
Thread: Forbid serverwide access to xmlrpc.php

  1. #1
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,122

    Forbid serverwide access to xmlrpc.php

    I stumbled on this solution, which is to be put in the httpd.conf file of apache (I don't have nginx).
    Code:
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Deny from all
    </FilesMatch>
    What is the best way to do this?
    Copy httpd.conf to /usr/local/directadmin/custombuild/custom/ap2 and then put this code somewhere in there? If yes, where is the best place to put it in the config?

    If no, what is a better solution?
    Greetings, Richard.

  2. #2
    Join Date
    Aug 2015
    Posts
    110
    Same question, but then for Apache with nginx as reverse proxy.

    Do I need to put it in the httpd.conf file, or this

    Code:
    location = /xmlrpc.php {
    	deny all;
    	access_log off;
    	log_not_found off;
    }
    in nginx.conf file?

  3. #3
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,122
    Looks to me like the nginx.conf, as I found this on the same site where I found my code:
    5. Blocking access in nginx
    If you are running nginx instead of Apache you should add this code to your nginx configuration:
    Code:
    server {
        location = /xmlrpc.php {
            deny all;
        }
    }
    Greetings, Richard.

  4. #4
    Join Date
    Mar 2007
    Posts
    76
    We are also looking into this.

    Your solution generates a 404 error. This is not a solution for us, because there is still a page hit.
    We would like to forbid the action (HTTP 403).

    This can be done with mod_rewrite.
    But this causes issues with existing mod_rewrite rules.

    I am adding this above all virtualhosts in apache.

    Code:
    <Location />
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$ [NC]
    RewriteRule ^(.*)$ - [F]
    </Location>

  5. #5
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,122
    A 403 would indeed be better. Thank you for sharing.
    Greetings, Richard.

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,551
    Hello,

    We use this:

    Code:
    <Files xmlrpc.php>
        Order allow,deny
        Deny from all
        ErrorDocument 403 "Sorry, you are not allowed to view this page!"
    </Files>
    it gives no page hit.
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin
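Once a block like the one above is in place, the access log is where you confirm it is working for every vhost: requests for xmlrpc.php should show up as 403 with a tiny byte count (the ErrorDocument string), never as 200. The script below is an added example, not code from the thread or from DirectAdmin; it parses Apache combined-format log lines (the sample lines are constructed, using documentation IP ranges) and reports the status codes seen for xmlrpc.php and wp-trackback.php, flagging any request Apache still served with 200.

```python
import re
import sys
from collections import Counter, defaultdict

# Same two scripts the FilesMatch directive in the thread covers.
BLOCKED_FILES = {"xmlrpc.php", "wp-trackback.php"}

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (not real traffic); the 200 on the fourth line
# represents a vhost where the block has not been applied.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2016:10:12:01 +0100] "POST /xmlrpc.php HTTP/1.1" 403 47 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2016:10:12:02 +0100] "POST /xmlrpc.php HTTP/1.1" 403 47 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:13:44 +0100] "GET /wp-trackback.php HTTP/1.1" 403 47 "-" "curl/7.47"
192.0.2.5 - - [10/Mar/2016:10:15:09 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.8 - - [10/Mar/2016:10:16:00 +0100] "GET /index.php HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2016:10:17:30 +0100] "GET /xmlrpc.php?rsd HTTP/1.1" 403 47 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Drop the query string; <Files>/<FilesMatch> only look at the file name.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def is_blocked_path(path):
    """True if the request targets one of the scripts the block is meant to cover."""
    return path.rsplit("/", 1)[-1] in BLOCKED_FILES


def summarize(log_text):
    """Map each blocked path to a Counter of HTTP status codes seen for it."""
    per_path = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blocked_path(rec["path"]):
            per_path[rec["path"]][rec["status"]] += 1
    return per_path


def unblocked(log_text):
    """(ip, path) pairs for blocked scripts that Apache still answered with 200,
    i.e. vhosts where the <Files> block is not in effect."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blocked_path(rec["path"]) and rec["status"] == 200:
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    # Usage: python check_xmlrpc_block.py /var/log/httpd/domains/example.com.log
    # With no argument the constructed sample above is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for path, statuses in sorted(summarize(text).items()):
        print(path, dict(statuses))
    for ip, path in unblocked(text):
        print("NOT BLOCKED:", ip, path)
```

Run it against a domain's access log after rebuilding Apache; a clean result shows only 403 entries for the two scripts and no "NOT BLOCKED" lines. Because it tests the file name only, a request with a query string (the `?rsd` line in the sample) is counted together with the plain one, which matches how the Files directive sees it.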

  7. #7
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,122
    You also put that in the Virtualhost file Alex?
    Greetings, Richard.

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,551
    Yes, it's under Virtualhost in the templates... and the directive

    Code:
    ErrorDocument 403 "Sorry, you are not allowed to view this page!"

    overrides the user-defined instructions for ErrorDocument 403, and no PHP script is ever triggered.
    With regards, Alex.


  9. #9
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,122
    So if I'm correct, we can copy the httpd-vhost.conf template to the /custom/ap2/extra directory, adjust it, rebuild apache, and then this should also stay in there after upgrades, correct?
    Greetings, Richard.

  10. #10
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,551
    Feel free to try your way.

    I'm using this https://help.directadmin.com/item.php?id=2
    With regards, Alex.


  11. #11
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,122
    Oh LoL, I was thinking about the wrong one.
    However, these configs have all those pipes before and after, and endif statements.
    I've never used all that before.

    Can I just put that code in there? Without pipes and endifs etc.?
    Is only the virtualhost2.conf and virtualhost2_secure needed or do I need to put the code in all 4 of the virtualhost2* templates somewhere?
    Greetings, Richard.

  12. #12
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,551
    Add it before the final

    Code:
    </VirtualHost>
    in all 4 templates.
    With regards, Alex.


  13. #13
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,122
    Great, thank you!
    Greetings, Richard.
