Since it was from multiple sources, a blacklist was not helpful and I ended up using a L7 rule to stop all the attacks.
You will see this in your apache access.log. Notice them spoofing the googlebot as well to make it look like a web crawler.
62.109.8.59 - - [19/Jan/2017:21:37:03 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
62.109.8.59 - - [19/Jan/2017:21:37:03 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
62.109.8.59 - - [19/Jan/2017:21:37:04 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.45.53 - - [16/Jan/2017:17:55:08 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
51.15.45.53 - - [16/Jan/2017:17:55:08 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
51.15.45.53 - - [16/Jan/2017:17:55:09 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
51.15.45.53 - - [16/Jan/2017:17:55:09 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
Solution:
1 - Add the Layer 7 Rule
/ip firewall layer7-protocol add comment="Wordpress Hack" name=aaa-xml-rpc regexp="^.+(xmlrpc.php).*\$"
/ip firewall filter add action=tarpit chain=forward comment="Wordpress xmlrpc.php hack" dst-address=192.168.0.57 in-interface=ISPLink layer7-protocol=aaa-xml-rpc
dst-address = your web server to protect
in-interface = Your ISP connection to the internet
Hope this helps someone.
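Added example (not part of the post above): a small Python check that parses Apache combined-format lines like the excerpt, applies the post's Layer 7 regexp to each request line the way the router would see it, counts POSTs to xmlrpc.php per source address, and flags clients whose User-Agent claims to be Googlebot. The sample lines are constructed from the post's excerpt plus one benign GET from a documentation-range address; the threshold value is an assumption.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, as in the post's access.log excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# The Layer 7 regexp from the post; the \$ there is only RouterOS quoting of $.
# Note it has no method or verb in it, so it matches any request mentioning xmlrpc.php.
L7_XMLRPC = re.compile(r"^.+(xmlrpc.php).*$")

# Constructed sample input modelled on the post's excerpt (not live traffic).
SAMPLE_LOG = """\
62.109.8.59 - - [19/Jan/2017:21:37:03 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
62.109.8.59 - - [19/Jan/2017:21:37:04 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
51.15.45.53 - - [16/Jan/2017:17:55:08 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
51.15.45.53 - - [16/Jan/2017:17:55:09 +1100] "POST /xmlrpc.php HTTP/1.0" 200 790 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)"
198.51.100.7 - - [16/Jan/2017:18:00:00 +1100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def xmlrpc_posts_by_ip(log_text, threshold=2):
    """Return {ip: {"posts": n, "claims_googlebot": bool}} for every source
    address with at least `threshold` POSTs to xmlrpc.php (threshold is an
    assumed value, tune it to the site's normal traffic)."""
    posts = Counter()
    claims = defaultdict(bool)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the scan
        req = m["req"]
        # Same pattern the router's L7 matcher applies to the request bytes.
        if not L7_XMLRPC.match(req) or not req.startswith("POST "):
            continue
        posts[m["ip"]] += 1
        # A Googlebot UA string is trivially forged; Google's own guidance is to
        # confirm the claim with a reverse DNS lookup, which is not done here.
        if "Googlebot" in m["ua"]:
            claims[m["ip"]] = True
    return {ip: {"posts": n, "claims_googlebot": claims[ip]}
            for ip, n in posts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in xmlrpc_posts_by_ip(SAMPLE_LOG).items():
        print(ip, info)
```

Because the post's L7 pattern contains no HTTP method, the tarpit rule will also catch legitimate GET and POST traffic to xmlrpc.php (for example mobile apps or pingbacks), which is worth checking before deploying it in front of a site that relies on those.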