Prevent XML-RPC Brute Force Attacks – WordPress on Ubuntu 16.04

Overview

In my foray into cloud hosting, I’ve noticed that a few of our servers started to peak in their CPU usage beyond what normal web traffic would cause (2-5% and 10-30% on our t2.medium and t2.small AWS EC2 servers respectively). After looking at the Apache2 logs, I found a significant number of hits probing for combinations of phpmyadmin, db, sql, and many other URL keywords. This is obviously bothersome, but we’re all secure, so it didn’t cause much of an issue.

What did cause worry was the sheer number of POST requests to the /xmlrpc.php file. The IP addresses appear to be located in Russia, and there were a handful of different IP addresses that all had very similar origins. I’ve obscured the start, but the IP range was ***.***.204.7-12. There is obviously enough traffic to blip our CPU usage on the medium server and enough to tax the small server in a big way. To be more exact, there were ~78,000 requests in the log originating from those IP addresses over the past few days.

Why Is This Happening To Me?

There are many reasons hackers would like to gain access to your hosting server. One of the major reasons may be to steal resources to mine or farm Bitcoin or some other cryptocurrency.

XML-RPC allows for very efficient brute forcing, as it lets an attacker check many username/password combinations in one single request. This is the price of giving developers access to remote procedure calls.
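The pattern described above shows up in the Apache access log as a flood of POSTs to /xmlrpc.php from a few addresses. The script below is an added example (not from the original post) that counts those POSTs per client IP in a combined-format log and lists the addresses at or above a threshold; the log lines are constructed for illustration, using the 203.0.113.0/24 documentation range.

```shell
#!/bin/sh
# Added example: per-IP count of POST /xmlrpc.php in an Apache combined-format log.
# The sample log below is constructed; real logs live under /var/log/apache2/.

LOG="${TMPDIR:-/tmp}/xmlrpc_sample.log"
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2017:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2017:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2017:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2017:10:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF

# xmlrpc_hits LOGFILE THRESHOLD
# Prints "COUNT IP" for every client with at least THRESHOLD POSTs to
# /xmlrpc.php, busiest first. In the combined format $1 is the client IP,
# $6 the quoted method and $7 the request path.
xmlrpc_hits() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 == "/xmlrpc.php" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Flag anything with two or more hits in the sample; pick a much higher
# threshold against a real multi-day log.
xmlrpc_hits "$LOG" 2
```

Point it at /var/log/apache2/access.log (or your site’s own log) and raise the threshold to suit your traffic; the IPs it lists are candidates for the allow/deny rules or plugin blocklists discussed below.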

XML-RPC Solution: Apache2 Deny From All

As I don’t use WordPress mobile, or other applications/plugins that require external access, I’ll be disabling access from external addresses.

The simplest way to block this type of traffic on an Apache2 server is to deny access to the /xmlrpc.php file itself. To do this, you just have to add a few lines to your site configuration file in Apache2.

sudo vim /etc/apache2/sites-available/*yoursitehere*.conf

Your VirtualHost configuration should look something like the example below after adding the <Files> block.

<VirtualHost *:80>
    # ...your existing ServerName, DocumentRoot, etc....
    <Files xmlrpc.php>
      # These are Apache 2.2-style directives; on Apache 2.4 (Ubuntu 16.04)
      # they work because mod_access_compat is enabled by default. The
      # native 2.4 equivalent is "Require all denied".
      order deny,allow
      deny from all
      # you can allow from your own IPs using the following line
      # allow from ###.###.###.###
    </Files>
</VirtualHost>

Finally, restart Apache2 and you’re on your way to preventing hackers from eating up your server availability.

sudo service apache2 restart

XML-RPC Solution: Security Plugins

Note: This may be a better solution for those of you who wish to use applications that require XML-RPC to function properly.

There are some security plugins that will either deny access to the file, block IPs that are abusing the service, or disable XML-RPC altogether. Jetpack is one of those security plugins that will aid in blocking brute force attacks. Wordfence and its firewall are really great for blocking IP addresses that are abusing your servers with irrelevant traffic.

Conclusion

If you do decide to utilize a security plugin, keep in mind that their scans and extra filtering procedures may have an adverse effect on your server’s speed and responsiveness as well. This is sometimes a necessary evil, but you should plan ahead accordingly.

Blocking access to certain system files may prevent you from accessing certain features. However, you may find your site security more important than whatever feature that may be.

After having denied access to the file, we’re back down to our low utilization on the t2.medium server of <1%. I’m glad to see my CPU Credit Balance stabilize!

Installing, Configuring, and Maintaining MySQL on Ubuntu 16.04 LTS

This will be a relatively short informative blog regarding how to set up and secure an installation of MySQL on Ubuntu.

MySQL Server Installation

Firstly, update your package library and install your MySQL server.

sudo apt-get update
sudo apt-get install mysql-server

You’ll be prompted to create a root password during the installation. Make sure it’s a complicated password that you’ll remember, because you’ll be needing it.

MySQL Server Configuration

You’ll want to be sure to harden security on your MySQL installation by running the security script.

sudo mysql_secure_installation

This will prompt you to enter your root user password that you created during installation.

Firstly, the setup will ask if you would like to install the VALIDATE PASSWORD PLUGIN, which can test passwords and improve security. If you’re the only one administering databases and are diligent about using great passwords, you can opt out.

Second, it will ask if you’d like to change the root password. If you’re having second thoughts about your password strength, you can change it now.

Third, it will ask if you would like to remove anonymous users. I typically use applications like WordPress and Magento, so I always have database users created out of the gate. I opted to remove anonymous users, but you may decide to run this script again before launching your site and remove them at a later date.

Fourth, it will ask if you would like to disallow root user remote access. I strongly suggest enabling this, especially considering that we’ll have phpMyAdmin installed shortly, removing any need for this.

The last two questions are to remove the test database, and to reload the privilege table, both of which I answered yes, as I won’t be needing the test database, and the privileges are important.

Server Status

To check the status of MySQL server you can run the sudo service mysql status command. If the server is not running, you can start it with sudo service mysql restart or sudo service mysql start.

Reset MySQL Root Password

You may find yourself in the situation that you have forgotten your root password. This recently happened to me after I jumped into a server that I had not maintained in quite some time (it was development, don’t worry).

The first step to resetting your password is to gain access to the terminal (SSH is typically what I use). Once you’re in, you’ll want to stop the MySQL service.

sudo service mysql stop

Once you’ve stopped the server, you’ll need to prepare for the next command by creating the socket directory it needs and handing it to the mysql user.

sudo mkdir /var/run/mysqld
sudo chown mysql: /var/run/mysqld

You can start the server with a few options that I’ll explain.

sudo mysqld_safe --skip-grant-tables --skip-networking &

The --skip-grant-tables flag turns off the need for authentication, and the --skip-networking flag turns off the ability to access the database remotely (important when authentication is disabled).

Once the server is running, enter the mysql command line tool and change the password.

sudo mysql

First reload the grant tables so that account-management statements are accepted while the server is running with --skip-grant-tables (without this, ALTER USER is refused):

FLUSH PRIVILEGES;

For MySQL 5.7.6 and later:

ALTER USER 'root'@'localhost' IDENTIFIED BY 'YourNewPassword';

For MySQL 5.7.5 and earlier:

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('YourNewPassword');

Then you’ll need to restart your MySQL server normally, so that it comes back up with authentication and networking enabled.

# Shut down the temporary mysqld_safe instance
sudo mysqladmin -S /var/run/mysqld/mysqld.sock shutdown

# Start the MySQL service normally
sudo service mysql start

From there on out, you can use whatever you set as YourNewPassword to access root functionality.

Conclusion

MySQL is fun. Don’t get bogged down with the basics! With this basic installation information, you’ll be well on your way to working with databases and enjoying all that relational databases have to offer!

Cheers,
Cole Speelman

My Favourite Stock Photo Sites

I’m sure it’s not just me that finds it incredibly hard to find relevant stock photos. For those of you in perpetual search of good stock images, look no further.

This is a list of my current favourite stock photo sites with a Creative Commons Zero license (CC0) images.

Pixabay

This site is usually the first site I visit when I go on the search. You may need to create an account to download the highest resolution image, but it’s not the type of account that will land you on a spam list. This site has my personal seal of quality.

IM Free

Lots of great stuff here. A little more than stock photos is offered here. The site includes many items including templates and icons. What more could you want from a site giving you free stuff! Stop complaining!

Unsplash

Ten new stock photos every. My favourite feature on this site would be the collections. This feature makes it that much easier to find a consistent set of free images for you to use. Bravo Unsplash… Bravo.

FancyCrave

This site features an awesome layout and great navigation. The images are super vibrant and are really quite eye catching. Quality is definitely king on this site. I’ve used it many a time and am thankful for its existence.

Gratisography

I saved the best for last. I absolutely love this site. Some of the images leave me completely incredulous while others are just plain bizarre or creepy. It’s great fun taking a look through when you’re bored. Thank you Ryan McGuire.

The Value Of Good Web Design

I came across an article on one of my favourite blogs/websites and thought I’d share. I encourage everyone who reads this to continue on and read the original article as well.

I, Website

I was having a conversation with a friend recently about the value of being unique in video game creation. The conversation led me to think about how I evaluate different things in my life. I found myself asking questions I may not have thought to ask myself when making assessments. Should we value unique ideas more than ideas that are recycled? What if the execution of the recycled idea is better than the original? Should we give appreciation to those that create, or those that revolutionize?

Our conversation and the above article made me think about the way programmers create in modern society. We live in a world where open source affords us the incredible ability to steal ideas and cheat our way through solutions, but find ourselves contributing to the community instead. We find dedicated communities that build amazing solutions to problems that we all have, and are all able to share in the value of a finished project.

That left me to think about how we build websites (or anything with code, really). Are we stealing every time we use a code snippet or open source project? Should our work be devalued for using an existing solution to supplement one of our own? Where do we draw the line, as developers, in saying that something is built from scratch? Can we consider anything built from scratch?

As we build better creation tools, higher level programming languages, abstracted development processes, scratch becomes farther and farther from where we started. For example, tools like Sass and Less allow us to create CSS programmatically and save time. Does this mean the final product has a lesser value because we were able to complete it with greater ease and in less time? Should we assign it a greater value, considering the extra time and effort that went into learning the tools? The answer seems pretty simple when it comes to investing time into learning another language, but where does that answer land when we look at website building tools like Squarespace?

I’ve seen web developers go from writing lines of HTML, CSS, and JavaScript for hundreds of dollars to dragging and dropping widgets for thousands.

I guess it all comes down to the end result.

What’s in a name? That which we call a rose
By any other name would smell as sweet.

Fun Lorem Ipsum

I think it’s safe to say that anyone developing or designing has used Lorem Ipsum at some point. Lorem Ipsum, to break it down to its basic use, is dummy text. It helps developers/designers see what real content in an area would look like. This helps when you’re looking to change line-height, font sizes, font faces, or many other options. It also helps developers create sections that flow with the amount of content that will be input.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed sodales maximus ipsum, vitae sodales orci luctus a. Vestibulum feugiat bibendum ex, sed elementum dolor bibendum faucibus. Sed non metus nibh. Donec at feugiat felis. Integer at nisl libero. Sed congue dignissim dignissim.

As you can see, it can be quite boring. So, a few good people decided to spice things up a bit. Here are a few of my personal favourites, and their links for you to use.

Samuel L. Ipsum (censored for content, sorry)

Look, just because I don’t be givin’ no man a foot massage don’t make it right for Marsellus to throw Antwone into a glass mother******’ house, ******’ up the way the ****** talks. Mother****** do that **** to me, he better paralyze my ***, ’cause I’ll kill the mother******, know what I’m sayin’?

Hipsum

Pabst pitchfork salvia, craft beer heirloom gochujang four loko pickled. Cronut sartorial kickstarter YOLO green juice, seitan biodiesel. Quinoa four dollar toast cornhole knausgaard plaid cred. Ethical keytar pickled, gluten-free wolf vinyl art party tacos butcher master cleanse typewriter austin.

Cupcake Ipsum

Cupcake ipsum dolor. Sit amet dessert jelly-o powder cake lemon drops halvah gummies. Sweet bonbon halvah powder sweet muffin. Cookie croissant pudding pudding. Topping brownie icing chupa chups sugar plum bear claw. Sweet roll sugar plum cookie candy canes dragée donut bear claw.

Bacon Ipsum

Bacon ipsum dolor amet shoulder corned beef pork chop porchetta swine prosciutto frankfurter ball tip venison cow. Alcatra spare ribs frankfurter beef ribs pork cow. Ground round swine tri-tip, pig kielbasa short loin beef hamburger. Shankle porchetta pork capicola salami leberkas biltong short loin.

Enjoy!

Hello World

I’ve finally decided that I would like to have a blog.

Why a blog? Mainly, I’d like to resolve and track problems while having a recorded set of instructions that I can visit when the problem eventually turns up again. Partially, I’m getting tired of all the nonsense on social media, and would like a more intellectually stimulating outlet to air my thoughts.

That leaves me with the task of writing my first blog and setting the tone for future blogs to come. To that, I say what I’ve been conditioned to output on any primary run.

Hello World!