As I had already mentioned in the post below:
https://www.deuzebranaweb.com.br/2014/09/24/scripts-milagrosos-para-bloquear-ataques-ddos-utilizando-o-iptables/
<Limit POST>
Deny from all
</Limit>
While monitoring hits to this blog, I noticed that the file which received the most hits is xmlrpc.php. I was surprised because I don’t use XML-RPC for remote access or posting at all. I guess the problem comes from bots, spammers or even hackers. So I decided to disable XML-RPC completely and here is how I did that.
What is XML-RPC?
According to Wikipedia, XML-RPC is a Remote Procedure Call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. XML-RPC also refers generically to the use of XML for remote procedure call, independently of the specific protocol.
Briefly, you use XML-RPC when you want to do something remotely to your blog such as posting, viewing comments, etc.
How is XML-RPC used in WordPress?
By default, WordPress 3.5+ enables XML-RPC automatically! It was under user control in previous versions, but that option was removed in version 3.5 because WordPress decided it should be enabled by default.
WordPress provides its own XML-RPC API to let us interact with (get, read, edit, post, etc.) posts, comments, taxonomies, media, users and even options, which means everything!
But where can you find applications of XML-RPC in WordPress?
The answer is many places:
– Pingback
– JSON API
– iPhone/Android app
– Remote posting, by Microsoft Word for example. Here is a guide
</gre_replace>
<gr_replace lines="22-23" cat="clarify" orig="As I said">
As I said earlier, enabling XML-RPC without knowing about its functionality is no different from opening a backdoor for spammers and hackers. At the very least it wastes your server/hosting resources. Disable it if you don’t need it.
First of all, you need to turn off XML-RPC functionality in WordPress, using this code (it is best put in a functionality plugin):
– Your own apps, perhaps!
How to disable XML-RPC in WordPress
As I said earlier, enabling XML-RPC without knowing about its functionality is no different to open a backdoor for spammers and hackers. It sometimes just wastes your server/hosting resources. Disable it if you don’t need.
First of all, you need to turn off XML-RPC functionality in WordPress, using this code (you better put it in a functionality plugin):
add_filter( 'xmlrpc_enabled', '__return_false' );
This simple line tells WordPress to reject all remote requests made over XML-RPC. But if you use a tool to check HTTP headers, you still see the link to xmlrpc.php:
Here I used RedBot.org to check HTTP headers. It’s very simple but works better than any other tool I’ve used.
The presence of xmlrpc.php in the HTTP headers (the X-Pingback header) is a sign that tells spammers and bots "I still have a door open for you". And you keep receiving hits at that door, even though all of them are denied by WordPress. That wastes resources!
So, to hide xmlrpc.php in the HTTP response headers, you need the following code (in the same functionality plugin):
// Strip the X-Pingback header, which advertises the URL of xmlrpc.php
add_filter( 'wp_headers', 'yourprefix_remove_x_pingback' );
function yourprefix_remove_x_pingback( $headers )
{
    unset( $headers['X-Pingback'] );
    return $headers;
}
That’s enough for WordPress. From now on spammers and bots are not told the URL of xmlrpc.php, and if they guess the correct URL, their requests are denied by WordPress.
But there’s still room to improve performance. Instead of making WordPress handle requests to xmlrpc.php, why don’t we make the web server, Apache or nginx, handle them? Requests will be denied at a lower layer of the stack, before PHP and WordPress are loaded at all, thus improving performance in general.
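An added example, not from the original post, for measuring the hits described above: a small Python script that parses combined-format access log lines (the sample lines are constructed for this example) and reports how many requests hit xmlrpc.php, from which source addresses, and how many were answered with something other than 403, that is, were not stopped by a web-server rule and still reached PHP.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 372 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 372 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2014:12:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.37.0"
192.0.2.5 - - [10/Oct/2014:12:00:04 +0000] "GET / HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2014:12:00:06 +0000] "GET /2014/09/post/ HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per parseable combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def xmlrpc_report(text):
    """Summarise requests to xmlrpc.php: total, by status, by source IP."""
    hits = [r for r in parse_log(text)
            if r["path"].split("?")[0].endswith("/xmlrpc.php")]
    return {
        "total": len(hits),
        "by_status": Counter(r["status"] for r in hits),
        "by_ip": Counter(r["ip"] for r in hits),
        # 403 means the Apache/nginx rule answered before PHP ran; any other
        # status means the request was not stopped at the web-server layer.
        "reached_php": sum(1 for r in hits if r["status"] != "403"),
    }


if __name__ == "__main__":
    rep = xmlrpc_report(SAMPLE_LOG)
    print(f"xmlrpc.php hits: {rep['total']}, not stopped by web server: {rep['reached_php']}")
    for ip, n in rep["by_ip"].most_common(5):
        print(f"  {ip}: {n}")
```

Once the .htaccess or nginx rule is in place, every new xmlrpc.php entry should carry status 403; a non-zero "reached_php" count after that point means the rule is not being applied.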
Denying requests to xmlrpc.php with Apache or nginx
Jeff Starr at Perishable wrote a very detailed post about how to deny requests to xmlrpc.php using .htaccess. The code for .htaccess is very simple:
<IfModule mod_alias.c>
RedirectMatch 403 /xmlrpc.php
</IfModule>
or
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
If you want to redirect hits to xmlrpc.php to another website/URL, use this code:
<IfModule mod_alias.c>
Redirect 301 /xmlrpc.php http://example.com/custom-page.php
</IfModule>
If you’re using nginx, this is the code you should add to the server block:
server {
    # ... other server directives ...
    location = /xmlrpc.php {
        deny all;
    }
}
That’s all. Your blog is fully protected from unexpected remote requests over XML-RPC. And hopefully it saves server resources and improves website performance.
http://www.deluxeblogtips.com/2013/08/disable-xml-rpc-wordpress.html
http://www.linuxquestions.org/questions/linux-server-73/iptables-rate-limit-to-block-ddos-931931/
http://www.vivaolinux.com.br/topico/Squid-Iptables/Bloqueando-ataque-DoS-no-Iptables
On Linux there is something for iptables, but how it gets in through M$ only God knows.
#!/bin/sh
# Rate-limit new TCP connections (SYN) crossing this box.
# Note: a "-m limit ... -j ACCEPT" rule on its own only lets the first packets
# match here; the excess falls through to the following rules and is NOT
# dropped unless a later rule drops it.
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
###### Enable SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
###### Protection against ICMP broadcasting
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
###### Protection against IP spoofing (reverse-path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
###### Miscellaneous protection against port scanners, ping of death, DoS attacks, malformed packets, etc.
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p icmp --icmp-type echo-reply -m limit --limit 1/s -j DROP
/sbin/iptables -A FORWARD -p tcp -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A FORWARD --protocol tcp --tcp-flags ALL SYN,ACK -j DROP
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Chain that drops TCP packets with flag combinations used by scanners
/sbin/iptables -N VALID_CHECK
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
# The original script never jumped to VALID_CHECK, so it had no effect;
# send incoming and forwarded TCP through it (fix added here).
/sbin/iptables -A INPUT -p tcp -j VALID_CHECK
/sbin/iptables -A FORWARD -p tcp -j VALID_CHECK
## Limiting connections on port 80 #######
# Because both rules are inserted (-I) at the top, the --update/DROP rule ends
# up first: more than 10 new connections from one address within 1 second are dropped.
/sbin/iptables -I INPUT -p tcp --dport 80 -i eth1 -m state --state NEW -m recent --set
/sbin/iptables -I INPUT -p tcp --dport 80 -i eth1 -m state --state NEW -m recent --update --seconds 1 --hitcount 10 -j DROP