{"id":3141,"date":"2014-09-24T21:04:57","date_gmt":"2014-09-24T21:04:57","guid":{"rendered":"http:\/\/www.deuzebranaweb.com.br\/?p=3141"},"modified":"2014-09-24T21:04:57","modified_gmt":"2014-09-24T21:04:57","slug":"htaccess-regras-para-parar-ddos-post-flooding","status":"publish","type":"post","link":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/2014\/09\/24\/htaccess-regras-para-parar-ddos-post-flooding\/","title":{"rendered":".htaccess regras para parar DDoS POST flooding"},"content":{"rendered":"

Como ja havia citado no posta abaixo:<\/p>\n

http:\/\/www.deuzebranaweb.com.br\/2014\/09\/24\/scripts-milagrosos-para-bloquear-ataques-ddos-utilizando-o-iptables\/<\/p>\n

 <\/p>\n

<Limit POST>\nDeny from all\n<\/Limit><\/code><\/pre>\n
While monitoring hits to this blog, I recognize that the file which received most hits is xmlrpc.php<\/code>. I was surprise because I don\u2019t use XML-RPC for remote access, posting at all. I guess the problem may comes from bots, spammers or even hackers. So I decided to disable XML-RPC<\/strong> completely and here is how I did that.<\/p>\n
What is XML-RPC?<\/h2>\n
According to Wikipedia<\/a>, XML-RPC<\/strong> is a R<\/strong>emote P<\/strong>rocedure C<\/strong>all (RPC) protocol which uses XML<\/strong> to encode its calls and HTTP as a transport mechanism. XML-RPC also refers generically to the use of XML for remote procedure call, independently of the specific protocol.<\/p>\n
Briefly, you use XML-RPC when you want to do something remotely to your blog such as posting, viewing comments, etc.<\/p>\n
How XML-RPC is used in WordPress?<\/h2>\n
By default, WordPress 3.5+ enables XML-RPC automatically<\/strong><\/a>! It was under user control in previous versions but that option was removed in version 3.5 as WordPress thinks it should be enable by default.<\/p>\n
WordPress creates its own API<\/a> for XML-RPC to let us interact (get, read, edit, post, etc.) posts, comments, taxonomies, media, users and even options which means everything!<\/p>\n
But where you can find application of XML-RPC in WordPress<\/strong>?<\/p>\n
The answer is many places:
\n\u2013 Pingback
\n\u2013 JSON API
\n\u2013 iPhone\/Android app
\n\u2013 Remote posting by Microsoft Word for example. Here is guide<\/a>
\n\u2013 Your own apps, perhaps!<\/p>\n
How to disable XML-RPC in WordPress<\/h2>\n
As I said earlier, enabling XML-RPC without knowing about its functionality is no different to open a backdoor for spammers and hackers. It sometimes just wastes your server\/hosting resources. Disable it if you don\u2019t need.<\/p>\n
First of all, you need to turn off XML-RPC functionality in WordPress, using this code (you better put it in a functionality plugin<\/a>):<\/p>\n
    \n
  1. add_filter<\/span>(<\/span> 'xmlrpc_enabled'<\/span>,<\/span> '__return_false'<\/span> );<\/span><\/code><\/li>\n<\/ol>\n
    This simple line tells WordPress to stop all remote requests using XML-RPC. But if you use a tool to check HTTP headers, you still see the link to xmlrpc.php<\/code>:<\/p>\n
    \"disable<\/p>\n
    The present of xmlrpc.php<\/code> in HTTP headers is a sign that tells spammers, bots that I\u2019m still open a door for you. And you keep receiving hits to that door, even all hits are denied by WordPress. That wastes resources!<\/p>\n
    So, to hide xmlrpc.php<\/code> in HTTP response headers, you need the following code (in functionality plugin):<\/p>\n
      \n
    1. add_filter<\/span>(<\/span> 'wp_headers'<\/span>,<\/span> 'yourprefix_remove_x_pingback'<\/span> );<\/span><\/code><\/li>\n
