Fail2ban seems to block the IP, but requests still get through

I have a rule to block excessive calls to the WordPress xml-rpc endpoint:

Filter:

    failregex = ^<HOST> .*POST .*xmlrpc\.php.*
    ignoreregex =

Jail:

    enabled = true
    port = http,https
    filter = php-xmlrpc
    logpath = /var/log/httpd/access_log
    maxretry = 6
    bantime = 3600
    action = iptables[name=PHP_XMLRPC, port=http, protocol=tcp]

This seems to work, because during a recent xml-rpc spam attack I got the following iptables rules:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    MANUAL_BANS all -- 0.0.0.0/0 0.0.0.0/0
    fail2ban-PHP_XMLRPC tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

    Chain MANUAL_BANS (1 references)
    target prot opt source destination
    DROP tcp -- 221.194.47.0/24 0.0.0.0/0
    DROP tcp -- 121.18.238.0/24 0.0.0.0/0
    DROP tcp -- 221.194.44.0/24 0.0.0.0/0
    RETURN all -- 0.0.0.0/0 0.0.0.0/0

    Chain fail2ban-PHP_XMLRPC (1 references)
    target prot opt source destination
    REJECT all -- 191.96.249.54 0.0.0.0/0 reject-with icmp-port-unreachable
    REJECT all -- 191.96.249.53 0.0.0.0/0 reject-with icmp-port-unreachable
    RETURN all -- 0.0.0.0/0 0.0.0.0/0

But... somehow, my Apache server continues to see requests:

    191.96.249.53 - - [14/Mar/2017:11:51:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.53 - - [14/Mar/2017:11:51:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.53 - - [14/Mar/2017:11:51:16 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.53 - - [14/Mar/2017:11:51:15 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:32 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:35 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:42 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:33 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
    191.96.249.54 - - [14/Mar/2017:11:51:45 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

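The fail2ban online manual says bantime is in seconds, but from the above it looks like it is actually milliseconds (i.e. 3.6 seconds rather than 60 minutes)? Am I missing something? How can httpd still be seeing the requests?

I am using: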

    Name : fail2ban
    Arch : noarch
    Version : 0.8.10
    Release : 3.6.amzn1
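
A cross-check of the three artifacts in the question, added here as an example and not part of the original post: it reads the `iptables -L -n` listing to find which destination ports are routed through the fail2ban chain and which sources are banned, then counts access-log lines from those sources using the question's failregex. The function names and the simplified IPv4 pattern standing in for `<HOST>` are assumptions of this example.

```python
import re
from collections import Counter

# Sample input constructed from the listing and log lines in the question (trimmed).
IPTABLES = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-PHP_XMLRPC tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain fail2ban-PHP_XMLRPC (1 references)
target prot opt source destination
REJECT all -- 191.96.249.54 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 191.96.249.53 0.0.0.0/0 reject-with icmp-port-unreachable
"""
ACCESS_LOG = """\
191.96.249.53 - - [14/Mar/2017:11:51:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372
191.96.249.54 - - [14/Mar/2017:11:51:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372
191.96.249.54 - - [14/Mar/2017:11:51:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372
"""
# The question's failregex, with <HOST> replaced by a simple IPv4 group (a simplification).
FAILREGEX = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .*POST .*xmlrpc\.php.*")
JAIL_PORTS = {80, 443}  # "port = http,https" from the jail section

def parse_chains(listing):
    """Return {chain name: [whitespace-split rule fields, ...]}."""
    chains, rules = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            rules = chains.setdefault(header.group(1), [])
        elif rules is not None and line.strip() and not line.startswith("target"):
            rules.append(line.split())
    return chains

def guarded_ports(chains, jail_chain):
    """Ports whose INPUT traffic jumps to jail_chain (dpt:N or multiport dports A,B)."""
    ports = set()
    for rule in chains.get("INPUT", []):
        if rule[0] == jail_chain:
            for spec in re.findall(r"(?:dpt:|dports )(\S+)", " ".join(rule)):
                ports.update(int(p) for p in spec.split(","))
    return ports

def check(listing, log, jail_chain="fail2ban-PHP_XMLRPC"):
    """Report jail ports not routed through the chain, banned sources, and their log hits."""
    chains = parse_chains(listing)
    banned = {r[3] for r in chains.get(jail_chain, []) if r[0] in ("REJECT", "DROP")}
    matches = (FAILREGEX.match(line) for line in log.splitlines())
    hits = Counter(m.group("host") for m in matches if m)
    return {"unguarded_ports": JAIL_PORTS - guarded_ports(chains, jail_chain), "banned": banned,
            "hits_from_banned": {ip: n for ip, n in hits.items() if ip in banned}}
```

On the question's data, `check(IPTABLES, ACCESS_LOG)` reports port 443 as listed in the jail but not routed through the chain (the action was given `port=http` only), alongside the banned addresses that still appear in the log.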