xmlrpc rule not working correctly (cPanel+Litespeed)

Today I’ve had IPs loading xmlrpc.php thousands of times without triggering ModSecurity. In fact, there was a serious server overload that could be attributed to this. However, I also see that it sometimes does block users; searching for “xmlrpc” in the Hits List does bring results.

How can I troubleshoot this?

Have you enabled XMLRPC protection rules? Can you provide attack details or logs, or maybe you’ve captured a few requests?

Thanks, it might have been a random failure. I’m seeing the rules are working in the Hits List now.

I’m not trying to figure out why CSF is not blocking repeat offenders, but that’s another story.

I’ve just had this happen again. Hundreds of requests like these, about one per second (I’ve removed the attacker IP):

IP.IP.IP.IP - - [12/Dec/2016:19:14:32 +0100] "POST /xmlrpc.php HTTP/1.1" 200 58043 "-" "-"

Why would something like this not be caught by the rules?

Can you reproduce this scenario?

Yes. I’ve revised a few servers, and the case is the same on all of them. I can see, looking at the “Hits List” in WHM Modsecurity Tools, that the rules are working some of the time.

However, I search the server logs for brute force attacks, and I always find some IPs that have hundreds, even thousands of hits.
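
One way to quantify what the last post describes, as an added example that is not part of the original thread: it counts POSTs to /xmlrpc.php per client IP in a combined-format access log and reports how many were answered with a block status, so the totals can be compared with the ModSecurity Hits List. The sample lines, the 100-hit threshold and treating 403 as the block status are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, as in the request line quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def xmlrpc_offenders(lines, min_hits=100, blocked_statuses=("403",)):
    """Per-IP POSTs to /xmlrpc.php: [(ip, hits, blocked, span_seconds)], busiest first.
    blocked_statuses is an assumption: use whatever status your deny action returns."""
    stats = defaultdict(lambda: {"hits": 0, "blocked": 0, "times": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].lower() != "/xmlrpc.php":
            continue  # the query string is stripped, so /xmlrpc.php?x=1 still counts
        s = stats[m["ip"]]
        s["hits"] += 1
        s["blocked"] += m["status"] in blocked_statuses
        s["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    rows = [(ip, s["hits"], s["blocked"],
             int((max(s["times"]) - min(s["times"])).total_seconds()))
            for ip, s in stats.items() if s["hits"] >= min_hits]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def sample_log():
    """Constructed lines with documentation IPs, one request per second."""
    base = datetime(2016, 12, 12, 19, 14, 32, tzinfo=timezone(timedelta(hours=1)))
    def row(ip, i, status, req="POST /xmlrpc.php"):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{req} HTTP/1.1" {status} 58043 "-" "-"'
    lines = [row("203.0.113.10", i, 200) for i in range(150)]   # never blocked
    lines += [row("198.51.100.7", i, 200 if i < 20 else 403) for i in range(120)]
    lines += [row("192.0.2.5", i, 200) for i in range(3)]        # below threshold
    lines.append(row("192.0.2.5", 9, 200, "GET /xmlrpc.php"))    # not a POST
    return lines

if __name__ == "__main__":
    for ip, hits, blocked, span in xmlrpc_offenders(sample_log()):
        print(f"{ip}: {hits} POSTs in {span}s, {blocked} answered with a block status")
```

An IP with many hits and no blocked responses, like the 200 in the log line quoted above, had its requests served rather than denied, which is the case to compare against the Hits List timestamps.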