    2. function<\/span> yourprefix_remove_x_pingback<\/span>(<\/span> $headers <\/span>)<\/span><\/code><\/li>\n
    3. {<\/span><\/code><\/li>\n
    4.  unset<\/span>(<\/span> $headers<\/span>[<\/span>'X-Pingback'<\/span>]<\/span> );<\/span><\/code><\/li>\n
    5.  return<\/span> $headers<\/span>;<\/span><\/code><\/li>\n
    6. }<\/span><\/code><\/li>\n<\/ol>\n
      That\u2019s enough for WordPress. From now spammers and bots don\u2019t know URL to xmlrpc.php<\/code> and if they guess<\/em> correct URL, their requests are denied by WordPress<\/strong>.<\/p>\n
      But there\u2019s still a room to improve the performance. Instead of making WordPress handles requests to xmlrpc.php<\/code>, why don\u2019t we make web server like Apache or nginx handle them? Requests will be denied in a lower layer of application, thus improving performance in general.<\/p>\n
      Denied requests to xmlrpc.php<\/code> by Apache or nginx<\/h2>\n
      Jeff Starr at Perishable wrote a very detailed post<\/a> about how to deny request to xmlrpc.php<\/code> using .htaccess<\/code>. The code for .htaccess<\/code> is very simple:<\/p>\n
        \n
      1. <IfModule<\/span> mod_alias<\/span>.<\/span>c<\/span>><\/span><\/code><\/li>\n
      2.  RedirectMatch 403 \/xmlrpc.php<\/span><\/code><\/li>\n
      3. <\/IfModule><\/span><\/code><\/li>\n<\/ol>\n
        or<\/p>\n
          \n
        1. <Files<\/span> xmlrpc<\/span>.<\/span>php<\/span>><\/span><\/code><\/li>\n
        2.  Order Deny,Allow<\/span><\/code><\/li>\n
        3.  Deny from all<\/span><\/code><\/li>\n
        4. <\/Files><\/span><\/code><\/li>\n<\/ol>\n
          If you want to redirect hits to xmlrpc.php<\/code> to another website\/URL, use this code:<\/p>\n
            \n
          1. <IfModule<\/span> mod_alias<\/span>.<\/span>c<\/span>><\/span><\/code><\/li>\n
          2.  Redirect 301 \/xmlrpc.php http:\/\/example.com\/custom-page.php<\/span><\/code><\/li>\n
          3. <\/IfModule><\/span><\/code><\/li>\n<\/ol>\n
            If you\u2019re using nginx, this is the code you should add to server<\/code> block:<\/p>\n
              \n
            1. server <\/span>{<\/span><\/code><\/li>\n
            2.  # stuff<\/span><\/code><\/li>\n
            3.  location <\/span>=<\/span> \/<\/span>xmlrpc<\/span>.<\/span>php <\/span>{<\/span><\/code><\/li>\n
            4.  deny all<\/span>;<\/span><\/code><\/li>\n
            5.  }<\/span><\/code><\/li>\n
            6. }<\/span><\/code><\/li>\n<\/ol>\n
              That\u2019s all. Your blog is fully protected from unexpected remote requests using XML-RPC. And hopefully it saves server resources and improve website performance.<\/p>\n
              \n\n\nhttp:\/\/www.deluxeblogtips.com\/2013\/08\/disable-xml-rpc-wordpress.html\nhttp:\/\/www.linuxquestions.org\/questions\/linux-server-73\/iptables-rate-limit-to-block-ddos-931931\/ http:\/\/www.vivaolinux.com.br\/topico\/Squid-Iptables\/Bloqueando-ataque-DoS-no-Iptables No linux tem algo para o IPtables mas como entra pelo M$ s\u00f3 Deus Sabe. <\/code><\/pre>\n
              ###### Protege contra synflood
              \n\/sbin\/iptables -A FORWARD -p tcp –syn -m limit –limit 1\/s -j ACCEPT
              \necho 1 > \/proc\/sys\/net\/ipv4\/tcp_syncookies###### Protecao contra ICMP Broadcasting
              \n#echo 1 > \/proc\/sys\/net\/ipv4\/icmp_echo_ignore_broadcasts
              \n#echo 1 > \/proc\/sys\/net\/ipv4\/icmp_echo_ignore_all
              \n###### Prote.. Contra IP Spoofing
              \necho 1 > \/proc\/sys\/net\/ipv4\/conf\/all\/rp_filter###### Protecao diversas contra portscanners, ping of death, ataques DoS, pacotes danificados e etc.
