Juniper SRX Custom IDP Rule – WordPress XML RPC

Quite often people scan for WordPress installs by checking whether an HTTP request can be made to /xmlrpc.php. Since I do not run WordPress at all, it is low-hanging fruit to block any source IP that makes an HTTP request for that path to my web servers. The following IDP policy rule will block the attacker for a period of 1 hour and also close the connection to the web server.

Custom Attack

This is the actual attack definition. Load it under the security idp configuration tree. The signature is evaluated against the parsed request URL (context http-url-parsed) in the client-to-server direction only. The recommended action is set to close so that a rule using action recommended closes the offending session; with recommended-action none the session itself would not be closed:

custom-attack HTTP:WORDPRESS:REQUEST-XMLRPC {
    recommended-action close;
    severity minor;
    attack-type {
        signature {
            context http-url-parsed;
            pattern ".*/xmlrpc\.php";
            direction client-to-server;
            shellcode no-shellcode;
        }
    }
}

IDP Policy Rule

To use the custom attack above, add it to your IDP policy. As an example, the IDP policy I use is called Default.Policy, so the configuration below can be loaded into the security idp idp-policy Default.Policy rulebase-ips configuration tree. The action handles the session that triggered the match, while the ip-action blocks and logs further traffic from the offending source address for 3600 seconds (1 hour).

rule WordPress-XMLRPC:Block {
    description "Block HTTP requests to /xmlrpc.php";
    match {
        from-zone any;
        source-address any;
        to-zone any;
        destination-address any;
        application default;
        attacks {
            custom-attacks HTTP:WORDPRESS:REQUEST-XMLRPC;
        }
    }
    then {
        action {
            recommended;
        }
        ip-action {
            ip-block;
            target source-address;
            log;
            timeout 3600;
        }
        notification {
            log-attacks {
                alert;
            }
        }
    }
}
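To see how the two parts of the rule interact (the signature match on the request URL, then the ip-action that blocks the source address for the timeout period), here is an added Python model of that behaviour; it is not Juniper code or anything from this post. It assumes the pattern can be matched with Python's re.search and uses constructed sample requests with relative timestamps.

```python
import re
from dataclasses import dataclass, field

# Signature from the custom attack, applied to the parsed request URL
# (http-url-parsed). Using re.search for it is an assumption of this model.
XMLRPC_PATTERN = re.compile(r".*/xmlrpc\.php")
BLOCK_TIMEOUT = 3600  # seconds, the "timeout 3600" of the ip-action


@dataclass
class IpActionTable:
    """Minimal model of the ip-action table: blocked source -> expiry time."""
    blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:  # entry aged out: the one-hour block has lapsed
            del self.blocked_until[src]
            return False
        return True

    def block(self, src, now):
        self.blocked_until[src] = now + BLOCK_TIMEOUT


def evaluate(requests):
    """Run (src, url, timestamp) tuples through the rule model; verdict is
    'allow', 'close+block' (signature hit) or 'drop' (source already blocked)."""
    table, verdicts = IpActionTable(), []
    for src, url, ts in requests:
        if table.is_blocked(src, ts):
            verdicts.append((src, url, "drop"))
        elif XMLRPC_PATTERN.search(url):
            table.block(src, ts)  # ip-action target source-address
            verdicts.append((src, url, "close+block"))
        else:
            verdicts.append((src, url, "allow"))
    return verdicts


# Constructed sample traffic: a probe for xmlrpc.php, follow-up requests from
# the same source within the hour, and one request after the block has expired.
SAMPLE = [
    ("203.0.113.10", "/index.html", 0),
    ("203.0.113.10", "/xmlrpc.php", 5),
    ("203.0.113.10", "/index.html", 60),
    ("198.51.100.7", "/blog/xmlrpc.php", 70),
    ("203.0.113.10", "/robots.txt", 5 + BLOCK_TIMEOUT),
]
```

Running evaluate(SAMPLE) shows the first probe closed and its source blocked, the follow-up request dropped, and the request after the hour allowed again.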
