Hi,
Just looking for anyone else's experience in this.
I have perhaps 30 Wordpress sites which, either recently, or simply showing up recently because of the new web application rules from ASL, are experiencing multiple failed login attempts from outside sources.
These are distributed by source and by destination - i.e. no IP attacks twice, even on a different domain
The ASL rules are alerting to this and the brute-force rule shuns repeated offenders, but is this sufficient?
I could raise 377306 to level 7 and shun all failed logins immediately, but then risk the onslaught of customer contacts as they are shunned when they enter their password in wrong.
Anyone else seeing this? And perhaps overcome it?
Thanks
Many Wordpress "Login Failure Detected" (Rule 377306)
Re: Many Wordpress "Login Failure Detected" (Rule 377306)
No-one else came across this? Or is it just something everyone's happy to allow ASL to do its thing on?
Re: Many Wordpress "Login Failure Detected" (Rule 377306)
What's happening is that a botnet is being used to initiate the logins. This causes them to be from a number of different IPs. We see this a lot. It seems to be the latest strategy to avoid the simple "fail2ban" sort of blocking.
It isn't just wordpress. They do the same thing for email and FTP. And no doubt other types of common script. We mitigate it by blocking South America, Eastern Europe and the Far East at the firewall level - these are the places most of the IPs are for the botnets that target our machines.
The problem is simply that if each IP is different, you can't do anything about it other than prevent logins to the site from all IPs, which would not be good because the admin would then be unable to login.
The solution is simple. 1) Make the password un-guessable and 2) potentially use .htaccess to add a first-level block on the admin directory 3) if the script allows it, don't use common usernames like admin for the admin user.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
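The point in the post above is that a botnet which spends one attempt per IP defeats any per-IP counter, so the only signal left is the aggregate. The script below is an added example written for this thread, not ASL's rule 377306 or anything from Atomicorp: it reads constructed Apache `vhost_combined` log lines (the format is assumed; the host names and IPs are made up, drawn from documentation ranges) and compares a fail2ban-style per-IP threshold with a server-wide sliding window that counts distinct source IPs across all sites. A failed wp-login.php POST is identified by WordPress re-rendering the form with a 200, while a successful login answers with a 302.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "vhost_combined" format (assumed for this example):
# %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: five sites on one server, every request from a different
# IP, spread over about 100 seconds. One GET and one successful (302) login
# are mixed in so the filter has something to discard.
SAMPLE_LOG = """\
site1.example:80 203.0.113.10 - - [10/Mar/2013:04:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
site2.example:80 198.51.100.23 - - [10/Mar/2013:04:12:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
site1.example:80 203.0.113.77 - - [10/Mar/2013:04:12:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
site3.example:80 192.0.2.44 - - [10/Mar/2013:04:12:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
site3.example:80 192.0.2.9 - - [10/Mar/2013:04:12:35 +0000] "GET /wp-login.php HTTP/1.1" 200 3600 "-" "Mozilla/5.0"
site4.example:80 198.51.100.200 - - [10/Mar/2013:04:12:44 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
site5.example:80 203.0.113.201 - - [10/Mar/2013:04:12:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
site2.example:80 192.0.2.130 - - [10/Mar/2013:04:13:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
site5.example:80 198.51.100.8 - - [10/Mar/2013:04:13:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
site4.example:80 203.0.113.99 - - [10/Mar/2013:04:13:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3712 "-" "Mozilla/5.0"
"""


def parse_failures(log_text):
    """Return a list of (timestamp, vhost, ip) for each failed wp-login.php POST.
    WordPress answers a bad password by re-rendering the form (200); a
    successful login redirects (302), so only 200s are counted."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php" or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        failures.append((ts, m["vhost"], m["ip"]))
    return failures


def per_ip_offenders(failures, threshold=3):
    """fail2ban-style view: IPs with at least `threshold` failures.
    Against a one-attempt-per-IP botnet this comes back empty."""
    counts = Counter(ip for _, _, ip in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def per_vhost_counts(failures):
    """Per-site view: also low when the attack is spread over many domains."""
    return Counter(vhost for _, vhost, _ in failures)


def campaign_detected(failures, window=timedelta(minutes=5), threshold=5):
    """Server-wide view: True if at least `threshold` distinct source IPs fail a
    login on any site within one `window`, which is the signal the distributed
    attack cannot hide."""
    events = sorted(failures)
    for i in range(len(events)):
        start = events[i][0]
        ips = set()
        for ts, _, ip in events[i:]:
            if ts - start > window:
                break
            ips.add(ip)
        if len(ips) >= threshold:
            return True
    return False


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("failed logins:", len(fails))
    print("per-IP offenders (>=3):", per_ip_offenders(fails))
    print("per-site counts:", dict(per_vhost_counts(fails)))
    print("campaign in 5 min window:", campaign_detected(fails))
```

With the sample above the per-IP check finds nothing and no single site sees more than two failures, yet the server-wide window sees eight distinct IPs failing within two minutes. A global alert of this kind cannot shun anyone (there is no single IP to shun), but it does tell you a campaign is running and is the cue to apply the other measures in the thread: strong passwords, a non-default admin username and a first-level .htaccess block on the login path.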
Re: Many Wordpress "Login Failure Detected" (Rule 377306)
Thanks Faris, yeah - I assumed a botnet.
I'll look into geo-blocking for the most common areas.
Don't think that should affect any clients...
As for the other tips - thanks - but the buck lies with the end-user's details.
I always configure accounts with secure passwords, but with their ability to change the password to something more memorable (i.e. guessable!), I wouldn't trust them!
The .htaccess idea is a good one too... will just need to figure out which would be the least noticeable and least work/confusion for clients.
-
- Forum User
- Posts: 26
- Joined: Fri Feb 17, 2012 3:37 am
- Location: Spain
Re: Many Wordpress "Login Failure Detected" (Rule 377306)
Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?
One of the big issues is that there are a lot of amateur web designers out there posing as "professional" wordpress developers without any idea of wordpress security, so they simply set up wordpress out of the box with the "admin" username etc.
Then the sites are getting hacked and they are pointing the finger at us saying our server is not secure!!!
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Many Wordpress "Login Failure Detected" (Rule 377306)
> Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?

When you say greylisting, do you mean shunning or something else?
Michael Shinn
Atomicorp - Security For Everyone
-
- Forum User
- Posts: 26
- Joined: Fri Feb 17, 2012 3:37 am
- Location: Spain
Re: Many Wordpress "Login Failure Detected" (Rule 377306)
mikeshinn wrote:
> > Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?
>
> When you say greylisting, do you mean shunning or something else?

I am not sure what "shunning" means, but if they could be blocked for 30 minutes or some period of time, that would be good.
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Many Wordpress "Login Failure Detected" (Rule 377306)
That's what shunning means. The default is 10 minutes; you can certainly increase that or even disable expiration completely.