New on LowEndTalk? Please Register and read our Community Rules.
Wordpress Layer 7 Protection ?
Advicerxyz
Member
in Help
Hey guys, im currtly having wordpress website, the vps is DDOS protected. but there is attack im suffering and ive read the protection cannot be from the network but from the vps \ server its self...
im suffering from xmlrpc ddos attack.. i would be happy to get advice how to block this kind of attack from my vps...
another question is there a way to limit get request ? they told me layer protection its head \ post request but not get.. so any way to limit also get request in case ill be suffer from this after ill be able to block xmlrpc ?
Comments
Disable xmlrpc
tried with htaccess not working.. its like still reflect all my vps..
Then simply delete the file.
its refelct the whole vps! not only the website its self..
ive block access to xmlrpc.php so how the hacker still dropping down my site with this file!
when im writting down mydomain.com/xmlrpc.php
its says access denied
https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-from-xml-rpc-attacks-on-ubuntu-14-04
For nginx
https://javapipe.com/block-wordpress-xml-rpc-ddos-attacks-with-nginx
Uninstall workpress?
rm -r wordpress
not funny lol..
i used alot of guides mod secuirty fail2ban nginx.. blocking from apache its self from nginx but nothing helping against that
Renaming/Disabling/Deleting or blocking access to xmlrpc.php is never going to help in your issue. (Tried all these tricks already)
Check your http requests log i bet you are facing the same issue i was facing on 2 of my sites regularly even with Voxility Anti-dDos (always on mode)+Cloudflare so once going through http logs i found all these attacks come from other wordpress sites as ping requests so they will always have the word "WordPress" in header thats make it easy to block using nginx or iptables. So all you need to do is return a 444 for all requests containing the word WordPress in header.
Sample Nginx code:
> > if ($http_user_agent ~* "WordPress") { > return 444; > }(444 means the returned http response from nginx is connection closed without response so even if there are hundreds of requests every second still any decent VPS ca handle it without creating much load)
You can also stop it before reaching the apache/nginx server by blocking it using iptables.
I hope my experience of handling this similar issue will help you you
> > > > if ($http_user_agent ~* "WordPress") { > > return 444; > > } >first reall answer and not trolling around..
i need to put it in nginx.conf in server area right?
by the way any guide to block it in the lvl of iptables ?
Yes in server block and thn reload/restart nginx.
There is a detailed guide i will recommend to read for blocking it using iptables here is the link:
https://sysadminblog.net/2016/05/blocking-wordpress-pingback-verification-ddos/
when im using you methods
Okay in first seems like it half working and then crashed and then ive think maybe it cloudflare ?
here the log im getting -
like alot of those anyway to block those from my server ?
Can you post your VPS/Server specs?
That is normal i was getting hundreds of requests like this every second and was able to handle it using that nginx method on a decent VPS without putting so much load on VPS. Once i received 10,000+ requests just from one ip/site in less than 20 minutes.
Can you post your load and cpu usage during the attack?
cpu \ ram seems on normal but website getting too long to respond - i still can ping my vps ip
Post the output of: sar -q
im using nginx as reverse proxy. its seems like apache going down when the guy is DDOS my website, nginx its still up. but there is not request at all (right now not attack, ive checked requests in the attack nginx handle it all with his cache - after 30-40 since he launching attack i see error nginx - like there is no apache few second later nginx also going down
Is apache a must for you? you should give it a try with nginx only. I never faced this issue using nginx only.
It looks like you are receiving a Layer 7 attack known as Wordpress Amplification. This is a common Layer 7 attack type.
Depending on the size you may be able to do something crude like recommended by WebGuru (although you will likely require nginx or another high performance webserver in place of apache):
Alternatively look into DDoS protection (make sure they include Layer 7 protection). Any Layer 7 protection worth its salt should include protection against this extremely common attack type.
> > > > > > if ($http_user_agent ~* "WordPress") { > > > return 444; > > > } > >could you not do something similar using ossec at the iptables level to drop packets with wordpress in the header?
@mycosys You really shoulnt use a Layer 3/4 firewall to filter Layer 7. There will be side effects (false positives of a string match, false negatives when packet split, performance hit), and it of course wont work with https/ssl.
Banning attackers using fail2ban targeting the Wordpress referrer or doing it by hand works even with https/ssl which would thin out the attack given enough time.
You could also give Cloudflares "I am under attack" mode a try which is annoying for legit visitors but should block the wordpress requests assuming they can't execute the necessary javascript.
Blazingfast.io, Reverse Proxy for Website service.
€25 EUR/monthly.
i havent see the request of nginx on top command so ive install ngxtop, threre is 1k request per sec so nginx going down also there is not way to block this layer 7 with csf \ fail2ban? or iptables ? drop it before its coming into the server?
cloudflare im under attack doing the trick(server be up burt heavly loaded) but its kind of annoying
There is a way to make Cloudflare"I am under attack" less annoying. @Advicerxyz if most of your traffic is not from countries that host most websites/vps/servers on internet (usa, uk, france etc) thn you can do a trick and whitelist all those countries from where you get most of your traffic (in my case india, pakistan, bangladesh etc) and show a captcha page to rest of the countries using the CF Firewall and that is free to use in CloudFlare. That trick can work for you but it depends on your type of traffic. Because most of these wordpress attack comes from sites hosted in countries like usa, uk, france etc (check your logs) so if they are not your main source of traffic than you can show them a captcha while whitelisting other countries in firewall.
still nothing... even tried to migrate to uder ddos protected vps, nothing... i understand that xmlrpc ddos protection its from the server side not from the network level
Try the plugin "Wordfence Security" (v6.1.15 is the latest). CSF or other.
its not a brute force... brute force its an easy to migrate.. we are talking here about DDoS attack method that using ping verfiy like 3-5k r/s ... thats what im trying to migrate.. any solution or no one wants to reveal cards ? willing to pay for a solution
There are plenty of services that should protect you against this kind of attack. It's extremely common (its one that almost every 'stresser' / 'booter' has).