Author: Keith Williams
Date:
To: BitFolk Users
Subject: Re: [bitfolk] For those hosting WordPress blogs

Daniel,
Thanks. That's an idea.
On 5 July 2013 11:24, Daniel Case <danielcase10@???> wrote:
> Keith,
>
> Why not just null route the IP address? Something like this should suffice:
> route add 188.165.243.45 gw 127.0.0.1 lo
>
>
> On 5 July 2013 08:45, Keith Williams <keithwilliamsnp@???> wrote:
>
>> This is not just a WP issue. About a week ago, I got a notification from
>> my Joomla site of repeated failed attempts to log in to the admin site. I
>> looked at the logs and saw that it was from one address, every few seconds
>> loosely following a pattern of 2 attempts with a password followed by 1
>> without, coming at a rate of between 2 and 12 seconds apart. I inserted an
>> iptables rule to block that IP and then investigated it further. It is a
>> "well-known" address and I set up a chain to log and drop any hits from
>> that block of addresses. Joomla is quieter now, but the attempts continue
>> unabated.
>>
>> As it is just a bot, mindlessly pumping out the hits, would there be any
>> advantage in changing the DROP to REJECT, hoping that it might stop
>> annoying me? The hits are all coming from 188.165.243.45 though
>> occasionally a few will come from another address in their ranges. I've not
>> managed to find any IPv6 addresses associated with them or they would be
>> blocked as well.
>>
>>
>> On 3 July 2013 13:38, Ian <ian@???> wrote:
>>
>>> Dom Latter said:
>>>
>>>> I'm a bit late but I just thought I'd comment here - it may be no use
>>>> at all against a real attacker but the greatest threat to most WordPress
>>>> sites comes from scripted attacks - which may well assume a default
>>>> wp_ prefix. Because it works (for the attacker) well enough.
>>>>
>>>
>>> Hmm, given a firewall preventing access to MySQL from outside the VPS,
>>> they still have to get into the WordPress setup, and that is almost always
>>> going to involve getting into (or making, via a privilege escalation
>>> exploit) an administrator account.
>>>
>>> I have changed my WordPress install script to have a different prefix
>>> each time, but I don't think it will actually make any difference, and I am
>>> not going to change the prefix on existing sites.
>>>
>>>> To avoid getting eaten by the lion, you don't have to run faster than
>>>> the lion, just faster than the people around you.
>>>>
>>>
>>> Up to a point - that works with a lion, but it's not so successful if
>>> your attacker is someone with a machine gun! :)
>>>
>>> The current attack on wp-login is more like that. It has been going on
>>> for about a week - I have upped the fail2ban bantime for this to three
>>> days, and they still come back after that.
>>>
>>> If it were any better at getting the right account names, I'd be using
>>> the plugin that ensures password quality as well as limiting the rate of
>>> login attempts.
>>>
>>> Ian
>>>
>>> _______________________________________________
>>> users mailing list
>>> users@???
>>> https://lists.bitfolk.com/mailman/listinfo/users
>>>
>>
>>
>>
>> --
>> Keith Williams
>>
>> Keith's Place www.keiths-place.co.uk
>> Tailor Made English www.tmenglish.org
>> West Norfolk RSPCA www.westnorfolkrspca.org.uk
>>
>
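
Added example, not part of the original thread and not any poster's code: detecting the pattern described above (one source posting to a login page every few seconds) in a web access log, so the offending address can be handed to a block rule or fail2ban. The Apache combined log format, the login paths, the thresholds and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed login endpoints for WordPress and Joomla; adjust to the site.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3}'
)

def login_posts(lines):
    """Yield (ip, timestamp) for every POST to a login endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] in LOGIN_PATHS:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=1)):
    """Return {ip: peak attempts} for sources exceeding max_attempts in any window."""
    by_ip = defaultdict(list)
    for ip, ts in login_posts(lines):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            offenders[ip] = peak
    return offenders

def sample_log():
    """Constructed sample: a bot posting every 6 s and a user logging in twice."""
    base = datetime(2013, 7, 5, 8, 0, 0, tzinfo=timezone.utc)
    rows = [("203.0.113.7", i * 6, "POST /administrator/index.php") for i in range(12)]
    rows += [("198.51.100.20", 0, "GET /wp-login.php"),
             ("198.51.100.20", 20, "POST /wp-login.php"),
             ("198.51.100.20", 400, "POST /wp-login.php")]
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return ['%s - - [%s] "%s HTTP/1.1" 200 512' % (ip, stamp(s), req) for ip, s, req in rows]

if __name__ == "__main__":
    for ip, peak in find_bruteforce(sample_log()).items():
        print(f"{ip}: {peak} login POSTs within one minute")
```
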