This is not just a WP issue. About a week ago, I got a notification from my
Joomla site of repeated failed attempts to log in to the admin site. I
looked at the logs and saw that it was from one address, every few seconds,
loosely following a pattern of 2 attempts with a password followed by 1
without, coming at a rate of between 2 and 12 seconds apart. I inserted an
iptables rule to block that IP and then investigated it further. It is a
"well-known" address and I set up a chain to log and drop any hits from
that block of addresses. Joomla is quieter now, but the attempts continue
unabated.
As it is just a bot, mindlessly pumping out the hits, would there be any
advantage in changing the DROP to REJECT, hoping that it might stop
annoying me? The hits are all coming from 188.165.243.45, though
occasionally a few will come from another address in their ranges. I've not
managed to find any IPv6 addresses associated with them or they would be
blocked as well.
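The rate-based detection and the log-and-drop chain described in the message above, as an added example that is not from the thread or from fail2ban: the access-log lines and addresses are constructed, and treating an HTTP 200 reply to a POST on wp-login.php as a failed login (WordPress re-renders the form; a success redirects) is an assumed heuristic.

```python
"""Minimal fail2ban-style detector for wp-login brute force, plus the iptables commands to ban offenders."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (sample data, not from the thread).
# One address shows the 2 POSTs / 1 GET pattern; the other is a successful login (302).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Jul/2013:13:40:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [03/Jul/2013:13:40:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [03/Jul/2013:13:40:09 +0100] "GET /wp-login.php HTTP/1.1" 200 2100
198.51.100.7 - - [03/Jul/2013:13:40:14 +0100] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [03/Jul/2013:13:40:20 +0100] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [03/Jul/2013:13:40:25 +0100] "POST /wp-login.php HTTP/1.1" 200 3412
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def failed_logins(log_text):
    """Yield (ip, timestamp) for each POST to wp-login.php that re-rendered the form (assumed: status 200)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return IPs with at least `maxretry` failures inside any `findtime` window (fail2ban-like semantics)."""
    hits = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        hits[ip].append(ts)
    banned = []
    for ip, stamps in hits.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= findtime) >= maxretry:
                banned.append(ip)
                break
    return banned

def ban_commands(ips, chain="BRUTE", action="DROP"):
    """Build the iptables commands for a chain that logs (rate-limited) and then DROPs or REJECTs."""
    cmds = [f"iptables -N {chain}",
            f"iptables -A {chain} -m limit --limit 5/min -j LOG --log-prefix '{chain}: '",
            f"iptables -A {chain} -j {action}"]
    cmds += [f"iptables -I INPUT -s {ip} -j {chain}" for ip in ips]
    return cmds
```

Running `ban_commands(offenders(SAMPLE_LOG))` yields the chain setup plus one `-s 198.51.100.7` jump; pass `action="REJECT"` to compare the two variants discussed above.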
On 3 July 2013 13:38, Ian <ian(a)lovingboth.com> wrote:
Dom Latter said:
I'm a bit late but I just thought I'd comment here - it may be no use
at all against a real attacker but the greatest
threat to most wordpress
sites comes from scripted attacks - which may well assume a default
wp_ prefix. Because it works (for the attacker) well enough.
Hmm, given a firewall preventing access to MySQL from outside the VPS,
they still have to get into the WordPress setup, and that is almost always
going to involve getting into (or making, via a privilege escalation
exploit) an administrator account.
I have changed my WordPress install script to have a different prefix each
time, but I don't think it will actually make any difference, and I am not
going to change the prefix on existing sites.
To avoid getting eaten by the lion, you don't have to run faster than
the lion, just faster than the people around
you.
Up to a point - that works with a lion, but it's not so successful if your
attacker is someone with a machine gun! :)
The current attack on wp-login is more like that. It has been going on for
about a week - I have upped the fail2ban bantime for this to three days,
and they still come back after that.
If it were any better at getting the right account names, I'd be using the
plugin that ensures password quality as well as limiting the rate of login
attempts.
Ian
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users<https://lists.bitfolk…