with ext3. This also means it opens up a world of modding potential and a community has of course built up around it over the last 3 years.

If you want to buy one then I would advise looking for a good condition used specimen from an eBay private seller – lots of folks are choosing to go with Virgin Media or Sky to get the premium sports channels and thus selling on their Hummys. Now and again you might see a listing of a Hummy missing the HDD – go for these and you can get a bargain as installing and formatting the HDD is very easy (see blog post above).

OK so a few bad points – HD channel reception is unreliable and I just ignore them even though they look amazing. There are only 5 of them on Freeview HD at present.  Sometimes there is rare signal breakup in SD mode, I have the latest firmware I think so hopefully an update from the Humax will help. I don’t think this is due to my Freeview reception as the Freeview tuner built-in to my TV never had this issue. I would also like some way to turn on and off the TV and Hummy with one button press. I have a Samsung LE32R7 TV so if anyone knows how to do that with the standard remote then let me know. By the way, the 3-digit remote code for this TV I used is 115.

Now excuse me while I find some more shows to fill up my 500G HDD with…

Categories: Uncategorized Tags: