Keith,
Why not just null route the IP address? Something like this should suffice:
route add 188.165.243.45 gw 127.0.0.1 lo
On 5 July 2013 08:45, Keith Williams <keithwilliamsnp@???> wrote:
> This is not just a WP issue. About a week ago, I got a notification from
> my Joomla site of repeated failed attempts to log in to the admin site. I
> looked at the logs and saw that it was from one address, every few seconds
> loosely following a pattern of 2 attempts with a password followed by 1
> without, coming at a rate of between 2 and 12 seconds apart. I inserted an
> iptables rule to block that ip and then investigated it further. It is a
> "well-known" address and I set up a chain to log and drop any hits from
> that block of addresses. Joomla is quieter now, but the attempts continue
> unabated.
>
> As it is just a bot, mindlessly pumping out the hits, would there be any
> advantage in changing the DROP to REJECT, hoping that it might stop
> annoying me? The hits are all coming from 188.165.243.45 though
> occasionally a few will come from another address in their ranges. I've not
> managed to find any ipv6 addresses associated with them or they would be
> blocked as well.
>
>
> On 3 July 2013 13:38, Ian <ian@???> wrote:
>
>> Dom Latter said:
>>
>>> I'm a bit late but I just thought I'd comment here - it may be no use
>>> at all against a real attacker but the greatest threat to most wordpress
>>> sites comes from scripted attacks - which may well assume a default
>>> wp_ prefix. Because it works (for the attacker) well enough.
>>>
>>
>> Hmm, given a firewall preventing access to MySQL from outside the VPS,
>> they still have to get into the WordPress setup, and that is almost always
>> going to involve getting into (or making, via a privilege escalation
>> exploit) an administrator account.
>>
>> I have changed my WordPress install script to have a different prefix
>> each time, but I don't think it will actually make any difference, and I am
>> not going to change the prefix on existing sites.
>>
>>> To avoid getting eaten by the lion, you don't have to run faster than
>>> the lion, just faster than the people around you.
>>>
>>
>> Up to a point - that works with a lion, but it's not so successful if
>> your attacker is someone with a machine gun! :)
>>
>> The current attack on wp-login is more like that. It has been going on
>> for about a week - I have upped the fail2ban bantime for this to three
>> days, and they still come back after that.
>>
>> If it were any better at getting the right account names, I'd be using
>> the plugin that ensures password quality as well as limiting the rate of
>> login attempts.
>>
>> Ian
>>
>> _______________________________________________
>> users mailing list
>> users@???
>> https://lists.bitfolk.com/mailman/listinfo/users
>>
>
>
>
> --
> Keith Williams
>
> Keith's Place www.keiths-place.co.uk
>
> Tailor Made English www.tmenglish.org
>
> West Norfolk RSPCA www.westnorfolkrspca.org.uk
>
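
Added example, not part of the thread or written by any of its participants: a small detector for the pattern Keith describes (one source posting to the admin login every few seconds), which renders the null-route command from the reply for each flagged address. The log format, login paths, threshold and sample addresses are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions: Apache/nginx "combined" log lines, default WordPress and Joomla
# login paths, and an illustrative threshold of 5 login POSTs per 60 seconds.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)')

def flag_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak login POSTs seen inside one window} for noisy sources."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts_raw, method, target = m.groups()
        if method != "POST" or target.split("?", 1)[0] not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(ts_raw, TS_FMT)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def null_route_commands(flagged):
    """Render the null-route command from the reply for each flagged source."""
    return [f"route add {ip} gw 127.0.0.1 lo" for ip in sorted(flagged)]

def sample_log():
    """Constructed sample: a bot posting every 7 s and one ordinary user."""
    base = datetime.strptime("05/Jul/2013:08:00:00 +0000", TS_FMT)
    row = '{} - - [{}] "{} {} HTTP/1.1" 200 512'
    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime(TS_FMT)
    lines = [row.format("203.0.113.7", stamp(7 * i), "POST",
                        "/administrator/index.php") for i in range(10)]
    lines += [row.format("198.51.100.20", stamp(s), "POST", "/wp-login.php")
              for s in (3, 40)]
    lines.append(row.format("198.51.100.20", stamp(41), "GET", "/wp-admin/"))
    return lines

if __name__ == "__main__":
    for cmd in null_route_commands(flag_bruteforce(sample_log())):
        print(cmd)
```

The sliding window is kept per source address, so an ordinary user who mistypes a password twice stays well under the threshold while a steady 2 to 12 second cadence crosses it within a minute.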