New Wordpress XML-RPC Attack

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

New Wordpress XML-RPC Attack

Unread post by gaia »

CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: New Wordpress XML-RPC Attack

Unread post by mikeshinn »

Yes. If you have these rulesets enabled:

https://www.atomicorp.com/wiki/index.ph ... _00_THREAT
https://www.atomicorp.com/wiki/index.ph ... SEC_03_DOS
https://www.atomicorp.com/wiki/index.ph ... C_12_BRUTE

Note: If you use LiteSpeed, it doesn't support outbound inspection, so unfortunately what we can do with LiteSpeed against this is very limited. Eventually it will get caught, but the process is much slower.
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: New Wordpress XML-RPC Attack

Unread post by gaia »

mikeshinn wrote:Yes. If you have these rulesets enabled:

https://www.atomicorp.com/wiki/index.ph ... _00_THREAT
https://www.atomicorp.com/wiki/index.ph ... SEC_03_DOS
https://www.atomicorp.com/wiki/index.ph ... C_12_BRUTE

Note: If you use LiteSpeed, it doesn't support outbound inspection, so unfortunately what we can do with LiteSpeed against this is very limited. Eventually it will get caught, but the process is much slower.
The 1st rule was the only one not enabled. Can I enable it when I use a non-local DNS server, but one on the LAN (Google Compute Engine)?

Code:

; generated by /sbin/dhclient-script
search c.lamp-kvm1.internal. 5145307xxxxxx.google.internal. google.internal.
nameserver 169.254.169.254
nameserver 10.240.0.1
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: New Wordpress XML-RPC Attack

Unread post by mikeshinn »

Well for this specific attack, and only this one, you could get away with not turning it on. But in general brute force attacks are stopped better if you can enable all of these. The TI rules are stopping 75% of the attacks we see, so we highly recommend enabling them.
gaia
Forum Regular
Posts: 213
Joined: Tue Jun 09, 2009 12:57 pm

Re: New Wordpress XML-RPC Attack

Unread post by gaia »

mikeshinn wrote:Well for this specific attack, and only this one, you could get away with not turning it on. But in general brute force attacks are stopped better if you can enable all of these. The TI rules are stopping 75% of the attacks we see, so we highly recommend enabling them.
Thanks for the clarification, but can I enable it when I use a non-local DNS server, but one on the LAN (Google Compute Engine)?
CentOS 6.9
ASL 4.0.19-37
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: New Wordpress XML-RPC Attack

Unread post by mikeshinn »

gaia wrote:Thanks for the clarification, but can I enable it when I use a non-local DNS server, but one on the LAN (Google Compute Engine)?
You'll have to test their DNS servers yourself to see if they are fast enough for your needs. We recommend you run a local DNS resolver; they are always faster than a network DNS.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: New Wordpress XML-RPC Attack

Unread post by prupert »

mikeshinn wrote:
gaia wrote:Thanks for the clarification, but can I enable it when I use a non-local DNS server, but one on the LAN (Google Compute Engine)?
You'll have to test their DNS servers yourself to see if they are fast enough for your needs. We recommend you run a local DNS resolver; they are always faster than a network DNS.
I also have a preference for local DNS resolvers, but what you are stating is not necessarily true. Sure, the network latency will always be lower, but if the nearby resolver already has the record in its cache (or is simply faster in resolving), the non-local but nearby resolver will be faster.
Lemonbit Internet Dedicated Server Management
hostingg
Forum User
Posts: 63
Joined: Mon Mar 18, 2013 6:26 pm
Location: Earth

Re: New Wordpress XML-RPC Attack

Unread post by hostingg »

I have to respectfully disagree, a local socket to a local process is always going to be faster than a remote network query.
If everything was easy, then the world wouldn't need engineers.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: New Wordpress XML-RPC Attack

Unread post by prupert »

hostingg wrote:I have to respectfully disagree, a local socket to a local process is always going to be faster than a remote network query.
I did say that the network latency to a remote server should be higher if compared to using a local server. However, relatively the most time will be consumed by resolving the actual DNS query. So, in some cases, the nearby remote server can be faster. (Even when the network of handing over your query to the resolver is slower.)

(By the way, connections to 127.0.0.1 are NOT using a socket, but they are actual TCP traffic using the local loopback interface.)
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: New Wordpress XML-RPC Attack

Unread post by scott »

There are actually many fewer system operations connecting to the service over loopback. But hey, at the end of the day if you choose to accept the risk here, that is your option. Our official position: don't do it. Use a local server.
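Mike's advice to test the resolvers yourself, and prupert's point that a warm cache can make a nearby resolver win, can both be checked with the script below. It is an added example, not code from the thread or from Atomicorp; the helper names (parse_nameservers, build_query, query_latency_ms, benchmark), the 127.0.0.1 candidate and the example.com test name are assumptions, and the resolv.conf sample is constructed to mirror the one quoted earlier.

```python
import random, socket, struct, time

# Constructed sample resolv.conf, modelled on the one quoted in the thread.
SAMPLE_RESOLV_CONF = """; generated by /sbin/dhclient-script
search c.lamp-kvm1.internal. google.internal.
nameserver 169.254.169.254
nameserver 10.240.0.1
"""

def parse_nameservers(text):
    """Return nameserver addresses in the order the stub resolver tries them."""
    servers = []
    for line in text.splitlines():
        parts = line.split(";")[0].split("#")[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def build_query(name, txid):
    """Build a minimal A-record query (RD=1) for name with a 16-bit transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def query_latency_ms(server, name, timeout=2.0):
    """Send one UDP query; return round-trip time in ms, or None on timeout/bad reply."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        try:
            s.sendto(build_query(name, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:  # covers socket.timeout and unreachable networks
            return None
        elapsed = (time.perf_counter() - t0) * 1000
    # Accept only a reply with the matching id and the QR (response) bit set.
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid or not data[2] & 0x80:
        return None
    return elapsed

def benchmark(servers, name, repeats=3):
    """Time each server repeats times; the 2nd+ attempts show the warm-cache effect."""
    return {s: [query_latency_ms(s, name) for _ in range(repeats)] for s in servers}

if __name__ == "__main__":
    candidates = ["127.0.0.1"] + parse_nameservers(SAMPLE_RESOLV_CONF)
    for server, ms in benchmark(candidates, "example.com").items():
        print(server, ["timeout" if v is None else f"{v:.1f} ms" for v in ms])
```

Run it on the host with the ASL rules; the first attempt per server is the cold-cache cost, the later ones show what a cached answer costs, which is the difference the thread argues about.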