New Wordpress XML-RPC Attack

Posted: Fri Oct 09, 2015 12:58 pm
by gaia

Re: New Wordpress XML-RPC Attack

Posted: Fri Oct 09, 2015 4:34 pm
by mikeshinn
Yes. If you have these rulesets enabled:

https://www.atomicorp.com/wiki/index.ph ... _00_THREAT
https://www.atomicorp.com/wiki/index.ph ... SEC_03_DOS
https://www.atomicorp.com/wiki/index.ph ... C_12_BRUTE

Note: If you use LiteSpeed, it doesn't support outbound inspection, so unfortunately what we can do with LiteSpeed against this is very limited. Eventually it will get caught, but the process is much slower.

Re: New Wordpress XML-RPC Attack

Posted: Fri Oct 09, 2015 7:37 pm
by gaia
mikeshinn wrote:Yes. If you have these rulesets enabled:

https://www.atomicorp.com/wiki/index.ph ... _00_THREAT
https://www.atomicorp.com/wiki/index.ph ... SEC_03_DOS
https://www.atomicorp.com/wiki/index.ph ... C_12_BRUTE

Note: If you use LiteSpeed, it doesn't support outbound inspection, so unfortunately what we can do with LiteSpeed against this is very limited. Eventually it will get caught, but the process is much slower.
The 1st rule was the only one not enabled. Can I enable it when I don't use a local one, but a DNS server on the LAN (Google Compute Engine)?

; generated by /sbin/dhclient-script
search c.lamp-kvm1.internal. 5145307xxxxxx.google.internal. google.internal.
nameserver 169.254.169.254
nameserver 10.240.0.1

Re: New Wordpress XML-RPC Attack

Posted: Sat Oct 10, 2015 2:02 pm
by mikeshinn
Well for this specific attack, and only this one, you could get away with not turning it on. But in general brute force attacks are stopped better if you can enable all of these. The TI rules are stopping 75% of the attacks we see, so we highly recommend enabling them.

Re: New Wordpress XML-RPC Attack

Posted: Sat Oct 10, 2015 3:39 pm
by gaia
mikeshinn wrote:Well for this specific attack, and only this one, you could get away with not turning it on. But in general brute force attacks are stopped better if you can enable all of these. The TI rules are stopping 75% of the attacks we see, so we highly recommend enabling them.
Thanks for the clarification, but can I enable it when I don't use a local one, but a DNS server on the LAN (Google Compute Engine)?

Re: New Wordpress XML-RPC Attack

Posted: Mon Oct 12, 2015 12:15 pm
by mikeshinn
Thanks for the clarification, but can I enable it when I don't use a local one, but a DNS server on the LAN (Google Compute Engine)?
You'll have to test their DNS servers yourself to see if they are fast enough for your needs. We recommend you run a local DNS resolver, they are always faster than a network DNS.

Re: New Wordpress XML-RPC Attack

Posted: Tue Oct 13, 2015 7:16 am
by prupert
mikeshinn wrote:
Thanks for the clarification, but can I enable it when I don't use a local one, but a DNS server on the LAN (Google Compute Engine)?
You'll have to test their DNS servers yourself to see if they are fast enough for your needs. We recommend you run a local DNS resolver, they are always faster than a network DNS.
I also have a preference for local DNS resolvers, but what you are stating is not necessarily true. Sure, the network latency will always be lower, but if the nearby resolver already has the record in its cache (or is simply faster at resolving), the non-local but nearby resolver will be faster.

Re: New Wordpress XML-RPC Attack

Posted: Tue Oct 13, 2015 1:40 pm
by hostingg
I have to respectfully disagree: a local socket to a local process is always going to be faster than a remote network query.

Re: New Wordpress XML-RPC Attack

Posted: Wed Oct 14, 2015 2:43 pm
by prupert
hostingg wrote:I have to respectfully disagree: a local socket to a local process is always going to be faster than a remote network query.
I did say that the network latency to a remote server should be higher compared to using a local server. However, relatively, the most time will be consumed by resolving the actual DNS query. So, in some cases, the nearby remote server can be faster (even when the network hand-over of your query to the resolver is slower).

(By the way, connections to 127.0.0.1 are NOT using a socket, but they are actual TCP traffic using the local loopback interface.)

Re: New Wordpress XML-RPC Attack

Posted: Wed Oct 14, 2015 4:37 pm
by scott
There are actually many fewer system operations connecting to the service over loopback. But hey, at the end of the day, if you choose to accept the risk here, that is your option. Our official position: don't do it. Use a local server.
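mikeshinn's advice above to test the candidate DNS servers yourself, and prupert's point that a cached answer from a nearby resolver can beat a cold lookup on a local one, can both be checked with a small benchmark rather than argued. The script below is an added example, not code from this thread or from Atomicorp: it parses the resolv.conf gaia posted (the redacted search domain is kept exactly as posted), sends hand-built A queries over UDP to 127.0.0.1 plus each listed nameserver, and reports the median round-trip of the first (cold) and repeated (warm) lookups per server. The list of names to query and the assumption that the first lookup of a name is a cache miss are the example's own assumptions; the `query=` parameter of `benchmark()` exists so the measuring function can be swapped for a fake when testing the logic offline.

```python
import random
import socket
import statistics
import struct
import time

# resolv.conf as posted in the thread above (the xxxxxx is the poster's own redaction).
SAMPLE_RESOLV_CONF = """\
; generated by /sbin/dhclient-script
search c.lamp-kvm1.internal. 5145307xxxxxx.google.internal. google.internal.
nameserver 169.254.169.254
nameserver 10.240.0.1
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf text, in file order.

    ';' and '#' start comments; 'search', 'options' and other keywords are ignored.
    """
    servers = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def build_query(name, txid, qtype=1):
    """Build a minimal DNS query: 12-byte header with RD set, one question (qtype, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response_header(data, txid):
    """Check a reply belongs to our query (txid, QR bit) and return (rcode, answer_count)."""
    if len(data) < 12:
        raise ValueError("short response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F, an


def time_query(server, name, timeout=2.0, port=53):
    """Send one A query over UDP; return the round-trip time in ms, or None if the
    server did not answer (timeout, network error, or a reply that fails validation)."""
    txid = random.randrange(0, 0x10000)
    packet = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(packet, (server, port))
            data, _ = sock.recvfrom(512)
            parse_response_header(data, txid)
        except (OSError, ValueError):  # socket.timeout is an OSError subclass
            return None
        return (time.perf_counter() - start) * 1000.0


def benchmark(servers, names, rounds=3, query=time_query):
    """Query every name `rounds` times per server. Assumption of this example: the
    first lookup of a name is cold (cache miss), the repeats are warm (cache hits).
    Returns {server: {"cold_ms", "warm_ms", "failures"}}; a median is None when no
    lookup of that kind succeeded, and `failures` counts unanswered queries."""
    results = {}
    for server in servers:
        cold, warm, failures = [], [], 0
        for name in names:
            for i in range(rounds):
                rtt = query(server, name)
                if rtt is None:
                    failures += 1
                elif i == 0:
                    cold.append(rtt)
                else:
                    warm.append(rtt)
        results[server] = {
            "cold_ms": statistics.median(cold) if cold else None,
            "warm_ms": statistics.median(warm) if warm else None,
            "failures": failures,
        }
    return results


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as f:
            servers = parse_resolv_conf(f.read())
    except OSError:
        servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    servers = ["127.0.0.1"] + [s for s in servers if s != "127.0.0.1"]
    for server, r in benchmark(servers, ["example.com", "example.net", "example.org"]).items():
        print(f"{server:16} cold={r['cold_ms']} ms  warm={r['warm_ms']} ms  failures={r['failures']}")
```

Run it on the VM itself so the numbers include the real path to each server. The warm column is the one prupert's argument is about; the cold column is what a rule that looks up a never-seen client IP actually pays, and a server with low warm latency but non-zero failures is dropping queries, which matters more to a blocking ruleset than a millisecond either way.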