
🔒️ Disable xmlrpc by default #1467

Merged 1 commit into master from disable-xmlrpc-by-default on Feb 12, 2023
Conversation

@retlehs (Member) commented Jan 24, 2023

This PR disables xmlrpc.php by default

@retlehs retlehs requested a review from swalkinshaw January 24, 2023 20:44
@retlehs retlehs self-assigned this Jan 24, 2023
@dalepgrant (Contributor)

Funny. I spent yesterday checking this out after seeing increased activity on a few of our servers. There is also https://github.com/ItinerisLtd/trellis-disable-xml-rpc. I do like being able to set this per site though, as this PR implements.

@retlehs (Member, Author) commented Jan 25, 2023

There are also some new-ish fail2ban rules you can enable FYI:

```yaml
# Enable built-in fail2ban services or add your own custom ones
fail2ban_services_custom:
  - name: wordpress_xmlrpc
    filter: wordpress-xmlrpc
    enabled: "false"
    port: http,https
    logpath: "{{ www_root }}/**/logs/access.log"
```

@dalepgrant (Contributor) commented Jan 25, 2023

There are, thanks Ben 🙏. That's where we ended up yesterday, with a todo to look into completely disabling it today/next week. Gotta check all the sites aren't using it first though; AFAIK JetPack still uses it. Off the top of my head I think we're good, as it's not a plugin we'd normally use, but a blanket ban without checking is probably a bad idea. Probably.

Edit: added link to related discourse post

@swalkinshaw (Member)

Jetpack using this makes me slightly iffy about disabling it by default, but probably in favour anyway. Regardless, better to have the option built in.

@PDowney commented Jan 27, 2023

Jetpack does still use this, but you can whitelist their IP address ranges:

https://jetpack.com/support/how-to-add-jetpack-ips-allowlist/

It would look something like this:

```nginx
# Enclosing location block assumed; the original comment showed only its body.
# Requests that pass the allow list still need the site's PHP (fastcgi) handler here.
location = /xmlrpc.php {
    # Whitelist Jetpack IP ranges
    allow 122.248.245.244/32;
    allow 54.217.201.243/32;
    allow 54.232.116.4/32;
    allow 192.0.80.0/20;
    allow 192.0.96.0/20;
    allow 192.0.112.0/20;
    allow 195.234.108.0/22;

    # Deny all other requests
    deny all;
}
```
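The two controls discussed in this thread, the `wordpress-xmlrpc` fail2ban rule from retlehs's comment and the Jetpack allow list from PDowney's comment, combined into one small log check. This is an added example written for this page, not code from the PR, from Trellis, or from any commenter. It assumes nginx's default `combined` log format (the `LOG_RE` regex is an assumption), uses the Jetpack ranges quoted above as the allow list, treats `maxretry`/`findtime` as assumed defaults rather than Trellis's actual fail2ban settings, and runs over a constructed sample log embedded in the block.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Jetpack ranges as quoted in the thread (allowlist page linked above).
JETPACK_ALLOWLIST = [ipaddress.ip_network(c) for c in (
    "122.248.245.244/32", "54.217.201.243/32", "54.232.116.4/32",
    "192.0.80.0/20", "192.0.96.0/20", "192.0.112.0/20", "195.234.108.0/22",
)]

# nginx "combined" log line, as written to {{ www_root }}/<site>/logs/access.log
# (assumed format; adjust the regex if the site uses a custom log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def is_allowlisted(ip, allowlist=JETPACK_ALLOWLIST):
    """True if ip falls inside any allowlisted network (the nginx `allow` lines)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # garbage in the client field is never trusted
        return False
    return any(addr in net for net in allowlist)


def parse_line(line):
    """Split one access-log line into the fields the check needs, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # ignore any query string
        "status": int(m.group("status")),
    }


def xmlrpc_offenders(lines, maxretry=5, findtime=timedelta(minutes=10),
                     allowlist=JETPACK_ALLOWLIST):
    """Return {ip: total_xmlrpc_posts} for every non-allowlisted client that sent
    at least `maxretry` POSTs to /xmlrpc.php within any `findtime` window.
    Same sliding-window rule fail2ban applies; maxretry/findtime defaults are assumed."""
    window = defaultdict(list)   # ip -> timestamps of recent matching requests
    total = defaultdict(int)
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/xmlrpc.php":
            continue
        if is_allowlisted(rec["ip"], allowlist):
            continue            # Jetpack (or other allowlisted) traffic is expected
        ip = rec["ip"]
        total[ip] += 1
        ts = window[ip]
        ts.append(rec["time"])
        while ts and rec["time"] - ts[0] > findtime:
            ts.pop(0)           # expire hits older than findtime
        if len(ts) >= maxretry:
            flagged.add(ip)
    return {ip: total[ip] for ip in sorted(flagged)}


def _log_line(ip, second, method="POST", path="/xmlrpc.php", status=200):
    # Constructed sample line; every request is stamped 24/Jan/2023 20:44:<second>.
    return (f'{ip} - - [24/Jan/2023:20:44:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 403 "-" "Mozilla/5.0"')


# Constructed sample log: a brute-forcer, a Jetpack host, a quiet client, and noise.
SAMPLE_LOG = (
    [_log_line("203.0.113.7", s) for s in range(0, 60, 10)]    # 6 POSTs in 50 s
    + [_log_line("192.0.80.15", s) for s in range(0, 40, 5)]    # 8 POSTs from 192.0.80.0/20 (Jetpack)
    + [_log_line("198.51.100.9", s) for s in (1, 2, 3)]         # 3 POSTs, below maxretry
    + [_log_line("203.0.113.8", 4, method="GET"),               # GET, not a credential probe
       _log_line("203.0.113.8", 5, path="/wp-login.php"),       # different endpoint
       "not an access log line at all"]                         # skipped by parse_line
)

if __name__ == "__main__":
    for ip, n in xmlrpc_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {n} POSTs to /xmlrpc.php")
```

Run it and only `203.0.113.7` is reported, with 6 hits: the Jetpack host is skipped by the allow list before it is ever counted, which is the arrangement strarsis describes below (xmlrpc left enabled, Jetpack allowed at the nginx level, everything else subject to the fail2ban threshold). Passing `allowlist=[]` shows what the same log looks like without the allow list, i.e. Jetpack would be banned along with the attacker.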

@swalkinshaw swalkinshaw merged commit d4f46d2 into master Feb 12, 2023
@swalkinshaw swalkinshaw deleted the disable-xmlrpc-by-default branch February 12, 2023 19:04
@strarsis (Contributor) commented Feb 20, 2023

@PDowney: Thanks! So when Jetpack is used, xmlrpc.enabled is set to true and the fail2ban rules you are listing are added instead, correct? This enables xmlrpc globally, but restricts it on the hosts level.

@swalkinshaw (Member)

That seems correct to me 👍

paulbrzeski pushed a commit to paulbrzeski/trellis that referenced this pull request Mar 3, 2023