Under attack!

Hi to all,
I am currently undergoing a rather severe attack on all my sites.
IPs come from everywhere.
Of course I have fail2ban keeping watch, but ... what do you advise?

Aug 15 19:11:52 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 82.144.159.15
Aug 15 19:12:35 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 180.246.61.50
Aug 15 19:12:46 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 223.205.235.61
Aug 15 19:12:47 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 2.190.105.3
Aug 15 19:12:48 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 223.205.235.61
Aug 15 19:15:48 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 83.149.34.187
Aug 15 19:15:53 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 14.98.19.9
Aug 15 19:16:03 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 2.190.77.39
Aug 15 19:16:04 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 14.98.19.9
Aug 15 19:16:08 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 2.190.77.39
Aug 15 19:16:19 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 91.200.54.4
Aug 15 19:16:38 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 14.98.19.9
Aug 15 19:17:59 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 91.200.54.4
Aug 15 19:18:00 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 91.200.54.4
Aug 15 19:18:30 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 36.76.53.236
Aug 15 19:18:31 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 36.76.53.236
Aug 15 19:18:47 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 36.76.53.236
Aug 15 19:20:10 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 110.39.57.191
Aug 15 19:20:14 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 110.39.57.191
Aug 15 19:20:16 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 110.39.57.191
Aug 15 19:22:17 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 41.141.101.222
Aug 15 19:22:23 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 41.141.101.222
Aug 15 19:22:23 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 41.141.101.222
Aug 15 19:22:39 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 49.49.207.194
Aug 15 19:26:09 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 79.101.168.112
Aug 15 19:29:25 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 180.245.225.192
Aug 15 19:29:45 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 171.5.236.2
Aug 15 19:29:46 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 171.5.236.2
Aug 15 19:29:47 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 171.5.236.2
Aug 15 19:30:43 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 171.5.236.2
Aug 15 19:31:02 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 81.18.133.246
Aug 15 19:31:03 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 81.18.133.246
Aug 15 19:36:21 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 180.246.61.50
Aug 15 19:38:23 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 78.165.34.50
Aug 15 19:39:27 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 46.237.85.76
Aug 15 19:40:11 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 81.90.144.194
Aug 15 19:40:24 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 78.165.34.50
Aug 15 19:40:31 mail wordpress(karmaweb.biz)[11411]: Authentication failure for admin from 178.93.61.26
Aug 15 19:40:39 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 180.245.225.192
Aug 15 19:40:59 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 194.149.63.102
Aug 15 19:41:00 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 78.165.34.50
Aug 15 19:42:35 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 180.245.225.192
Aug 15 19:45:12 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 94.203.164.7
Aug 15 19:45:17 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 46.237.85.76
Aug 15 19:46:30 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 178.93.61.26
Aug 15 19:46:35 mail wordpress(karmaweb.biz)[11411]: Authentication failure for admin from 85.219.212.247
Aug 15 19:48:17 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 37.208.192.31
Aug 15 19:48:25 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 37.208.192.31
Aug 15 19:48:37 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 37.208.192.31

And it started there in about three hours ...

  • Alexander
    • DEV MAN’s Mascot

    Hi there,

    Are you still experiencing a heavy load? This is likely a botnet attack. It's an automated attempt by a large collection of compromised sites or computers. They usually try to gain access to sites with popular domains to feed off the traffic somehow.

    I would advise making sure your admin account username is not "admin" and changing your password to something very secure. This is really about all it takes to keep them out.

    After a while, fail2ban will ban all the IP addresses, and your site will be over it like a common cold after a good dose of cold medicine. This still won't stop them from attempting to connect but at least they'll be stopped before they can try to make a login attempt.

    Best regards,

  • Timothy
    • Chief Pigeon

    Those DDOS/Bruteforce attempts are a real pain in the ar... posterior!

    You can't always stop them, but there are things server admins can do to distribute the load if it gets real bad.

    Tightening up firewalls and such can help a ton.

    I see many of those IPs are from Indonesia, Iran, Thailand, India.

    So, do you want to target those countries? Do you have business reasons for this?

    You could geoblock those countries, it's drastic action, and there could be some friendly fire, but it could alleviate much of the issue here. Perhaps give them a denied access header with a form to allow exceptions.

    As I said, that is pretty drastic, I know a couple of companies that do this.

    Take care.

  • lol
    • The Incredible Code Injector

    Hi Alexander,

    Thank you very much for the answer. This kind of adventure is a little scary.
    My passwords are very complicated, no risk on that side.

    I increased the length of the ban and the attacks seem further apart now.

    The attacks came from the East at first, then turned to the south of the Mediterranean.

    This is an amazing experience. I was notified by mail, and at first I could not believe my eyes; the logs were filling at breakneck speed.

    I can only advise everyone to set up a system to banish unwanted visitors; they can be incredibly effective ...

    Thank you for your message, I feel a little less alone!

  • lol
    • The Incredible Code Injector

    Hello Timothy,
    You answered while I was writing (and I'm slow, English does not come naturally to a poor little Frenchman ...).
    I do not like the idea of banning pieces of continents, but if it happens again I'd think harder ...
    My server is running Linux; my firewall is well done, I think, but it does nothing against this kind of attack.
    I keep fail2ban active, with longer ban rules and stronger ban rules (only two tries). But there is a balance to be maintained between accessibility and rejecting the wicked ...

    Thank you for your answer.

  • Decura
    • The Bug Hunter

    @lol

    One of my sites was also under attack today. I can see that every attempt uses either Admin or the site name as the username. The best solution for this type of attack seems to be a hard-to-guess username and a solution to limit the login attempts.

    There is just the matter of resource limits, which also might affect you. My hosting provider unfortunately shuts the connection until it is back to a normal level. There is not much to do about this but perhaps change hosting provider.

  • lol
    • The Incredible Code Injector

    Hi Decura,

    Thank you for the feedback.

    I did not have a lot of sites in WP before; only now am I discovering the risks.
    I am fortunate to have good hosting (and a good solid server). I will look tomorrow, but I do not think I was cut off from the Internet for even a minute.

    Stay safe folks!

  • Timothy
    • Chief Pigeon

    No, blocking bulk IP addresses would be an extreme measure. It's only going to work for blocking those countries; if it comes from elsewhere, well, it will still happen.

    As I mentioned, I know of some companies that do this.

    The problem with PHP solutions for doing the hard work and processing is that it's more server intensive, it requires more resources. If you could do this at the server level then it would be much more efficient and would help with the load somewhat.

    Take care.

  • slife
    • Site Builder, Child of Zeus

    Hi lol,

    Decura gave you a good way to prevent attacks with the "wordfence plugin".
    This plugin is very helpful, especially to block country IPs or login attempts, but some of the settings aren't compatible with the super-cache plugin.

    Your hosting provider can do something too; they have processes to prevent attacks like that, and this is the best way. (My hoster is a friend and he did that for me on my server.)

    I'm French too, so if you need some help you can contact me, no problem :wink:

    Good luck !

  • Fullworks
    • The Bug Hunter

    I wrote a fail2ban filter to block any attempt at Admin admin Administrator or Administrator at the firewall for a week, at the very first attempt. I lock them out for a week.

    I block about 1,000 of these pointless script attacks a day.

    They aren't really DOS attacks, they are just password guessers; it takes very little resource to block them.

    If you want my fail2ban filter I'll stick them up somewhere.

  • Decura
    • The Bug Hunter

    @Roibot

    Really!? 1,000 attacks per day? That is a lot. Has it been like this for long?

    In my case it actually acts as a DoS attack, as it makes the site unavailable to the users. However, this probably only applies to a few hosting providers.

    The right term for this sort of thing is a brute force attack. It is simply a method of trial and error - a password guesser as you say. I'm just wondering how effective it is since we keep seeing it. My assumption is that the attacks would stop or at least decrease significantly if they never gained access to any sites.

  • Fullworks
    • The Bug Hunter

    Each IP address gets locked out on the first attempt, so it's 1,000 IP addresses. I must admit that is pretty much the max; a quiet day will be 60 and a normal day about 2-400.

    I have posted my fail2ban conf files here if anyone else is using fail2ban:
    http://badlywired.com/technical-stuff/2013/08/15/using-fail2ban-to-stop-wordpress-attacks-on-administrator/

    Wordfence is great if you don't administer your own servers, but obviously fail2ban is better from a performance point of view, as it is operating at the firewall level and hence not using resources within WordPress to work out who is banned or not.

  • Fullworks
    • The Bug Hunter

    Just to add that the latest version of the fail2ban plugin http://wordpress.org/plugins/wp-fail2ban/

    has a 'blocker' that can hijack specific users (e.g. admin) before any database calls are made, hence reducing impact further, by adding a line like define('WP_FAIL2BAN_BLOCKED_USERS','^admin$'); to your wp-config.

    Of course, setting up the fail2ban service is required for the plugin to have any impact
    (so, for the benefit of others reading this, it isn't a solution that would apply to servers that you don't manage at the operating system level, e.g. shared hosting accounts).

  • Timothy
    • Chief Pigeon

    Sure, brute force was used in one of the posts, but when flooded like this it's often multiple systems that are using your bandwidth and resources to get into your system.

    Their intention might not be to take you offline, but still it carries all the traits of a DDOS attack (hence why I used that term too), with multiple systems, IPs, etc., and can take many sites offline, just as was happening a few months back:

    https://premium.wpmudev.org/blog/security-alert-for-wordpress-users/

    I think that was some 90,000+ IPs.

    What I meant by more resources is: if you had PHP on top of Apache processing all this and checking long lists of IPs, and connecting to MySQL thousands of times, sure, that could use more resources than it just being handled at the server level. There is more software running to process it, more connections to the DB, etc.

    Thanks for sharing ROIBOT, as always it's fantastic to have you here with us! :slight_smile:

  • lol
    • The Incredible Code Injector

    Hi to all,
    Thank you for your feedback and information. This is very interesting.

    The load on my server (despite the number and duration of the attack) was ultimately insignificant.

    It was not a DDoS or other flood but a simple dictionary attack.

    @ Decura: I'll have a look at Wordfence and Better WP Security.

    @ Timothy: You're right for the PHP solution, it cost a lot!
    Interesting link. It says

    It is also recommend to NOT have a username of “admin.”

    But wpscan (a script in python) can find the names of all my users in 21 seconds (I'm willing to write a paper about it if it interests the community).

    @ ROIBOT: I'm already using FAIL2BAN & the plugin for WP; it was what got me out of trouble so easily.
    Have you developed (or helped develop) the plugin? It's really efficient.
    I was a little worried yesterday with the last update of this plugin, but it worked fine.

    @ slife: Salut!
    I am fortunate to be the administrator of my own server (a dedicated server at OVH); I maintain it myself and I wrote my iptables scripts. Again, we must find a balance between protection and accessibility. We need our sites to be accessible!

    Actually, I had already practised this kind of dictionary-based attack with wpscan. On my own sites, with wpscan an attack based on a dictionary containing 200,000 words takes an entire day ...

    Here is the number of recent attempts on my Web sites:

    root@mail:~# zcat /var/log/auth* | grep -c "Authentication failure"
    432017

    Thank you for your comments and feedback.

  • Fullworks
    • The Bug Hunter

    @Decura your question made me check back my logwatches.
    During August it has been quite sporadic, many days at around just 5 attempts on admin, except
    14th Aug = 2031,
    6th = 448,
    5th = 931

    @lol 432017 is a lot, but after how many attempts are you blocking them, and how long are you holding them? If you are blocking after 5 attempts and only holding them in the firewall for 30 minutes, then you can reduce that number by using the .conf I use.

  • lol
    • The Incredible Code Injector

    Hi Roibot,

    I allow 3 attempts before blocking. I have clients...

    At the beginning of the attack, the ban was only for ten minutes. I quickly realized that it wasn't enough: attackers came back after 10 minutes. I decided yesterday night (during the attack) to ban for a day.

    It was well organized; I counted 2491 unique IPs...
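    The tuning questions raised in this thread (how many attempts before a ban, how long to hold the ban, whether names like "admin"/"administrator" should be banned on the very first try) can be checked offline against the log excerpt at the top of the thread. The following is an added example, not code from fail2ban, the wp-fail2ban plugin, or anyone posting here: a small Python model of fail2ban's maxretry / findtime / bantime counting, run over an abridged copy of the quoted log lines. The failregex form in the comment is an assumption derived from the log format shown, and the cron line in the sample is constructed to show that unrelated syslog entries are skipped. Running it shows why a 10-minute bantime lets the IP probing "administrator" come back and be banned again, and how "only two tries" changes which IPs are caught within the window.

```python
"""Model of fail2ban's jail counting over the wp-fail2ban syslog lines quoted
in this thread. Added example, not code from fail2ban or the wp-fail2ban plugin.
The failregex shape is an assumption derived from the log format shown above."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# A fail2ban filter would express the same match as
#   failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
# (assumed form); here <HOST> is the named group "host".
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"wordpress\([^)]*\)\[\d+\]: Authentication failure for (?P<user>\S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_failure(line):
    """Return (timestamp, username, ip) for a matching line, else None."""
    m = FAILREGEX.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # harmless because only differences between timestamps are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("user"), m.group("host")


def simulate_jail(lines, maxretry=3, findtime=600, bantime=600, block_users=()):
    """Replay log lines through fail2ban-style counting.

    maxretry, findtime and bantime mirror the jail settings (seconds).
    block_users are usernames banned on their very first failure, the policy
    described in the thread for "admin"/"administrator".
    Returns the ban events as (ip, username, ban_timestamp), in log order.
    """
    window = timedelta(seconds=findtime)
    hold = timedelta(seconds=bantime)
    history = defaultdict(deque)  # ip -> timestamps of failures still in findtime
    banned = {}                   # ip -> time the ban was applied
    events = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # not a WordPress auth failure; ignored
        ts, user, ip = parsed
        if ip in banned:
            if ts - banned[ip] < hold:
                continue          # still banned: the firewall drops this client
            del banned[ip]        # bantime expired; count this IP afresh
            history[ip].clear()
        recent = history[ip]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()      # older than findtime, no longer counted
        if user in block_users or len(recent) >= maxretry:
            banned[ip] = ts
            events.append((ip, user, ts))
    return events


# Abridged from the log excerpt at the top of the thread, plus one constructed
# cron line to show that unrelated syslog entries are skipped.
SAMPLE_LOG = """\
Aug 15 19:11:52 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 82.144.159.15
Aug 15 19:16:03 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 2.190.77.39
Aug 15 19:16:08 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 2.190.77.39
Aug 15 19:20:00 mail cron[2000]: (root) CMD (run-parts /etc/cron.hourly)
Aug 15 19:29:25 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 180.245.225.192
Aug 15 19:29:45 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 171.5.236.2
Aug 15 19:29:46 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 171.5.236.2
Aug 15 19:29:47 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 171.5.236.2
Aug 15 19:30:43 mail wordpress(karmaweb.biz)[11411]: Authentication failure for karmaweb from 171.5.236.2
Aug 15 19:40:39 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 180.245.225.192
Aug 15 19:42:35 mail wordpress(karmaweb.biz)[11411]: Authentication failure for administrator from 180.245.225.192
""".splitlines()

if __name__ == "__main__":
    settings = {
        "maxretry=3, bantime=10 min": {},
        "maxretry=2 (two tries)": {"maxretry": 2},
        "admin names banned on first try, bantime=10 min":
            {"block_users": {"admin", "administrator"}},
        "admin names banned on first try, bantime=1 day":
            {"block_users": {"admin", "administrator"}, "bantime": 86400},
    }
    for label, kwargs in settings.items():
        print(label)
        for ip, user, ts in simulate_jail(SAMPLE_LOG, **kwargs):
            print(f"  ban {ip:<16} user={user:<14} at {ts:%H:%M:%S}")
```

    With the defaults only 171.5.236.2 is banned (three failures inside findtime); 180.245.225.192 never reaches three failures within a 10-minute window. With maxretry=2 it does, but only at its third line, because its first failure has already aged out of the window. Banning admin-style usernames on the first attempt catches it at once, and with a 10-minute bantime it is banned a second time at 19:40:39, which is the "they came back after 10 minutes" effect; a one-day bantime keeps the first ban in force.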

  • lol
    • The Incredible Code Injector

    Hi ROIBOT,

    You are right, but I use this kind of passwords:

    gYiATplsiUpa\KD!3Ki#

    3 attempts are not enough to guess it... :wink:

    And about the admin account... With WPSCAN I'll find all your users within 30 seconds...
    Give me one of your sites and I'll try right now...

  • lol
    • The Incredible Code Injector

    Hi ROIBOT,
    It's wordprotected, so no public access, no interest...

    It's more interesting here ...

    ...
    [!] The WordPress 'http://*****wired.com/readme.html' file exists
    ...
    [+] Enumerating usernames ...
    [+] We found the following 5 user/s :
        +----+-------------+-------------+
        | Id | Login       | Name        |
        +----+-------------+-------------+
        | 1  | supe*****   | Badly ***** |
        | 4  | s*****      | s*****      |
        | 5  | t****       | t****       |
        | 6  | myblog***** | myblog***** |
        | 7  | gu***       | gu***       |
        +----+-------------+-------------+

    There is no challenge to find the usernames of a wordpress installation.

    This is why I say it does not make sense to change the name of the administrator.
    Security through obscurity is not security.

    Laurent.

  • lol
    • The Incredible Code Injector

    Out of interest, do you know how WPscan finds the user names without brute force (because obviously brute force will get locked out)?

    There is no need for brute force to find the users; it is very smooth.
    On the other hand, cracking passwords is impossible without using brute force, and that's why fail2ban is so great!

  • Joe
    • Design Lord, Child of Thor

    Hi

    Sorry to hear your site is under some pressure.

    I had the same issue a few months ago and have since started using cloudflare.com - there is a free subscription service so you can try it out for free. The free subscription does not cater for SSL or real time reporting.

    Once setup, you can block entire countries very easily. It also includes a CDN service which should help reduce the load on your server.

    Hope this helps,
    Joe

  • lol
    • The Incredible Code Injector

    Hello,

    WPScan simply enumerates usernames for the WordPress site based on user ID numbers.
    I use it myself on all my WP installations.

    I once tried the brute force attack (included in WPScan, dictionary-based) against my own WP; it took more than one day, without success.

    @Joe, Thank you very much, I know now that I can sleep like a baby, my dedicated server is shielded against basic attacks.

    Now ... I would not attempt the devil (not sure you can say it in English ...) and I will continue to methodically check my logs.

    I know I'm not protected against attacks on a larger scale, but I'm not the NSA, nobody should waste time with me ... :wink:

  • Decura
    • The Bug Hunter

    @ROIBOT

    It also makes sense that the number of attacks varies. Around 5 attempts a day sounds like something that I experience most days as well.

    @lol

    I set my ban for 60 minutes, which was effective for most IP addresses. However, a few of them came back after that period. A couple of hours is probably enough.

  • lol
    • The Incredible Code Injector

    Hello,
    @ROIBOT: Done, WordFence made "partially" its work. :wink:

    @Decura: You're right, but I was fed up with last attack. Generally one or two hours is enough.

    This thread is very interesting, I like it! :slight_smile:

  • Decura
    • The Bug Hunter

    @lol

    Yes, very interesting! I would probably not have heard about fail2ban if it was not for this thread. It seems strange that there is not more discussion emphasis on security. I also started a few threads here in the last month to learn more about the relevant matters.

  • Alexander
    • DEV MAN’s Mascot

    Thanks @ROIBOT! Very cool :slight_smile:

    Great discussion going on here. I'm still an advocate of changing the admin username. True it's obfuscation, but it's very easy to implement, and it does slow down brute force attacks.

    My view on security is that you'll never have a perfect system. Especially when you have multiple platforms and are working with software from many developers. But just do whatever you can to not be the lowest hanging fruit. Unless you're being singled out for any reason, hackers are going to take on the easy targets.

    Just implementing a few basic security measures will put you way ahead of the game.

    Best regards,

  • lol
    • The Incredible Code Injector

    Hi ROIBOT,

    Very nice work, and good control of fail2ban regex!
    I'll try it tomorrow morning.

    I think I'll probably mix it with the already existing fail2ban plugin.

    It would be great to share it on wordpress.org!

    @Alexander: This is a war that will never end. We must just never stop jogging! :slight_smile:
    (And it's good to keep a sharp mind!)

  • lol
    • The Incredible Code Injector

    Hello ROIBOT,

    I've just finished testing your plugin; it works (of course).
    I would suggest a rapprochement with the developer of the existing wp-fail2ban plugin; it would be interesting to include your filter in the existing plugin.

    I'll check my logs very carefully, as I don't want to ban non-hazardous IPs.

    Let me explain:
    A few months ago I activated a fail2ban filter on all my FTP servers.

    I realized that all my sites were losing their place in Google ... The explanation was simple: search engines (google "the villain" in particular) have a very bad habit of scanning our servers looking for anonymous FTP...

    My filter did its job very well, but banished google ...
    So I had to add a filter to not ban connections to my FTP server for the "anonymous" user (as there is no possibility to connect with this user on my FTP, no worries!).
