Ukrainians, WordPress and xmlrpc.php
On this sunny day of February 28, 2016, the year of our Lord, I woke up with a bunch of emails telling me the MySQL db on this fine server had been going down a whole number of times.
SSH didn't work, until it did. At which point I could not execute any command because the OS could not fork anything due to the lack of free memory.
Once the top command managed to run, I saw that everything was dominated by a big array of apache2 processes, which indicated some sort of DoS attack.
After a nice reboot (and a backup in between, of course!) I took a look at the logs and discovered a whole bunch of accesses like these:
185.93.185.249 - - [28/Feb/2016:21:40:49 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.247 - - [28/Feb/2016:21:41:10 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.249 - - [28/Feb/2016:21:41:35 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.247 - - [28/Feb/2016:21:42:22 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:30 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:36 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:52 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.254 - - [28/Feb/2016:21:42:55 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.254 - - [28/Feb/2016:21:44:01 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
As the first order of business, I moved xmlrpc.php somewhere out of sight (who needs it anyway? I can post shit just fine!), then minimized the number of processes Apache can spawn and added some golden rules to iptables:
# block Ukrainians
iptables -I INPUT -m iprange --src-range 185.93.185.1-185.93.185.254 -j DROP
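To show how an excerpt like the one above turns into a block decision, here is an added example (not code from the original post) that parses Apache access-log lines, flags source IPs that burst POST /xmlrpc.php requests within a short window, and collapses the offenders into /24 prefixes like the one the rule above drops. The sample log is constructed from the post's excerpt plus one benign request; the threshold and window values are assumptions to tune per server.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Constructed sample: lines from the post's own excerpt plus one benign request.
SAMPLE_LOG = """\
185.93.185.249 - - [28/Feb/2016:21:40:49 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.249 - - [28/Feb/2016:21:41:35 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:30 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:36 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
185.93.185.253 - - [28/Feb/2016:21:42:52 +0000] "POST /xmlrpc.php HTTP/1.1" 500 607 "-" "-"
203.0.113.7 - - [28/Feb/2016:21:43:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def xmlrpc_offenders(lines, threshold=3, window_seconds=300):
    """Map IP -> peak count of POST /xmlrpc.php requests inside any window of
    `window_seconds`, keeping only IPs whose peak reaches `threshold`
    (flags bursts, not a slow trickle spread over hours). Values are assumptions."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            hits[ip].append(ts)
    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders

def by_slash24(offenders):
    """Collapse flagged IPs into /24 prefixes with the number of distinct hosts in each."""
    return dict(Counter(".".join(ip.split(".")[:3]) + ".0/24" for ip in offenders))
```

Several distinct hosts from one /24 showing up together is what justifies a range-wide drop rather than single-host rules; a lone offender is better handled per IP.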
And now you can read this!