Blocking /xmlrpc.php Scans in the Apache .htaccess File

Someone out there on the internet is repeatedly hitting this blog’s /xmlrpc.php service, probably looking to enumerate the user accounts on the blog as a precursor to a password scan (as described in Huge increase in WordPress xmlrpc.php POST requests at Sysadmins of the North). My access logs look like this:

176.227.196.86 - - [04/Sep/2014:02:18:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.136.19 - - [04/Sep/2014:02:18:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.86 - - [04/Sep/2014:02:18:19 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.86 - - [04/Sep/2014:02:18:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.86 - - [04/Sep/2014:02:18:22 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.86 - - [04/Sep/2014:02:18:24 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
195.154.136.19 - - [04/Sep/2014:02:18:24 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
176.227.196.86 - - [04/Sep/2014:02:18:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

By itself, this is just annoying — but the real problem is that the PHP stack is getting invoked each time to deal with the request, and at several requests per second from different hosts this was putting quite a load on the server. I decided to fix the problem with a slight variation from what is suggested in the Sysadmins of the North blog post. This addition to the .htaccess file at the root level of my WordPress instance rejects the connection attempt at the Apache level rather than the PHP level:

Thursday Threads: Twitter Timeline Changes, Report on Future Library Technology, USB Security


Two weeks in a row! This week’s DLTJ Thursday Threads looks at how Twitter changed its timeline functionality to include things that it thinks you’ll find interesting. Next, for the academic libraries in the audience, is a report from the New Media Consortium on trends and technologies that libraries will likely encounter in the next five years. Lastly, news about research into how USB devices can spread malware in ways we can’t detect.

Thursday Threads: Payment Card Security, Crap Detection, VoIP in your Hand


Welcome to the revival of DLTJ Thursday Threads. With the summer over and the feeling of renewal towards this blog and its topics, I’m happy to be back sharing tidbits of technology that I hope you will find interesting. Today’s set of threads covers the gnarly security issues behind the bright-and-shiny chip-on-payment card systems being rolled out by banks and retailers in the U.S., a list of resources for checking things that you read about online, and a heads-up on changes to how your phone will work in the near future.

Thursday Threads: Password Managers, DRM coming to the Browser, Personal Data Brokers


It is a security/privacy edition of DLTJ Thursday Threads this week. First a link to a 3-page PDF that talks about the use of password managers to keep all of your internet passwords unique and strong. Next a story about how the W3C standards body is looking at standardizing digital rights management for browser content. And finally, a story about a site that one personal data broker put up that gives you a glimpse of what they know about you.

E-mail Phishing Attempts Get Trickier: Fake bounced mail and Fake mail-from-scanner

Two phishing attempts made it through the work spam filter earlier this month, and they show the creativity of bad guys as they try to get access to your machine. The attempts at social engineering were interesting enough that I thought I’d describe them here. We’re getting pretty close to the line where we can’t tell a legitimate e-mail from one with nasty side effects.

The Fake Bounced Message

This message has the appearance of being a bounced e-mail from a server called ‘cyber.net.pk’.
Screenshot of a fake bounced e-mail message.

Thursday Threads: Infinite Virtual Bookshelf, Free Learning Management System, List of Cyber Threats


Part experimental, part disruption, and part heads-up in this week’s edition of DLTJ Thursday Threads. The first story is a proof-of-concept demonstration of a way to browse an “infinite” bookshelf of virtual items. Next is the announcement of how a content producer (Pearson) is trying to disrupt a deeply embedded technology company (Blackboard) by giving away a learning management system in the cloud. Last, a list of what researchers think will be the most prevalent computer security problems next year.

PPTP VPN for iOS with AT&T Uverse and DD-WRT

Wandering into public or semi-public wireless networks makes me nervous because I know how easily my network traffic can be watched, and because I’m a geek with control issues I’m even more nervous when using devices that I can’t get to the insides of (like phones and tablets). One way to tamp down my concerns is to use a Virtual Private Network (VPN) to tunnel the device’s network connection through the public wireless network to a trusted end-point, but most of those options require a subscription to a VPN service or a VPN installed in a corporate network. I thought about using one of the open source VPN implementations with an Amazon EC2 instance, but judging from the comments on the Amazon Web Services support forums it isn’t possible with the EC2 network configuration. (Besides, installing one of the open source VPN software implementations looks far from turnkey.) Just before I lost hope, though, I saw a reference to using the open source DD-WRT consumer router firmware to do this. After plugging away at it for an hour or so, I made it work with my home router, an AT&T U-verse internet connection, and iOS devices. It wasn’t easy, so I’m documenting the steps here in case I need to set this up again.

Encryption of Patron Data in Modern Integrated Library Systems

“How much effort do you want to spend securing your computer systems? Well, how much do you not want to be in front of a reporter’s microphone if a security breach happens?” I don’t remember the exact words, but that quote strongly resembles something I said to a boss at a previous job. Securing systems is unglamorous detail work. One slip-up plus one persistent (or lucky) attacker means years of dedicated effort are all for naught as personal information is inadvertently released. See, for example, Sony Online Entertainment’s recent troubles.

Thursday Threads: Estimating and Understanding Big Data, Key Loggers Steal Patron Keystrokes


Two entries on big data lead this week’s edition of DLTJ Thursday Threads. The first is at the grandest scale possible: a calculation of the amount of information in the world. Add up all the digital memory (in cell phones, computers, and other devices) and analog media (for instance, paper) and it goes to a very big number. The authors try to put it in perspective, which for me brought home how insignificant my line of work can be. (All of our information is still less than 1% of what is encoded in the human DNA?) The second “big data” entry describes an effort to make sense of huge amounts of data in the National Archives through the use of visualization tools. Rounding out this week is a warning to those who run public computers — be on the look-out for key loggers that can be used to steal information from users.

Thursday Threads: Unprotected Social Media Sites, Value of Free, and Real Life Net Neutrality


This week’s Thursday Threads looks at a big hole in the security model of most internet sites that require you to log into them with a username and password plus a pair of stories about “big media” battles. If you find these interesting and useful, you might want to add the Thursday Threads RSS Feed to your feed reader or subscribe to e-mail delivery using the form to the right. If you would like a more raw and immediate version of these types of stories, watch my FriendFeed stream (or subscribe to its feed in your feed reader). Comments, as always, are welcome.