This is not just a WP issue. About a week ago, I got a notification from my Joomla site of repeated failed attempts to log in to the admin site. I looked at the logs and saw that it was from one address, every few seconds, loosely following a pattern of 2 attempts with a password followed by 1 without, coming at a rate of between 2 and 12 seconds apart. I inserted an iptables rule to block that IP and then investigated it further. It is a "well-known" address and I set up a chain to log and drop any hits from that block of addresses. Joomla is quieter now, but the attempts continue unabated.
 
As it is just a bot, mindlessly pumping out the hits, would there be any advantage in changing the DROP to REJECT, hoping that it might stop annoying me? The hits are all coming from 188.165.243.45, though occasionally a few will come from another address in their ranges. I've not managed to find any IPv6 addresses associated with them or they would be blocked as well.


On 3 July 2013 13:38, Ian <ian@lovingboth.com> wrote:
Dom Latter said:

I'm a bit late but I just thought I'd comment here - it may be no use
at all against a real attacker but the greatest threat to most WordPress
sites comes from scripted attacks - which may well assume a default
wp_ prefix.  Because it works (for the attacker) well enough.

Hmm, given a firewall preventing access to MySQL from outside the VPS, they still have to get into the WordPress setup, and that is almost always going to involve getting into (or making, via a privilege escalation exploit) an administrator account.

I have changed my WordPress install script to have a different prefix each time, but I don't think it will actually make any difference, and I am not going to change the prefix on existing sites.

To avoid getting eaten by the lion, you don't have to run faster than
the lion, just faster than the people around you.

Up to a point - that works with a lion, but it's not so successful if your attacker is someone with a machine gun! :)

The current attack on wp-login is more like that. It has been going on for about a week - I have upped the fail2ban bantime for this to three days, and they still come back after that.

If it were any better at getting the right account names, I'd be using the plugin that ensures password quality as well as limiting the rate of login attempts.

  Ian

_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users



--
Keith Williams
 
Keith's Place  www.keiths-place.co.uk
 
Tailor Made English   www.tmenglish.org
 
West Norfolk RSPCA www.westnorfolkrspca.org.uk
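Ian's reply mentions fail2ban's bantime and attackers that return once the ban expires; the following is an added Python example, not code from either poster, that applies fail2ban-style maxretry/findtime/bantime logic to constructed access-log lines. It assumes that a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form) while a 302 is a success, and it uses RFC 5737 documentation addresses rather than the address in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache-style access-log lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jul/2013:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3500',
    '203.0.113.7 - - [03/Jul/2013:13:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3500',
    '198.51.100.2 - - [03/Jul/2013:13:00:06 +0000] "GET /index.php HTTP/1.1" 200 8000',
    '203.0.113.7 - - [03/Jul/2013:13:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3500',
    '203.0.113.7 - - [03/Jul/2013:13:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3500',
    '198.51.100.2 - - [03/Jul/2013:13:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [06/Jul/2013:13:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3500',
    '203.0.113.7 - - [06/Jul/2013:13:00:35 +0000] "POST /wp-login.php HTTP/1.1" 200 3500',
    '203.0.113.7 - - [06/Jul/2013:13:00:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3500',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])

def is_failed_login(method, path, status):
    # Assumption: wp-login.php answers a bad password with 200 (form re-rendered)
    # and a good one with a 302 redirect, so a 200 POST counts as a failure.
    return method == 'POST' and path.startswith('/wp-login.php') and status == 200

def find_bans(lines, maxretry=3, findtime=600, bantime=3 * 86400):
    """Return [(ip, ban_start)] for each ban these fail2ban-style settings would issue."""
    failures = defaultdict(deque)   # per-IP failure timestamps inside the findtime window
    banned_until = {}               # ip -> time the ban lapses
    bans = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if ip in banned_until and ts >= banned_until[ip]:
            del banned_until[ip]    # bantime elapsed: the IP is unbanned and starts clean
            failures[ip].clear()
        if ip in banned_until or not is_failed_login(method, path, status):
            continue
        q = failures[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()             # slide the window: forget failures older than findtime
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
    return bans
```

With the default three-day bantime the same address is banned twice (it returns once the first ban lapses, as Ian describes); raising bantime to ten days collapses that to a single ban.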