Hello,

what are good modsecurity rules to block xmlrpc bots?

So far i found these:

#Block XMLRPC accessed with no referring URL
SecRule REQUEST_METHOD "POST" "deny,status:401,id:4784627,nolog,chain,msg:'xmlrp c request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "xmlrpc.php"
# Block XMLRPC.php access entirely
SecRule REQBODY_ERROR "!@eq 0" \
"id:219241,chain,msg:'XMLRPC.php deny||%{tx.domain}|%{tx.mode}|2',phase:2,deny,stat us:403,log,rev:2,severity:2,tag:'Protocol'"
SecRule REQUEST_HEADERS:Content-Type "^text/xml$" \
"chain,t:none,t:lowercase"
SecRule REQUEST_FILENAME "@endsWith xmlrpc.php" \
"t:none,t:lowercase"
I assume only one rule should be used where the second rule is more strict - blocks all xmlrpc visitors. xmlrpc is usually not necessary for website to work and it is usualy not used.