Tag Archives: security

DoS attacks Against WordPress XMLRPC

WordPress is the most popular blog system, but it has a weakness in its design: the XML-RPC protocol.

Brute Force Amplification Attacks Against WordPress XMLRPC

This protocol was designed to transmit pingbacks and references between blogs, sending and accepting automatic notifications from one blog to another.

I tried several solutions like the Manage XML-RPC plugin, but obviously, when you are being attacked, you cannot access the Dashboard to configure that plugin correctly. Here are some other suggestions.

I will show you how I proceeded to reject the attack.

First, watch the log: `tail -f /var/log/nginx/access.log`. You will see the offending IP making continuous POST requests to /xmlrpc.php:

163.172.141.185 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
163.172.141.185 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
163.172.141.185 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
163.172.141.185 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 403 177 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"

Second, deny the IP directly in your NGINX config (e.g. /etc/nginx/conf.d/base.conf): `deny 163.172.141.185;`.

Nginx then responds with `403 Forbidden` to every request from this IP.
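The log review above can be automated. The following detector is an added example, not code from the post: it parses nginx combined-format lines, counts POST requests to /xmlrpc.php per source IP, and prints the `deny` directives to drop into the NGINX config. The sample log lines and IPs are constructed, and the threshold is an assumption.

```python
import re
from collections import Counter

# Regex for the nginx "combined" log format (same shape as the lines shown above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not a real capture): one abusive source and one normal visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
198.51.100.7 - - [28/Nov/2016:09:19:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
198.51.100.7 - - [28/Nov/2016:09:19:12 +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
203.0.113.9 - - [28/Nov/2016:09:19:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Nov/2016:09:19:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "WordPress/4.6; http://example.org"
"""


def xmlrpc_posts_per_ip(log_text):
    """Count POST requests to /xmlrpc.php per source IP (query string ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] == "POST" and m["path"].split("?")[0] == "/xmlrpc.php":
            counts[m["ip"]] += 1
    return counts


def nginx_deny_block(log_text, threshold):
    """Return nginx 'deny' directives for every IP at or above the threshold.

    The threshold is an assumption; tune it to the legitimate pingback
    volume of your own site.
    """
    counts = xmlrpc_posts_per_ip(log_text)
    offenders = sorted(ip for ip, n in counts.items() if n >= threshold)
    return "\n".join(f"deny {ip};" for ip in offenders)


if __name__ == "__main__":
    # Prints: deny 198.51.100.7;
    print(nginx_deny_block(SAMPLE_LOG, threshold=3))
```

Pipe the output into a file included from your server block and reload nginx; the single legitimate pingback from the second IP stays below the threshold and is not blocked.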

How to create our web SSL Certificate

Self-signed SSL certificate

In my workday I sometimes have to create a self-signed SSL certificate (.key and .crt files) to publish a website through Apache or Nginx. I will explain the process in three simple steps:

  • Generate a private key without a password:
`openssl genrsa 1024 > web.key`
  • Generate a CSR (Certificate Signing Request); this contains all the data that will populate our certificate:
`openssl req -new -key web.key -out web.csr`
  • Now we can generate our self-signed certificate, valid for 10,000 days:
`openssl req -x509 -days 10000 -key web.key -in web.csr -out web.crt`

StartSSL certificate

StartSSL.com gives free certificates for subdomains (not wildcard certificates), and it is a well-known Certificate Authority trusted by all common browsers.

You have to sign up at StartSSL.com, which will send you a .p12 client certificate that your browser uses to authenticate you when you log in.

To create a private key and certificate, go to Certificates Wizard > Web Server SSL/TLS Certificate and request it.

You will download a password-protected ‘server.key’ file for your domain. To remove the password from server.key (needed so the web server can load it without a passphrase):

sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key

Name it “subdomain.myserver.key”.

Some hours later you can download the .crt file at: Toolbox > Retrieve Certificate

For the certificate to be accepted by all browsers, append the StartSSL intermediate certificate to the end of your .crt file. You can get this .pem at: Toolbox > StartCom CA Certificates > Class 1 Intermediate Server CA

Name it “subdomain.myserver.crt”.

Securing Weblogic with SQLAuthenticator provider

In a previous article we saw how to secure a Web Service with basic authentication (the same approach can be used for every page in our application). We did it by creating users with the WebLogic Default Authenticator.

Today we will create an SQLAuthenticator in WebLogic, so that the server takes users and groups from the database.
