Using BASH to Deal with XMLRPC Brute Force Attacks

Recently, I have been monitoring my Apache logs more than usual. One, because it’s interesting, and two, because I kept getting a database connection error. So I do a

tail -f

on the access.log file, and it comes back with someone trying to send POST requests to the xmlrpc.php file.

Apache Log Files
POST Requests targeting xmlrpc.php

A trace-back on the IP address shows the request coming from a farm house in Eastern Germany. You can pretty much guarantee this traffic is malicious, suspicious, and not so inconspicuous.

IP information
A trackback on the suspicious traffic lead to these results

Because of all this suspicious traffic, there had to be a way to stop them from overloading my server with POST requests. I tried using iptables to add a single address, and it didn’t work. Than I tried to provide iptables with a range. This also failed to stop POST requests once the botnet realized it could just switch IP addresses.

So a security measure needed to be put in place that could actively monitor log files, and ban suspicious traffic.

The BASH script below is how I managed to ban suspicious traffic.

#!/bin/bash
filename="access.log"

while IFS= read -r line; do

    slug=$(echo "$line" | awk '{print $7}')

    method=$(echo "$line" | awk '{print $6}')

    if [[ $slug == "/xmlrpc.php" && $method == "\"POST" ]] ; then

        ip=$(echo "$line" | awk '{print $1}')

        command="iptables -I INPUT -s $ip -j DROP"

        echo $command;

        eval $command

        fi
done < "$filename"

This code runs on a timer every minute. Basically, it opens up the access.log file, loops through all of the traffic, and looks for requests that involve the word “/xmlrpc.php”. If it finds the key word, it grabs the ip address of the requester, and executes a firewall rule to block that ip address.

BASH Script Output
Output of the BASH script

Now, looking at my access.log, I see a removal of all POST requests to the xmlrpc.php files removed from future logs. In conclusion, this method is effective. It’s definitely not the prettiest, but does the job every time.

You Might Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *