This is a continuation of the previous post, adding the part I missed there.
To block xmlrpc.php (and wp-login.php) brute-force attacks we have been using the CSF firewall (csf/lfd) with custom regex rules, as explained below:
1. Point CSF's first custom log slot at the per-domain Apache access logs (the path below is the cPanel domlogs location; adjust it for other setups):

nano -w /etc/csf/csf.conf

Replace

CUSTOM1_LOG = "/var/log/customlog"

with the line below:

CUSTOM1_LOG = "/usr/local/apache/domlogs/*/*"

2. Add the following custom rules to the regex.custom.pm hook (they go inside the existing subroutine, next to the commented-out example rule):

nano -w /usr/local/csf/bin/regex.custom.pm
# Block the client IP after 10 requests to wp-login.php within the LF_INTERVAL window (3600 s by default)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
	return ("WP Login Attack",$1,"WPLOGIN","10","80,443","1");
}
# Block the client IP after 10 requests to xmlrpc.php within the LF_INTERVAL window (3600 s by default)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
	return ("WP XMLRPC Attack",$1,"XMLRPC","10","80,443","1");
}

The return values are: the message logged by lfd, the offending IP (the first field of the access-log line, captured as $1), a unique trigger name, the hit count that triggers the block, the ports to block ("80,443" keeps the block to the web ports only), and the block duration in seconds, where "1" means a permanent block; put a number of seconds such as "3600" there if you prefer a temporary block. Two caveats: the rule only works when the first field of the log line is the real client address, so behind a CDN or reverse proxy you must log the real client IP (for example with mod_remoteip) or you will end up blocking the proxy; and anything that legitimately uses xmlrpc.php, such as remote publishing clients, is counted by the same rule and will be blocked once it passes 10 requests in the window.

3. Restart csf and lfd so the new log path and rules are picked up:

csf -r
service lfd restart
You will start seeing lfd log entries like the one below (the IP is masked here):
server02 lfd[3737725]: (WPLOGIN) WP Login Attack X.X.X.X (US/United States/-): 10 in the last 3600 secs - Blocked in csf [LF_CUSTOMTRIGGER]
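To check what the two rules will actually trip on before enabling them, it helps to replay the same regular expressions over access-log lines and count hits per IP inside a 3600 second window, which is what lfd does for LF_CUSTOMTRIGGER rules. The script below is an added example written for this post; it is not part of CSF and not the post's original code. The log lines, IP addresses and timestamps in it are constructed for the example, and the window and trigger count mirror the rules above (LF_INTERVAL default of 3600 s, 10 hits). Perl and Python agree on the regex syntax used here, so the patterns are copied verbatim.

```python
"""Replay the CSF regex.custom.pm rules above over Apache access-log lines.

Added example, not part of CSF or of the original post. It applies the same two
regular expressions to constructed log lines and counts hits per client IP inside
a sliding window, the way lfd does for LF_CUSTOMTRIGGER rules.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same patterns as the regex.custom.pm rules (group 1 = first field = client IP).
RULES = (
    ("WPLOGIN", re.compile(r'(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" ')),
    ("XMLRPC", re.compile(r'(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" ')),
)
TRIGGER_COUNT = 10   # 4th return value of each rule
INTERVAL = 3600      # LF_INTERVAL default, in seconds

# Apache timestamp, e.g. [01/May/2024:10:00:00 +0000]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def parse_ts(line):
    """Extract the request timestamp from a combined-format log line."""
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def find_blocks(lines, trigger=TRIGGER_COUNT, interval=INTERVAL):
    """Return {(ip, rule_name): hit_count} for every IP that trips a rule.

    Lines are processed in log order; for each (ip, rule) only the hits that
    fall inside the last `interval` seconds are kept, and the block fires as
    soon as that count reaches `trigger`.
    """
    hits = defaultdict(deque)   # (ip, rule) -> timestamps inside the window
    blocked = {}
    for line in lines:
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            key = (m.group(1), name)
            if key in blocked:          # already blocked, nothing more to count
                break
            ts = parse_ts(line)
            window = hits[key]
            window.append(ts)
            while (ts - window[0]).total_seconds() > interval:
                window.popleft()        # drop hits older than the window
            if len(window) >= trigger:
                blocked[key] = len(window)
            break                       # a line matches at most one rule
    return blocked


def make_line(ip, ts, method, path, status):
    """Constructed Apache combined-format line (sample data, not a real log)."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed traffic: one attacker, one normal user, one slow scanner."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # 12 xmlrpc.php POSTs from one address in 6 minutes -> XMLRPC fires at hit 10
    for i in range(12):
        lines.append(make_line("203.0.113.7", base + timedelta(seconds=30 * i),
                               "POST", "/xmlrpc.php", 200))
    # 3 wp-login.php attempts from a normal user -> stays under the trigger
    for i in range(3):
        lines.append(make_line("198.51.100.5", base + timedelta(minutes=i),
                               "POST", "/wp-login.php", 302))
    # 12 wp-login.php hits spaced 30 min apart -> never 10 inside one 3600 s window
    for i in range(12):
        lines.append(make_line("192.0.2.9", base + timedelta(minutes=30 * i),
                               "GET", "/wp-login.php", 200))
    # Ordinary page views are never counted by either rule
    lines.append(make_line("203.0.113.7", base, "GET", "/index.php", 200))
    return lines


if __name__ == "__main__":
    for (ip, rule), count in find_blocks(sample_log()).items():
        print(f"({rule}) {ip}: {count} in the last {INTERVAL} secs - would be blocked")
```

Feed real domlogs lines into find_blocks() (reading the file instead of sample_log()) to see which addresses the rules would block on your own traffic; the slow scanner in the sample shows why a per-hour threshold alone misses low-and-slow attempts, and the normal user shows that a handful of logins stays well under it.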