Wordpress Layer 7 Protection ?

Hey guys, I'm currently running a WordPress website; the VPS is DDoS protected, but there is an attack I'm suffering from, and I've read that the protection cannot come from the network but has to come from the VPS/server itself.
I'm suffering from an XML-RPC DDoS attack. I would be happy to get advice on how to block this kind of attack from my VPS.
Another question: is there a way to limit GET requests? They told me the layer protection covers HEAD/POST requests but not GET, so is there any way to also limit GET requests, in case I suffer from that after I manage to block XML-RPC?


Comments

  • Disable xmlrpc

  • @OpticalSwoosh said:
    Disable xmlrpc

    Tried with .htaccess, not working. It's like it still reflects on my whole VPS.

  • MikePT Moderator, Patron Provider, Veteran

    Then simply delete the file.

  • Advicerxyz Member
    edited September 2016

    @MrGeneral said:
    Then simply delete the file.

    It reflects on the whole VPS, not only the website itself.
    I've blocked access to xmlrpc.php, so how is the attacker still taking down my site with this file?
    When I type mydomain.com/xmlrpc.php

    it says access denied.

  • Uninstall WordPress?

  • rm -r wordpress

  • Not funny, lol.
    I used a lot of guides: mod_security, fail2ban, nginx, blocking from Apache itself, from nginx, but nothing is helping against that.

  • WebGuru Member
    edited September 2016

    Renaming, disabling, deleting or blocking access to xmlrpc.php is never going to help with your issue (I tried all these tricks already).

    Check your HTTP request log. I bet you are facing the same issue I was facing regularly on 2 of my sites, even with Voxility Anti-DDoS (always-on mode) + Cloudflare. Going through the HTTP logs, I found all these attacks come from other WordPress sites as ping requests, so they will always have the word "WordPress" in the header, which makes it easy to block using nginx or iptables. So all you need to do is return a 444 for all requests containing the word WordPress in the header.

    Sample nginx code:

        if ($http_user_agent ~* "WordPress") {
            return 444;
        }

    (444 means the HTTP response from nginx is "connection closed without response", so even if there are hundreds of requests every second, any decent VPS can handle it without creating much load.)

    You can also stop it before it reaches the Apache/nginx server by blocking it using iptables.

    I hope my experience of handling this similar issue will help you :)

  • @WebGuru said:
    Renaming, disabling, deleting or blocking access to xmlrpc.php is never going to help with your issue (I tried all these tricks already).

    Check your HTTP request log. I bet you are facing the same issue I was facing regularly on 2 of my sites, even with Voxility Anti-DDoS (always-on mode) + Cloudflare. Going through the HTTP logs, I found all these attacks come from other WordPress sites as ping requests, so they will always have the word "WordPress" in the header, which makes it easy to block using nginx or iptables. So all you need to do is return a 444 for all requests containing the word WordPress in the header.

    Sample nginx code:

        if ($http_user_agent ~* "WordPress") {
            return 444;
        }

    (444 means the HTTP response from nginx is "connection closed without response", so even if there are hundreds of requests every second, any decent VPS can handle it without creating much load.)

    You can also stop it before it reaches the Apache/nginx server by blocking it using iptables.

    I hope my experience of handling this similar issue will help you :)

    First real answer and not trolling around.
    I need to put it in nginx.conf in the server area, right?
    By the way, any guide to block it at the iptables level?

  • @Advicerxyz said:
    First real answer and not trolling around.
    I need to put it in nginx.conf in the server area, right?
    By the way, any guide to block it at the iptables level?

    Yes, in the server block, and then reload/restart nginx.

    There is a detailed guide I recommend reading for blocking it using iptables; here is the link:

    https://sysadminblog.net/2016/05/blocking-wordpress-pingback-verification-ddos/
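
A fuller nginx server block, added here as an example (it is not configuration posted by anyone in the thread), showing where WebGuru's rule goes and how to rate-limit GET requests as well, which the opening post asked about. It assumes nginx terminates TLS and proxies to Apache on 127.0.0.1:8080; the hostname, certificate paths and the 10 r/s figure are placeholders to adjust. It belongs in the http context, for example as a file under /etc/nginx/conf.d/:

```nginx
# Added example for this thread, not configuration posted by any participant.
# Assumes nginx terminates TLS and proxies to Apache on 127.0.0.1:8080;
# hostname, certificate paths and the 10 r/s rate are placeholders.

# Per-client-IP request counter; 10m of shared memory holds roughly 160k addresses.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

# 1 when the User-Agent is WordPress's pingback verifier
# ("WordPress/<ver>; <site>; verifying pingback from <ip>"), else 0.
map $http_user_agent $wp_verifier {
    default          0;
    "~*^WordPress/"  1;
}

server {
    listen 443 ssl;
    server_name example.com;                       # placeholder
    ssl_certificate     /etc/ssl/example.com.crt;  # placeholder
    ssl_certificate_key /etc/ssl/example.com.key;  # placeholder

    # Close the connection without a response; Apache never sees the request.
    if ($wp_verifier) {
        return 444;
    }

    # The reflected traffic arrives as GET /, so blocking xmlrpc.php alone does
    # not stop it, but there is still no reason to expose the endpoint unless a
    # client you use (Jetpack, the mobile app) needs it.
    location = /xmlrpc.php {
        return 444;
    }

    location / {
        # Applies to every method, GET included: 10 r/s sustained per client IP,
        # a burst of 20 let through immediately, anything beyond answered with 429.
        limit_req zone=perip burst=20 nodelay;
        limit_req_status 429;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host       $host;
        proxy_set_header X-Real-IP  $remote_addr;
    }
}
```

The `if` has to live in the server block that terminates TLS, so the User-Agent match works for HTTPS too (a string match in iptables cannot see inside TLS). If Cloudflare sits in front of the VPS, `$binary_remote_addr` is a Cloudflare edge address, not the reflector's, so key the limit on the real client by loading `ngx_http_realip_module` (`set_real_ip_from` for each Cloudflare range plus `real_ip_header CF-Connecting-IP`) before `limit_req_zone`, otherwise you throttle the whole CDN. Validate with `nginx -t`, reload, and confirm with `curl -A 'WordPress/4.6; http://example.org' https://example.com/` that curl reports an empty reply rather than a page.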

  • Advicerxyz Member
    edited September 2016

    @WebGuru said:

    @Advicerxyz said:
    First real answer and not trolling around.
    I need to put it in nginx.conf in the server area, right?
    By the way, any guide to block it at the iptables level?

    Yes, in the server block, and then reload/restart nginx.

    There is a detailed guide I recommend reading for blocking it using iptables; here is the link:

    https://sysadminblog.net/2016/05/blocking-wordpress-pingback-verification-ddos/

    When I'm using your methods, okay, at first it seems like it's half working and then it crashes, and then I thought maybe it's Cloudflare?

  • Advicerxyz Member
    edited September 2016

    Here is the log I'm getting:

    5.189.170.237 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.6; http://www.99bangkokcondos.com
    178.63.34.198 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.1.9; http://meanit.nl; verifying pingback from 173.245.49.71
    208.146.35.8 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 4153 "-" "WordPress/3.4.2; http://www.4kore.com
    162.243.126.132 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.9.13; http://sewagecleanuplocal.net; verifying pingback from 185.81.158.135
    46.101.193.144 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.1.12; http://creditcourtagedefrance.fr; verifying pingback from 185.81.158.135
    173.201.196.91 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.1.12; http://lhrla.com; verifying pingback from 185.81.158.135
    108.163.195.170 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 4153 "-" "WordPress/3.5; http://iracheckbook.com
    81.177.140.141 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.4.2; http://besplatniysoft.com
    97.74.24.95 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.1.12; http://www.adesigninc.net; verifying pingback from 108.162.229.63
    188.165.199.60 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 4153 "-" "WordPress/3.2.1; http://bdzoom.com
    5.189.170.237 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.6; http://www.99bangkokcondos.com
    146.247.24.125 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.0.12; http://www.gunthermueller.com; verifying pingback from 185.81.158.135
    194.9.94.155 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 4152 "-" "WordPress/3.3.2; http://dandyinteraction.se
    91.240.238.170 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.2.1; http://www.mgmsystems.pl
    91.236.153.247 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "-
    198.89.127.60 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "-
    194.9.95.236 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.0.12; http://100firsthits.com; verifying pingback from 185.81.158.135
    194.9.95.236 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.0.12; http://100firsthits.com; verifying pingback from 185.81.158.135
    50.63.197.67 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.4.1; http://atpasesignaling.com
    23.91.66.149 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "PHP/5.4.45
    198.199.119.230 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.6; http://www.itsnokia.com
    162.243.126.132 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.9.13; http://sewagecleanuplocal.net; verifying pingback from 185.81.158.135
    59.106.13.157 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.0.12; http://www.lasical.com; verifying pingback from 185.81.158.135
    59.106.19.160 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/2.7.1
    162.243.126.132 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.9.13; http://sewagecleanuplocal.net; verifying pingback from 185.81.158.135
    99.192.201.50 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.1.1; http://www.hardcorepassword.net
    173.0.129.83 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.0.1; http://www.divspec.com; verifying pingback from 108.162.229.164
    37.187.155.14 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.1.10; http://www.actualidadgoogle.com; verifying pingback from 185.81.158.135

    Like a lot of those. Any way to block those from my server?
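
Run over lines like the ones posted, that log yields both a block list and an attribution. The script below is an example added for this thread, not code from any participant: it applies the same match as WebGuru's nginx rule (a User-Agent beginning "WordPress/") to access-log lines, counts hits per reflecting site, and extracts the `verifying pingback from <ip>` field, which the newer WordPress versions in the log fill with the address that submitted the pingback.ping XML-RPC call to that site (the 3.9 and later entries above carry it, the 3.6 and older ones do not). The sample lines are copied from the log above, truncated closing quote included; the threshold of two hits per reflector is an illustrative choice.

```python
"""Summarise a WordPress pingback-verification flood from an access log.

Example added for this thread, not code posted by any participant. It applies
the same match as WebGuru's nginx rule (User-Agent beginning "WordPress/") and
also extracts the "verifying pingback from <ip>" field. The sample lines are
copied from the log posted above (their closing quote was missing there too);
the block threshold is an illustrative choice.
"""
import re
from collections import Counter

# Combined Log Format. The closing quote after the User-Agent is optional
# because the lines pasted in the thread are truncated before it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"?$'
)

# WordPress's verifier UA: "WordPress/<ver>; <site>; verifying pingback from <ip>".
# The last part is the address that sent pingback.ping to the reflecting site.
WP_UA_RE = re.compile(
    r'^WordPress/(?P<ver>[\d.]+)'
    r'(?:; (?P<site>[^;]+))?'
    r'(?:; verifying pingback from (?P<submitter>\S+))?$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it is not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_ua(ua):
    """Return verifier details if the User-Agent is WordPress's, else None."""
    m = WP_UA_RE.match(ua or "")
    return m.groupdict() if m else None


def analyze(lines, threshold=2):
    """Count verifier hits per reflector and per submitter over a log window.

    threshold: hits from one reflector in the window before it is listed in
    'block' (illustrative value; tune it to your traffic and window length).
    """
    per_source = Counter()     # reflecting WordPress site IP -> hits
    per_submitter = Counter()  # "verifying pingback from" IP -> hits
    total = matched = 0
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        total += 1
        wp = classify_ua(rec["ua"])
        if wp is None:
            continue
        matched += 1
        per_source[rec["ip"]] += 1
        if wp["submitter"]:
            per_submitter[wp["submitter"]] += 1
    block = sorted(ip for ip, n in per_source.items() if n >= threshold)
    return {
        "total": total,
        "pingback": matched,
        "per_source": per_source,
        "per_submitter": per_submitter,
        "block": block,
    }


# Lines copied from the log posted in the thread (a subset).
SAMPLE_LOG = """\
5.189.170.237 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.6; http://www.99bangkokcondos.com
178.63.34.198 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/4.1.9; http://meanit.nl; verifying pingback from 173.245.49.71
162.243.126.132 - - [01/Sep/2016:20:04:53 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.9.13; http://sewagecleanuplocal.net; verifying pingback from 185.81.158.135
5.189.170.237 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.6; http://www.99bangkokcondos.com
91.236.153.247 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "-
23.91.66.149 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "PHP/5.4.45
162.243.126.132 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/3.9.13; http://sewagecleanuplocal.net; verifying pingback from 185.81.158.135
59.106.19.160 - - [01/Sep/2016:20:04:54 +0200] "GET / HTTP/1.0" 200 11563 "-" "WordPress/2.7.1
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    print(f"{result['pingback']}/{result['total']} requests carry the WordPress verifier UA")
    for ip, n in result["per_source"].most_common():
        print(f"  reflector {ip:<16} {n} hits")
    for ip, n in result["per_submitter"].most_common():
        print(f"  pingback submitted by {ip:<16} {n} hits")
    print("candidate ipset/fail2ban entries:", ", ".join(result["block"]))
```

The `block` list is what you would feed to an ipset, a CSF deny list or a fail2ban jail (the `WP_UA_RE` pattern, prefixed with `<HOST>` and the rest of the log line, is the `failregex` for such a jail); matching on the decrypted request that nginx has already logged sidesteps the TLS and split-packet problems of matching the string in iptables. The `per_submitter` counter is the more interesting output: an address that recurs there, 185.81.158.135 in the posted window, is the host that sent the pingback.ping calls to those reflectors (or a proxy in front of it) and belongs in the abuse report to its hosting provider, whereas a submitter inside a CDN's published ranges (the 173.245.x and 108.162.x entries look like Cloudflare edges; verify against Cloudflare's IP list) only tells you that the reflecting site sits behind that CDN.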

  • @Advicerxyz said:

    When I'm using your methods, okay, at first it seems like it's half working and then it crashes, and then I thought maybe it's Cloudflare?

    Can you post your VPS/server specs?

  • @Advicerxyz said:

    Like a lot of those. Any way to block those from my server?

    That is normal. I was getting hundreds of requests like this every second and was able to handle it using that nginx method on a decent VPS without putting much load on the VPS. Once I received 10,000+ requests just from one IP/site in less than 20 minutes.

    Can you post your load and CPU usage during the attack?

  • CPU/RAM seem normal, but the website is taking too long to respond. I can still ping my VPS IP.

  • @Advicerxyz said:
    CPU/RAM seem normal, but the website is taking too long to respond. I can still ping my VPS IP.

    Post the output of: sar -q

  • @WebGuru said:

    @Advicerxyz said:
    CPU/RAM seem normal, but the website is taking too long to respond. I can still ping my VPS IP.

    Post the output of: sar -q

    I'm using nginx as a reverse proxy. It seems like Apache goes down when the guy DDoSes my website; nginx is still up, but there are no requests at all (right now there is no attack). I checked the requests during the attack: nginx handles them all with its cache; after 30-40 since he launches the attack I see an nginx error, like there is no Apache, and a few seconds later nginx also goes down.

  • @Advicerxyz said:

    @WebGuru said:

    @Advicerxyz said:
    CPU/RAM seem normal, but the website is taking too long to respond. I can still ping my VPS IP.

    Post the output of: sar -q

    I'm using nginx as a reverse proxy. It seems like Apache goes down when the guy DDoSes my website; nginx is still up, but there are no requests at all (right now there is no attack). I checked the requests during the attack: nginx handles them all with its cache; after 30-40 since he launches the attack I see an nginx error, like there is no Apache, and a few seconds later nginx also goes down.

    Is Apache a must for you? You should give it a try with nginx only. I never faced this issue using nginx only.

  • SplitIce Member, Host Rep

    It looks like you are receiving a Layer 7 attack known as WordPress amplification. This is a common Layer 7 attack type.

    Depending on the size, you may be able to do something crude like WebGuru recommended (although you will likely require nginx or another high-performance web server in place of Apache):

    WebGuru said:

        if ($http_user_agent ~* "WordPress") {
            return 444;
        }

    Alternatively, look into DDoS protection (make sure they include Layer 7 protection). Any Layer 7 protection worth its salt should include protection against this extremely common attack type.

  • @Advicerxyz said:

    @WebGuru said:
    Renaming, disabling, deleting or blocking access to xmlrpc.php is never going to help with your issue (I tried all these tricks already).

    Check your HTTP request log. I bet you are facing the same issue I was facing regularly on 2 of my sites, even with Voxility Anti-DDoS (always-on mode) + Cloudflare. Going through the HTTP logs, I found all these attacks come from other WordPress sites as ping requests, so they will always have the word "WordPress" in the header, which makes it easy to block using nginx or iptables. So all you need to do is return a 444 for all requests containing the word WordPress in the header.

    Sample nginx code:

        if ($http_user_agent ~* "WordPress") {
            return 444;
        }

    (444 means the HTTP response from nginx is "connection closed without response", so even if there are hundreds of requests every second, any decent VPS can handle it without creating much load.)

    You can also stop it before it reaches the Apache/nginx server by blocking it using iptables.

    I hope my experience of handling this similar issue will help you :)

    First real answer and not trolling around.
    I need to put it in nginx.conf in the server area, right?
    By the way, any guide to block it at the iptables level?

    Could you not do something similar using OSSEC at the iptables level to drop packets with WordPress in the header?

  • SplitIce Member, Host Rep

    @mycosys You really shouldn't use a Layer 3/4 firewall to filter Layer 7. There will be side effects (false positives of a string match, false negatives when a packet is split, performance hit), and of course it won't work with HTTPS/SSL.

  • @SplitIce said:
    @mycosys You really shouldn't use a Layer 3/4 firewall to filter Layer 7. There will be side effects (false positives of a string match, false negatives when a packet is split, performance hit), and of course it won't work with HTTPS/SSL.

    Banning attackers using fail2ban targeting the WordPress referrer, or doing it by hand, works even with HTTPS/SSL, which would thin out the attack given enough time.

    You could also give Cloudflare's "I'm Under Attack" mode a try, which is annoying for legit visitors but should block the WordPress requests, assuming they can't execute the necessary JavaScript.

  • Blazingfast.io, reverse proxy for website service.

    €25/month.

  • I hadn't seen the nginx requests in the top command, so I installed ngxtop. There are 1k requests per second, so nginx goes down too. Is there no way to block this layer 7 attack with CSF/fail2ban or iptables, dropping it before it comes into the server?
    Cloudflare "I'm under attack" does the trick (the server stays up but heavily loaded), but it's kind of annoying.

  • WebGuru Member
    edited September 2016

    @Tion said:

    @SplitIce said:
    @mycosys You really shouldn't use a Layer 3/4 firewall to filter Layer 7. There will be side effects (false positives of a string match, false negatives when a packet is split, performance hit), and of course it won't work with HTTPS/SSL.

    Banning attackers using fail2ban targeting the WordPress referrer, or doing it by hand, works even with HTTPS/SSL, which would thin out the attack given enough time.

    You could also give Cloudflare's "I'm Under Attack" mode a try, which is annoying for legit visitors but should block the WordPress requests, assuming they can't execute the necessary JavaScript.

    There is a way to make Cloudflare's "I'm Under Attack" mode less annoying. @Advicerxyz, if most of your traffic is not from the countries that host most websites/VPSes/servers on the internet (USA, UK, France, etc.), then you can do a trick: whitelist all the countries you get most of your traffic from (in my case India, Pakistan, Bangladesh, etc.) and show a captcha page to the rest of the countries using the CF Firewall, which is free to use in Cloudflare. That trick can work for you, but it depends on your type of traffic. Most of these WordPress attacks come from sites hosted in countries like the USA, UK, France, etc. (check your logs), so if those are not your main source of traffic, you can show them a captcha while whitelisting other countries in the firewall.

  • Still nothing... I even tried to migrate to another DDoS-protected VPS, nothing. I understand that XML-RPC DDoS protection is from the server side, not from the network level.

  • Try the plugin "Wordfence Security" (v6.1.15 is the latest). CSF or other.

  • It's not a brute force. Brute force is easy to mitigate. We are talking here about a DDoS attack method that uses ping verification, like 3-5k r/s. That's what I'm trying to mitigate. Any solution, or does no one want to reveal their cards? Willing to pay for a solution.

  • SplitIce Member, Host Rep

    SplitIce said: look into DDoS protection (make sure they include Layer 7 protection). Any Layer 7 protection worth its salt should include protection against this extremely common attack type.

    There are plenty of services that should protect you against this kind of attack. It's extremely common (it's one that almost every 'stresser'/'booter' has).