              \n\/sbin\/iptables -A FORWARD -p icmp –icmp-type echo-request -m limit –limit 1\/s -j ACCEPT
              \n\/sbin\/iptables -A INPUT -p icmp –icmp-type echo-request -m limit –limit 1\/s -j ACCEPT
              \n\/sbin\/iptables -A INPUT -i eth1 -p icmp –icmp-type echo-reply -m limit –limit 1\/s -j DROP
              \n\/sbin\/iptables -A FORWARD -p tcp -m limit –limit 1\/s -j ACCEPT
              \n\/sbin\/iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
              \n\/sbin\/iptables -A FORWARD -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1\/s -j ACCEPT
              \n\/sbin\/iptables -A FORWARD –protocol tcp –tcp-flags ALL SYN,ACK -j DROP
              \n\/sbin\/iptables -A INPUT -m state –state INVALID -j DROP
              \n\/sbin\/iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT
              \n\/sbin\/iptables -N VALID_CHECK
              \n\/sbin\/iptables -A VALID_CHECK -p tcp –tcp-flags ALL FIN,URG,PSH -j DROP
              \n\/sbin\/iptables -A VALID_CHECK -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
              \n\/sbin\/iptables -A VALID_CHECK -p tcp –tcp-flags ALL ALL -j DROP
              \n\/sbin\/iptables -A VALID_CHECK -p tcp –tcp-flags ALL FIN -j DROP
              \n\/sbin\/iptables -A VALID_CHECK -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
              \n\/sbin\/iptables -A VALID_CHECK -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
              \n\/sbin\/iptables -A VALID_CHECK -p tcp –tcp-flags ALL NONE -j DROP## Limitando conex..es na porta 80 #######
              \n\/sbin\/iptables -I INPUT -p tcp –dport 80 -i eth1 -m state –state NEW -m recent –set<\/p>\n
              \/sbin\/iptables -I INPUT -p tcp –dport 80 -i eth1 -m state –state NEW -m recent –update –seconds 1 –hitcount 10 -j DROP<\/p>\n<\/div>\n
              http:\/\/www.vivaolinux.com.br\/topico\/Squid-Iptables\/Bloqueando-ataque-DoS-no-Iptables<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
              Como ja havia citado no posta abaixo: http:\/\/www.deuzebranaweb.com.br\/2014\/09\/24\/scripts-milagrosos-para-bloquear-ataques-ddos-utilizando-o-iptables\/   <Limit POST> Deny from all <\/Limit> While monitoring hits to this blog, I recognize that the file which received most hits is xmlrpc.php. I was surprise because I don\u2019t use XML-RPC for remote access, posting at…<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_angie_page":false,"page_builder":"","footnotes":""},"categories":[5,12,7],"tags":[],"class_list":["post-3141","post","type-post","status-publish","format-standard","hentry","category-apache2","category-iptables","category-wordpress"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/posts\/3141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/comments?post=3141"}],"version-history":[{"count":0,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/posts\/3141\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/media?parent=3141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/categories?post=3141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/tags?post=3141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
    Here I use a RedBot.org<\/a> to check HTTP headers. It\u2019s very simple but works better than any tool I\u2019ve used.<\/p>\n