Home / server / Questions / 778831
In Process
Kornel
Asked: 2016-05-25 15:13:00 +0800 CST

How to block an attack on Wordpress using UFW on Ubuntu server?

  • 772

On ny Ubuntu 14 box I have weird activity looking like attack on Wordpress page. Apache log shows a lot's of this:

191.96.249.54 - - [25/May/2016:00:46:57 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [25/May/2016:00:46:58 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [25/May/2016:00:46:59 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [25/May/2016:00:47:00 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

It look exactly like the situation described here: http://blog.carlesmateo.com/2014/08/30/stopping-and-investigating-a-wordpress-xmlrpc-php-attack/

The first thing which cane to my mind was to block those guys with iptables so I put:

iptables -A INPUT -s 191.96.249.54 -j DROP
iptables -A INPUT -s 191.96.249.53 -j DROP

But it kept going.

Because I use UFW I added UFW rules:

ufw deny from 191.96.249.54 to any
ufw deny from 191.96.249.53 to any

But nothing improved. Then I disabled UFW and it stopped!

Mu UFW rules are (ufw status):

Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
143                        ALLOW       Anywhere
993                        ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
465/tcp                    ALLOW       Anywhere
Anywhere                   DENY        191.96.249.54
Anywhere                   DENY        191.96.249.53
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
143 (v6)                   ALLOW       Anywhere (v6)
993 (v6)                   ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
465/tcp (v6)               ALLOW       Anywhere (v6)

Then I realized that the very first rule is to allow http... So I deleted it and added it again so now it's at the end of the chain. It helped. Apparently I should insert the blocking rule like this: 

ufw insert [position] [theRule]

Am I right? Well apparently it worked, but is it good practice or should I do it other way?

ufw

1 Answers

  1. I suggest learning about ipset.

    And similarly to the UFW situation, iptables -A appends a new rule at the end of the netfilter chain. Which means that if there had been a matching rule before the rules you've added, your rules will not trigger.

    So, in your case, you should have entered

    iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

    which, by default, inserts the rule at the first position in the chain.

    Check the complete chain using the command iptables-save.

    Now, changing iptables rule chain everytime you get an attack will be very problematic, and fraught with danger, especially since you're using a 'blanket DROP'. Plus the necessity of having to delete the rules.

    So, use ipset. Here's a good guide with great examples and some analysis on performance impact:

    http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

    The key thing to do is to enter these two commands:

    ipset create blacklist hash:ip hashsize 4096
iptables -I INPUT -m set --match-set blacklist src -p TCP \
    --destination-port 80 -j DROP

    Now you can simply add suspicious IP addresses to the set blacklist, and never have to contend with rules processing order again.

    • 4