Keith,
Why not just null route the IP address? Something like this should suffice:
route add 188.165.243.45 gw 127.0.0.1 lo
On 5 July 2013 08:45, Keith Williams <keithwilliamsnp(a)gmail.com> wrote:
This is not just a WP issue. About a week ago, I got a notification from
my Joomla site of repeated failed attempts to log in to the admin site. I
looked at the logs and saw that it was from one address, every few seconds
loosely following a pattern of 2 attempts with a password followed by 1
without, coming at a rate of between 2 and 12 seconds apart. I inserted an
iptables rule to block that ip and then investigated it further. It is a
"well-known" address and I set up a chain to log and drop any hits from
that block of addresses. Joomla is quieter now, but the attempts continue
unabated.
As it is just a bot, mindlessly pumping out the hits, would there be any
advantage in changing the DROP to REJECT, hoping that it might stop
annoying me? The hits are all coming from 188.165.243.45 though
occasionally a few will come from another address in their ranges. I've not
managed to find any ipv6 addresses associated with them or they would be
blocked as well.
On 3 July 2013 13:38, Ian <ian(a)lovingboth.com> wrote:
Dom Latter said:
I'm a bit late but I just thought I'd comment here - it may be no use
at all against a real attacker but the greatest threat to most wordpress
sites comes from scripted attacks - which may well assume a default
wp_ prefix. Because it works (for the attacker) well enough.
Hmm, given a firewall preventing access to MySQL from outside the VPS,
they still have to get into the WordPress setup, and that is almost always
going to involve getting into (or making, via a privilege escalation
exploit) an administrator account.
I have changed my WordPress install script to have a different prefix
each time, but I don't think it will actually make any difference, and I am
not going to change the prefix on existing sites.
To avoid getting eaten by the lion, you don't have to run faster than
the lion, just faster than the people around you.
Up to a point - that works with a lion, but it's not so successful if
your attacker is someone with a machine gun! :)
The current attack on wp-login is more like that. It has been going on
for about a week - I have upped the fail2ban bantime for this to three
days, and they still come back after that.
If it were any better at getting the right account names, I'd be using
the plugin that ensures password quality as well as limiting the rate of
login attempts.
Ian
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
--
Keith Williams
Keith's Place
www.keiths-place.co.uk
Tailor Made English
www.tmenglish.org
West Norfolk RSPCA
www.westnorfolkrspca.org.uk
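An added example, not part of any message in this thread: a sliding-window check over web access-log lines that flags an address making repeated login POSTs, which is the pattern described above and the kind of threshold a tool such as fail2ban applies before banning. The log lines are constructed, the addresses come from documentation ranges, and the login paths and the `max_retry` and `find_time` names are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed login endpoints (WordPress and Joomla admin); adjust to the site.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, time, method, path) from a combined-format line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target = m.groups()
    try:
        return ip, datetime.strptime(ts, TS_FORMAT), method, target.split("?", 1)[0]
    except ValueError:  # timestamp field present but malformed
        return None

def find_offenders(lines, max_retry=5, find_time=timedelta(minutes=10)):
    """Map each IP to the time it reached max_retry login POSTs within find_time.
    Lines are assumed to be in chronological order, as in a live access log."""
    recent = defaultdict(deque)  # ip -> login POST times still inside the window
    offenders = {}
    for ip, when, method, path in filter(None, map(parse, lines)):
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        window = recent[ip]
        window.append(when)
        while when - window[0] > find_time:  # drop attempts older than the window
            window.popleft()
        if len(window) >= max_retry:
            offenders.setdefault(ip, when)   # keep the first time it was crossed
    return offenders

def make_sample():
    """Constructed log: a bot POSTing every 7 s and a user with two failed logins."""
    base = datetime(2013, 7, 5, 8, 0, 0, tzinfo=timezone.utc)
    rows = [("203.0.113.7", base + timedelta(seconds=7 * i), "/wp-login.php")
            for i in range(8)]
    rows += [("198.51.100.20", base + timedelta(minutes=m), "/administrator/index.php")
             for m in (1, 30)]
    return ['{} - - [{}] "POST {} HTTP/1.1" 200 1234 "-" "-"'.format(
        ip, t.strftime(TS_FORMAT), path) for ip, t, path in rows]

if __name__ == "__main__":
    for ip, when in find_offenders(make_sample()).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```

The returned addresses are candidates for whatever block is in use (a firewall rule, a null route or a ban), and the human user with two widely spaced failures stays below the threshold.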