How to disable xmlrpc.php?

While monitoring my system I have notices increased number of requests to xmlrpc.php. Every single of those requests took 200MB to 205MB of ram and resulted in system instability and in few occasions it caused my 8GB Digital Ocean Droplet to go out of memory and eventually crashed leaving all my sites not working for some 10hours or so.

Recently I’ve read that many hackers now use xmlrpc.php instead of wp-login.php to execute their brute force attacks. And the problem is – since WordPress 3.5 you can’t disable the use of xmlrpc, at least not from the WordPress control panel.

There are many ways to do that and I’ll write some:

1. Deleting xmlrpc.php file
This is really not recommended. Also after WordPress (auto)update the deleted file will be replaced so it’s not really smart to do this, but I just wanted to write this just in case someone doesn’t try to do this.

2. Plugins
There are several plugins that can do this. I found these two to be the most used ones: Disable XML-RPC and  XML-RPC Pinkback. Both plugins are really basic (only couple lines of code) but they should be able to help you out and protect your blog against those attacks.

3. Adding filter to theme functions.php file
This is basically same thing as the plugin above, but you have one plugin less. All you need to do is to edit your theme’s functions.php and add these couple of lines:

function remove_x_pingback($headers) {
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'remove_x_pingback');
add_filter('xmlrpc_enabled', '__return_false');

4. Block access at .htaccess
You can simply add this one line of code to your .htaccess file and block the access to the xmlrpc.php file entirely. User accessing the xmlrpc.php will get the 403 Forbidden error.

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

5. Blocking access in nginx
If you are running nginx instead of Apache you should add this code to your nginx configuration:

server {
    location = /xmlrpc.php {
        deny all;
    }
}

6. Block on entire server
If you have one server or VPS with tens of hundreds of WordPress installations (like me) any of the solutions above will take time to implement. So the best thing to do is to block access to xmlrpc.php file on Apache level, simply by adding this to httpd.conf file:

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

Or even better adding this code (that also blocks wp-trackback.php and also prevent’s trackback hacking attempts).

<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

If you don’t use XML-RPC than you can safely disable it using any of the methods above (except the first one, of-course) and protect your blog against xmlrpc hacks.


RESTRICT_SYSLOG is disabled error at CSF

Few days ago I noticed the following error at CSF:
WARNING: RESTRICT_SYSLOG is disabled. See SECURITY WARNING in Firewall Configuration

CSF-Restrict-syslog-is-disabled

Here is easy solution how to solve this:

1. Login to WHM
2. Home > Plugins> ConfigServer Security & Firewall > Firewall Configuration
3. Set RESTRICT_SYSLOG to 3 (which is the default value), save and restart CSF

Thats it!


How to fix Openssl Heartbleed vulnerability

What’s Heartbleed vulnerability (CVE-2014-0160)?
A serious OpenSSL vulnerability has been found, and is named Heartbleed and it affected all servers running OpenSSL versions from 1.0.01 to 1.0.1f. This vulnerability can be used to get the Private key of a SSL connection, so it is important to update / patch your server immediately. This bug is fixed in OpenSSL version 1.0.1g. All major Linux Distros have already released updates for Hartbleed vulnerability.

How to find out if your server is affected from Openssl Heartbleed vulnerability (CVE-2014-0160)?
Login to your SSH and execute following command to get the installed version number of OpenSSL:

openssl version

The result should be something like this:

openssl version
OpenSSL 1.0.1e 11 Feb 2013

If the version is below 1.0.1g your server might be vulnerable and you should patch it (see how below).
If your server is using a 0.9.8 release like it is used on Debian squeeze, then the server is not vulnerable as the HeartBleed function has been implemented in OpenSSL 1.0.1 and later versions only.

openssl version
OpenSSL 0.9.8o 01 Jun 2010

Fixing the Heartbleed vulnerability
CentOS and Fedora:

yum update

Ubuntu and Debian:

apt-get update
apt-get upgrade

OpenSUSE:

zypper update

Ok, now what?
After this you should restart all the services using OpenSSL but better idea is to restart the whole server just in case.

You can also verify on following site if you successfully closed the Heartbleed security hole on your server: http://filippo.io/Heartbleed/


When CSF firewal is enabled – ping reports lots of lost packets

I use just-ping.com when I need to ping my servers from various locations in the world to see if it’s working right. I have noticed that when CSF Firewall is installed and active I get losts of lost packets when trying to ping the server, but when I disable it – results are okay. The solution for this is to increase the ICMP_IN_RATE value from 1/s to 30/s.

To do so login to your WHM go to ConfigServer Security & Firewall and there click on Firewall Configuration button and on that page locate ICMP_IN_RATE (CTRL+F can help you locate it) and then increase it’s value from 1/s to 30/s. Scroll all the way down and pres “Change” button to save the changes. Restart the firewall and test it again.

Here’s a screenshot of what you need to chage:
csf ping problem solution

Now you should have good ping results at just-ping.com 🙂

04.12.2014 Update: Looks like the just-ping (now on new address cloudmonitor.ca.com) changed the way their service works. Now they ping you instantly from all places at once and CSF firewall will block most of these out and you’ll get lost packets in report. So for the testing you should set ICMP_IN_RATE to 0 – that will disable it – and then you can do tests. Other way around it to set it to fairly large number (200 or even bigger). Don’t forget to restart CSF + LFD in order these changes to apply.


