Nobody home

Was looking at my log files today and saw a bunch of IP’s trying to access the xmlrpc.php file over and over again. There are 2 ways you can block these IP’s from trying to access this file and slowing down your website.

Btw, I’m running CentOS 6 and Apache on my server.

  1. Create (or update) an .htaccess file in the root folder where xmlrpc.php file is. At the bottom of the file you can put the following to send the IP a 403 error.
    order allow, deny
    deny from XXX.XXX.XXX.XXX
    deny from XXX.XXX.XXX.XXX
    allow from all
  2. Another way to block the IP is to block them on the firewall using iptables. I have created a script that reads a file of IPs and puts them in iptables.
    $ cd ~/
    $ mkdir iptables
    $ cd iptables
    $ touch blocked.ips block.sh
    Then you need to edit the blocked.ips file to include the IPs you want to block.
    123.123.123.123
    123.123.123.0/20
    etc...
    Here is my block.sh script file.
    #!/bin/bash
    IPT=/sbin/iptables
    SPANLIST="spamlist"
    SPAMDROPMSG="SPAM LIST DROP"
    BADIPS=$(egrep -v -E "^^#|^$" blocked.ips)
    # Create a new iptables spam list if not already there
    $IPT -N $SPAMLIST

    # Delete any existing chain rules
    $IPT --flush $SPAMLIST

    for ipblock in $BADIPS
    do
    $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
    $IPT -A $SPAMLIST -s $ipblock -j DROP
    done

    $IPT -I INPUT -j $SPAMLIST
    $IPT -I OUTPUT -j $SPAMLIST
    $IPT -I FORWARD -j $SPAMLIST

    service iptables save

    Doing this will drop the IP at the firewall and log in the /var/log/messages file. If you don’t like to see the messages in the log file, you can ignore the
    $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG"
    from the block.sh script.

Enjoy!