Linode state of attack
#200 Henry, Thursday, 22 January 2015 4:44 PM (Category: Network)
(Tags: linode wordpress security)

My Linode still gets plagued with attacks. The biggest attacks are from bots attempting to log in to my Wordpress blogs (wp-login.php), or trying to run the Wordpress API (xmlrpc.php). The login attempts cause a lot of problems and tie up the database and Apache. I am unsure what the xmlrpc attacks actually do, but at times they can max out CPU usage, max out memory, and bring my system to a crawl.

I have resolved these two attacks with a double-pronged approach.

First, I abandoned Wordpress and wrote my own small-footprint blog software. This means there is no wp-login.php and xmlrpc.php on my system. Any requests result in a 404 error and Apache handles that quite well. Secondly, I revamped my cron script that checks for Wordpress access. As any attempt to log in or use xmlrpc is now invalid, I can start blocking IP addresses that make these attempts. I found that the previous version of my blocker had a bug. I fixed the bug, tightened the parameters, tweaked it a little, and now anyone with a persistent attempt at logging in or using xmlrpc will be blocked with iptables. I checked my logs this morning and found several IP addresses had been hammering the login about 5,000 times in a few minutes. These are the attacks that used to bring my system to a crawl, and now they are a brief blip before they are blocked.

I'm feeling happier, but security is a constant process of adjustment and measurement and patching. I might be happier, but I am no less vigilant.