• Resolved fotov60

    (@fotov60)


    In the link https://jetpack.com/support/how-to-add-jetpack-ips-allowlist/ I found the following information:

    Allow all Communications Between Jetpack and WordPress.com

    Some hosts and plugins believe that blocking access to xmlrpc.php will stop various hacking attempts. However, XML-RPC support has been built into WordPress core since version 3.5 and is a stable tool. Jetpack, like other plugins, services, and mobile apps, relies on the XML-RPC file to communicate with WordPress.com. If this is blocked, your Jetpack connection will stop working properly. You should be able to protect a site’s XML-RPC file without having to allow specific IP ranges. The most popular hosts use tools like fail2ban or ModSecurity, for example. If you’d prefer to use an allowlist, you’ll need to allow these IP ranges:

    • 122.248.245.244/32
    • 54.217.201.243/32
    • 54.232.116.4/32
    • 192.0.80.0/20
    • 192.0.96.0/20
    • 192.0.112.0/20
    • 195.234.108.0/22

    Important:

    These IP addresses are subject to change. If you are writing IP-based firewall rules, you’ll need to update those rules any time the addresses change. We also have machine-readable versions of these IP ranges in JSON and plain text format that you can use to automate configuration changes on your systems.

    When it says, “You should be able to protect a site’s XML-RPC file without having to allow specific IP ranges. The most popular hosts use tools like fail2ban or ModSecurity, for example,” it means that ModSecurity can allow blocking connections to xmlrpc except for Jetpack’s connections? If so, how would you do it with ModSecurity? In my hosting, there is a security rule that blocks requests to WordPress’ xmlrpc, which only has the option to activate or deactivate it. If it can’t be done with ModSecurity, could you provide a detailed method that allows filtering and keeping the Jetpack IP lists updated to block all other connections attempting to connect to WordPress?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support Bruce (a11n)

    (@bruceallen)

    Happiness Engineer

    Hi @fotov60

    Since hosting environments vary and ModSecurity is not our product, it’s not something we can reliably guide you on. Your best bet would be to talk to your host about how to do this.

    Thread Starter fotov60

    (@fotov60)

    It could be, but since we use xml-rpc due to your backward compatibility policy, and you yourselves propose it as a possible solution, it would be helpful if you provided that configuration using the means you mentioned, as you are the first ones interested in people continuing to use the Jetpack plugin and subscribing to your paid plans.

    @fotov60 Each web host has a different user interface, so Jetpack is not able to provide specific instructions for thousands of web hosts. Instead, we provide the IP addresses so that you can allowlist them in your web hosting account.

    If you need help with doing something within your web hosting account, you can contact your web host directly for assistance with that. They will be able to provide the exact steps required to allowlist IPs in their user interface.

    Thread Starter fotov60

    (@fotov60)

    But your instructions say specifically:

    You should be able to protect a site’s XML-RPC file without having to allow specific IP ranges.

    Then providing IPs is contradictory with this affirmation. And the problem will be bigger if one looks closer and sees that “These IP addresses are subject to change. If you are writing IP-based firewall rules, you’ll need to update those rules any time the addresses change”. If some people will be forced to use an IP whitelist, the minimum is that these IPs do not change and have administrators looking permanently to have the service working, don’t you agree?

    @fotov60 Your concerns about the changing IP addresses are totally valid. Our IPs haven’t actually changed in a long while, however we make that statement as a disclaimer as we don’t hold ourselves responsible for communicating to users relying on IP whitelisting to give Jetpack access if they do change.

    Also, the line, “You should be able to protect a site’s XML-RPC file without having to allow specific IP ranges,” refers to an ideal scenario, where most hosts should allow general access to the xmlrpc.php file, because many services other than Jetpack, such as mobile apps, rely on XML-RPC to communicate with your site.

    Plugin Contributor Stef (a11n)

    (@erania-pinnera)

    Hi @fotov60,

    It’s been one week since this topic was last updated. I’m going to mark this thread as solved. If you have any further questions or need more help, you’re welcome to open another thread here. Cheers!

  • The topic ‘ModSecurity and XML-RPC?’ is closed to new replies.
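
One way to approach what the thread starter asks for, as an added example (not code from Jetpack or from anyone in this thread): validate the published range list before trusting it, then render a ModSecurity rule that denies `xmlrpc.php` to every other source address. It assumes ModSecurity v2-style `SecRule` syntax with the `@ipMatch` operator; the rule id, `MIN_PREFIX` and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Ranges as quoted in the thread; in practice, read the saved plain-text list.
JETPACK_RANGES = """\
122.248.245.244/32
54.217.201.243/32
54.232.116.4/32
192.0.80.0/20
192.0.96.0/20
192.0.112.0/20
195.234.108.0/22
"""
MIN_PREFIX = 16  # assumption: a fetched entry broader than /16 is treated as an error

def parse_ranges(text):
    """Validate one CIDR per line; raise ValueError rather than emit a bad rule."""
    nets = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)  # rejects junk and host bits
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if net.version != 4 or net.prefixlen < MIN_PREFIX or net.is_private:
            raise ValueError(f"line {lineno}: refusing range {line}")
        nets.add(net)
    if not nets:
        raise ValueError("empty list: the rule would block every XML-RPC client")
    return sorted(nets)

def modsec_rule(nets, rule_id=10100):
    """Render a chained rule: xmlrpc.php AND source not in list -> 403.
    rule_id is an arbitrary value from ModSecurity's local-use id range."""
    ips = ",".join(str(n) for n in nets)
    return (
        'SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \\\n'
        f'    "id:{rule_id},phase:1,deny,status:403,log,'
        "msg:'xmlrpc.php from non-allowlisted IP',chain\"\n"
        f'    SecRule REMOTE_ADDR "!@ipMatch {ips}" "t:none"\n'
    )

if __name__ == "__main__":
    print(modsec_rule(parse_ranges(JETPACK_RANGES)))
```

`REMOTE_ADDR` is the address of the directly connected peer, so behind a CDN or reverse proxy the rule would see the proxy's address and has to be applied at the edge or after the real client address is restored. Regenerating the rule only when `parse_ranges` succeeds keeps a truncated or tampered download from silently opening or closing `xmlrpc.php`.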