
On my Ubuntu 14 box I have weird activity that looks like an attack on a WordPress page. The Apache log shows a lot of this:

191.96.249.54 - - [25/May/2016:00:46:57 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [25/May/2016:00:46:58 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [25/May/2016:00:46:59 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [25/May/2016:00:47:00 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

It looks exactly like the situation described here: http://blog.carlesmateo.com/2014/08/30/stopping-and-investigating-a-wordpress-xmlrpc-php-attack/

The first thing which came to my mind was to block those guys with iptables, so I put:

iptables -A INPUT -s 191.96.249.54 -j DROP
iptables -A INPUT -s 191.96.249.53 -j DROP

But it kept going.

Because I use UFW I added UFW rules:

ufw deny from 191.96.249.54 to any
ufw deny from 191.96.249.53 to any

But nothing improved. Then I disabled UFW and it stopped!

My UFW rules are (ufw status):

Status: active

To                         Action      From
--                         ------      ----
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
143                        ALLOW       Anywhere
993                        ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
465/tcp                    ALLOW       Anywhere
Anywhere                   DENY        191.96.249.54
Anywhere                   DENY        191.96.249.53
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
143 (v6)                   ALLOW       Anywhere (v6)
993 (v6)                   ALLOW       Anywhere (v6)
25/tcp (v6)                ALLOW       Anywhere (v6)
465/tcp (v6)               ALLOW       Anywhere (v6)

Then I realized that the very first rule is to allow HTTP... So I deleted it and added it again, so now it's at the end of the chain. It helped. Apparently I should insert the blocking rule like this:

ufw insert [position] [theRule]

Am I right? Well, apparently it worked, but is it good practice or should I do it another way?

Kornel
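An added example to illustrate the ordering problem from the question (this is not the asker's code): it picks the clients hammering POST /xmlrpc.php out of an Apache combined log and emits UFW deny rules with "ufw insert 1", so they land ahead of the "80 ALLOW Anywhere" rule instead of being appended behind it. The sample log lines are constructed, the threshold is a hypothetical choice, and DRY_RUN prints the commands instead of running them (real use needs root).

```shell
#!/bin/sh
# Added example, not part of the original question: pick out the clients that
# hammer POST /xmlrpc.php in an Apache combined log and emit UFW deny rules
# that are INSERTED at position 1, ahead of the "80 ALLOW Anywhere" rule.
# Appending with plain "ufw deny" lands after that ALLOW and never matches,
# which is what the question observed. The threshold is a hypothetical choice.

# Constructed sample log (shape of the question's lines; not real traffic).
SAMPLE_LOG='191.96.249.54 - - [25/May/2016:00:46:57 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0"
191.96.249.53 - - [25/May/2016:00:46:58 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0"
191.96.249.54 - - [25/May/2016:00:46:59 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0"
191.96.249.53 - - [25/May/2016:00:47:00 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0"
191.96.249.54 - - [25/May/2016:00:47:01 +0200] "POST /xmlrpc.php HTTP/1.0" 500 585 "-" "Mozilla/4.0"
203.0.113.7 - - [25/May/2016:00:47:02 +0200] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Jetpack by WordPress.com"
203.0.113.9 - - [25/May/2016:00:47:03 +0200] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"'

# xmlrpc_offenders THRESHOLD: read a combined log on stdin and print
# "count ip" for each client with at least THRESHOLD POSTs to /xmlrpc.php,
# busiest first. Field 6 is the quoted method, field 7 the request path.
xmlrpc_offenders() {
    awk -v t="${1:-10}" '
        $6 == "\"POST" && $7 == "/xmlrpc.php" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# run CMD...: execute, or just print when DRY_RUN is set (ufw needs root).
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# block_xmlrpc_offenders THRESHOLD: one "ufw insert 1 deny" per offender.
# Position 1 is what makes the rule win; check with "ufw status numbered".
block_xmlrpc_offenders() {
    xmlrpc_offenders "$1" | while read -r count ip; do
        run ufw insert 1 deny from "$ip" to any
    done
}

# Real use (as root):  block_xmlrpc_offenders 50 < /var/log/apache2/access.log
# Demo against the constructed sample, printing instead of changing the firewall:
#   sh ufw_xmlrpc.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    printf '%s\n' "$SAMPLE_LOG" | block_xmlrpc_offenders 2
fi
```

The threshold matters because xmlrpc.php is also used legitimately (Jetpack, the WordPress mobile apps); the single Jetpack POST in the sample stays below it. After inserting, "ufw status numbered" should list the deny entries at the top, before the port 80 ALLOW.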

1 Answer


I suggest learning about ipset.

Similarly to the UFW situation, iptables -A appends a new rule at the end of the netfilter chain, which means that if there was a matching rule before the rules you added, your rules will not trigger.

So, in your case, you should have entered

iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP

which, by default, inserts the rule at the first position in the chain.

Check the complete chain using the command iptables-save.

Now, changing the iptables rule chain every time you get an attack will be very problematic and fraught with danger, especially since you're using a 'blanket DROP'. Plus there is the necessity of having to delete the rules.

So, use ipset. Here's a good guide with great examples and some analysis on performance impact:

http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

The key thing to do is to enter these two commands:

ipset create blacklist hash:ip hashsize 4096
iptables -I INPUT -m set --match-set blacklist src -p TCP \
    --destination-port 80 -j DROP

Now you can simply add suspicious IP addresses to the set blacklist, and never have to contend with rules processing order again.

pepoluan
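An added example (not the answerer's code and not taken from the linked guide) that builds on the two ipset commands above and adds what a practitioner would want around them: entries carry a timeout so they expire by themselves instead of needing manual deletion, the iptables hook is inserted only once (checked with "iptables -C", available in iptables 1.4.11 and later, before "-I"), and addresses are syntax-checked before they reach ipset. The set name "blacklist", the 24-hour default and the save path are hypothetical defaults; DRY_RUN prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the answer's own code nor the linked guide's: an
# ipset-backed blacklist as the answer recommends, with the checks a
# practitioner wants on top: entries carry a timeout so they expire on their
# own (no rule deletion later), the iptables hook is only inserted once
# (iptables -C before -I), and addresses are syntax-checked before they reach
# ipset. Set name, timeout and save path are hypothetical defaults.

SET_NAME="${SET_NAME:-blacklist}"
BAN_SECONDS="${BAN_SECONDS:-86400}"            # default ban: 24 hours
SAVE_FILE="${SAVE_FILE:-/etc/ipset.blacklist.save}"

# run CMD...: execute CMD, or only print it when DRY_RUN is set
# (real runs need root and the ipset/iptables binaries).
run() { if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# is_ipv4 ADDR: dotted-quad syntax check, each octet 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# hook_present: true if the DROP rule for the set is already in INPUT.
# Under DRY_RUN assume it is not, so the setup step shows the insert.
hook_present() {
    [ -n "${DRY_RUN:-}" ] && return 1
    iptables -C INPUT -m set --match-set "$SET_NAME" src -p tcp --dport 80 -j DROP 2>/dev/null
}

# blacklist_setup: create the set (idempotent thanks to -exist) and insert the
# DROP rule at position 1 of INPUT, ahead of any ACCEPT for port 80 and ahead
# of ufw's own jump rules. "timeout" on the set makes every entry expire after
# BAN_SECONDS unless "ipset add ... timeout N" says otherwise.
blacklist_setup() {
    run ipset -exist create "$SET_NAME" hash:ip hashsize 4096 timeout "$BAN_SECONDS"
    hook_present || run iptables -I INPUT 1 -m set --match-set "$SET_NAME" src \
        -p tcp --dport 80 -j DROP
}

# blacklist_add IP [SECONDS]: ban IP for SECONDS (default BAN_SECONDS).
blacklist_add() {
    is_ipv4 "$1" || { printf 'refusing non-IPv4 value: %s\n' "$1" >&2; return 2; }
    run ipset -exist add "$SET_NAME" "$1" timeout "${2:-$BAN_SECONDS}"
}

# blacklist_del IP: lift a ban before it expires.
blacklist_del() { run ipset -exist del "$SET_NAME" "$1"; }

# blacklist_check IP: exit status 0 if IP is currently in the set.
blacklist_check() { run ipset test "$SET_NAME" "$1"; }

# blacklist_save / blacklist_restore: the set lives in kernel memory only, so
# save it and restore it at boot before blacklist_setup re-adds the hook.
# (Not wrapped in run: both need a real ipset and the file redirect.)
blacklist_save()    { ipset save "$SET_NAME" > "$SAVE_FILE"; }
blacklist_restore() { ipset -exist restore < "$SAVE_FILE"; }

# Demo: prints what would be done instead of touching the kernel.
#   sh blacklist.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    blacklist_setup
    blacklist_add 191.96.249.54              # default 24h ban
    blacklist_add 191.96.249.53 3600         # shorter ban
    blacklist_add garbage || echo "rejected, exit $?"
    blacklist_del 191.96.249.53
fi
```

Because the DROP rule is inserted straight into INPUT, "ufw status" will not show it; inspect the live chain with iptables-save as the answer says, and "ipset list blacklist" shows the current entries with their remaining timeouts.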