🔒️ Disable xmlrpc by default

[retlehs]

This PR disables xmlrpc.php by default

[dalepgrant]

Funny. I spent yesterday checking this out after seeing increased activity on a few of our servers. There is also https://github.com/ItinerisLtd/trellis-disable-xml-rpc. I do like being able to set this per site though as this PR implements

[retlehs]

There's also some new-ish fail2ban rules you can enable FYI:

trellis/group_vars/all/security.yml

Lines 16 to 22 in 5e47bd9

	# Enable built-in fail2ban services or add your own custom ones
	fail2ban_services_custom:
	- name: wordpress_xmlrpc
	filter: wordpress-xmlrpc
	enabled: "false"
	port: http,https
	logpath: "{{ www_root }}/**/logs/access.log"

[dalepgrant]

There are, thanks Ben 🙏 that's where we ended up yesterday with a todo to look into completely disabling it today/next week. Gotta check all the sites aren't using it first though, AFAIK JetPack still uses it. Top of my head I think we're good as it's not a plugin we'd normally use but a blanket ban without checking is probably a bad idea. Probably.

Edit: added link to related discourse post

[swalkinshaw]

Jetpack using this makes me slightly iffy about disabling it by default, but probably in favour anyway. Regardless, better to have the option built in.

[PDowney]

Jetpack does still use this, but you can whitelist their IP address ranges:

https://jetpack.com/support/how-to-add-jetpack-ips-allowlist/
It would look something like this:

    # Whitelist Jetpack IP ranges
    allow 122.248.245.244/32;
    allow 54.217.201.243/32;
    allow 54.232.116.4/32;
    allow 192.0.80.0/20;
    allow 192.0.96.0/20;
    allow 192.0.112.0/20;
    allow 195.234.108.0/22;

    # Deny all other requests
    deny all;
   }

[strarsis]

@PDowney: Thanks! So when Jetpack is used, xmlrpc.enabled is set to true and the fail2ban rules you are listing are added instead, correct? This enables xmlrpc globally, but restricts it on the hosts level.

[swalkinshaw]

That seems correct to me 👍