How to change proftp FTP password from SSH shell

Today I have got a request from a client that has a server with no control panel on it to change one ftp password. Server is using proftpd as it’s ftp server. This is really easy task to do if proftp is setup by default and uses /etc/passwd for storing it’s passwords.

If you know username all you need to do is type in

passwd USERNAME

(replace USERNAME with actual username), enter new password two times and you’re done.

If you however don’t know the username (and that can happen too) you can open /etc/passwd file and try and locate it in there.

Tags: proftpd change password, proftpd change user password, change proftpd password, proftpd password change, change ftp password proftpd, change password proftpd, proftpd default password, how to change password ProFTPD

How to install CSF firewall

In order to protect your server the best way possible, beside running iptables you should install some additional software. I can recommend ConfigServer Security & Firewall. I’m using it on couple of servers right now and it’s prove it self to be stable and low on resource usage. It also has WHM/cPanel plugin that helps you managing your firewall even if you’re not very experienced user/admnin.

Before installing you must be sure that you do not have any other firewalls installed (such as APF)
Installation is really simple. You just need to run those couple of commands in SSH:

cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Don’t forget to disable testing flag by setting TESTING = 0.
You can do that easily in WHM/cPanel: after logging in at WHM and in Plugins section of sidebar you’ll find “ConfigServer Security&Firewall”. Then click on Firewall Configuration and change testing value. Save it and restart firewall and there you go! Your CSF firewall is up and running!

csf firewall cpanel plugin

Continue Reading


How to setup and use iptables

What’s iptables?
Iptables is the current Linux firewall and routing service. It controls incoming and outgoing network

How to stop/start/restart iptables?
Basically just like any other Linux service:

# service iptables start
# service iptables stop
# service iptables restart

How to check if iptables is currently running?
Simply call service status and take a look at the result:

# service iptables status
Firewall is stopped.

If you run “service iptables status” and get “Firewall is stopped.” that means that iptables are not running and you should start it with “sertvice iptables start”. If you get some tables with bunch of geek stuff that means that iptables are running.

How to automatically start iptables service on Linux boot?
To enable iptables starting on boot run

# chkconfig iptables on

or run code below to disable it

# chkconfig iptables off

How to block IP address using iptables?
This will block IP from accessing your server. Be careful not to block your IP address.
In command below replace “192.168.0.4” with correct IP address.

# iptables -A INPUT -s 192.168.0.4 -j DROP

After blocking the IP address (adding it to the iptable rules) you must restart iptables calling:

# service iptables restart

How to unblock IP address using iptables?
Similar to blocking, just use ACCEPT instead of DROP:

# iptables -A INPUT -s 192.168.0.4 -j ACCEPT

And after allowing that IP you must also restart iptables:

# service iptables restart

You can also flush your iptables rules by using:

# iptables -F

This will remove all custom added rules.

How to see current rules?
Simply by running following command:

# iptables -L

How to save iptable rules?
Rules created with the iptables command are stored in memory. If the system is restarted before saving the iptables rule set, all rules are lost. For rules to persist through a system reboot, they need to be saved. To save rules, type the following command:

# iptables-save > /etc/iptables.rules

How to load iptable rules?
To load previously saved rules execute:

# iptables--restore < /etc/iptables.rules

How to load iptable rules on Linux boot?
There are few ways and can be different on different Linux distributions. This should work on CentOS. To load rules on system boot make file /etc/init.d/iptableslr

# vi /etc/init.d/iptableslr

and add these two lines to it:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

The file needs to be executable so change the permissions:

# chmod +x /etc/init.d/iptables
Tags: service iptables status

Security by obscurity

This simple guide will help you secure your server in indirect way by hiding software versions from possible attackers. This can help you prevent many automated attacks and attacks based on software version number. If a hacker want’s to probe your system for hole he’ll start from collecting all version numbers from your running services. This guide will teach you setup common services not to give away their version numbers. This is called Security by obscurity and it’s not something to rely on but it can lower chances of getting your system hacked.

Apache (Web Server)
Let’s start with Apache first. It’s config file should at path

/etc/httpd/conf/httpd.conf

Open that with an editor of choice. I allways suggest Midnihgt Commander but you can use ant other editor like pico or vi. In Midnignt Commander open file for editing by pressing F4 while the file is selected.

Locate those two lines and set it as follows. If you cant find them – add them.

ServerSignature Off
ServerTokens Prod

Server Signature will remove the identification of Apache version from error pages, and ServerTokens will identify Apache as “apache” without version number or OS information. Save the file and restart the Apache.

service httpd restart

Named (DNS Server)
Next we will disable named from giving away his version. Open named config file at path

/etc/named.conf

Search for line

query-source address * port 53;

Add a line right below it with add (if it doesn’t exist)

version "Named";

Save and restart named using

service named restart

Exim (Email Server)
Next we will disable the version numbers in Exim. If you are not running Exim there is no need to do this section. Exim config is at path

/etc/exim.conf

and if it could not be located, it probably means that you do not use Exim. Search for

smtp_banner = "${primary_hostname

This is the welcome message for the email server. You can put anything in here. Here’s a sample message

smtp_banner = "${primary_hostname} MailServer \n\We do not authorize the use of this system to transport unsolicited, \n\and/or bulk e-mail."

Save the config and restart Exim.

service exim restart

Remeber this is just security though obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place by automated scanning. It will not help at all if somebody is trying to actually hack the server.

Continue Reading

Tags: (bitcoin security by obscurity 2017)