My Site is under heavy brute force attack

Hello,

For past 36 hours my site has been under attack for the username admin. I have changed login page, extended the lockout till 5 hours and made a block whenever anyone tries to login with admin username.

For the first 12 hours, there were less than 5 bans in which IP was not recorded as the site was only banning ip for 15 mins and it gave user 5 chances.

I saw it and didn't get serious but just tightened the security and i got over 40 attacks from different IPs. Each Ip is banned immediately after trying to login with the username but still...

Its really like spamming on me. The site was getting attack continuously 10 times like 11 hours ago and the attacks got slowed for 1 hour one attack.

is there a possible way to block this. I don't mind of the hacker hacking into the 'Admin' username account but getting noticed to this attack is hard. The ips are from different countries and some have sites hosted on it which seems fake and some are adult sites.

Here is a IP List,

195.154.178.51
217.147.85.95
182.160.155.72
193.255.83.100
109.228.18.144
185.28.22.76
72.229.33.46
95.110.145.224
182.160.155.72
37.139.19.122
199.201.88.64
125.212.220.77
95.110.145.224
195.154.178.51
217.160.235.116
141.101.105.219
185.28.22.76
217.147.85.95
207.58.135.162
216.70.90.99
74.208.111.148
92.60.123.168
198.89.122.74
166.78.169.147
213.229.121.124
129.121.182.100
162.42.239.248
93.189.94.143
195.154.117.65
23.253.90.79
37.187.37.199
133.242.22.177
209.148.90.10
82.165.143.210
216.70.107.236

ALL IPS ARE LINKED TO www.ip-adress.com JUST INCASE IF YOU WANT TO CHECK.

I am using Wordpress with IThemes Security.

 

This is why so many word press sites get hacked. Not changing the default admin username.

They will give up eventually

 

In my case admin username doesn't exists but i just created a account with subscriber permission. Anyone trying to login as admin with the right password will be locked out as well, including myself. My super admin user and pass are both randomly generated characters and it will take a person years to find both combination right through brute-force attacks

My problem here is how to ban this ips from getting into the site. they use up my bandwidths

And I posted the ips out as people who can sumbit it to big blacklist sites can sumbit them too

125.212.220.77

One more IP when i was busy posting

 

https://wordpress.org/plugins/ip-address-blocker/ that may help a bit but you should keep in mind these types of things are automated.

I am getting 50 a day from folks trying to break into my VPS. The odd thing is out of 1000's they have yet to even guess a user name so its a complete waste of their time.

I have also been using this for wordpress with 100% success https://wordpress.org/support/plugin/theme-my-login

hope that helps,

Nigel

 

I was just going to post the same plugin URL

 

Heh, its really not hard to lock down wordpress but it seems easier when done out of necessity. Folks don't take action until stuff has been hacked.

Nigel

 

Yup most of them. I had my security weak before this, because I was sure that no one can find combination of both username and password for atleast some years

I will try the plugins

 

We can find that WordPress is mostly used on internet but there is also major possibility that it will get hacked soon. Its compulsory for everybody to keep WordPress updated and this will help them to get protected from attacks. The passwords should be strong enough with combination of several characters and special symbols.

 

There are several WordPress admin brute-force bots going around.

If you are the only person who logins into the admin, block wp-login.php to all but your IP address in htaccess. Replace xxx.xxx.xxx with your IP.

ErrorDocument 403 "403"
<Files ~ "^wp-login.php">
Order allow,deny
Deny from all
Allow from xxx.xxx.xxx 
Satisfy All
</Files>

Code (markup):

If there are reasons you cannot do that -- don't have a dedicated IP, for example -- change the WP admin login URL (search for "rename WordPress login" in WP plugins) and then block access to wp-login.php.

Some of these bots will continue to hit the site for hours on end despite the block, so the ErrorDocument 403 "403" line reduces the resources consumed by the attack to a negligible amount.

 

Mine is dynamic IP. My biggest drawback in every kind of site i own

Thats ok, increased lock out period for ips up to 1440 mins and the ips listed above are blocked forever. less than 2 attacks a day now.

 

You also try to use captcha in login.

 

These WP and joomla brute force attempts have got crazy lately. Ive seen them on many servers. One thing that does work is using some mod security rules, there are a few different ones out there to use, and then setup CSF to ban on mod sec alerts, That will eventually get it cleared up. Amazing how even in this age, just a few ips can kill a server with php executions. You really gotta prepare for it or you will have outages

 

We recommend you disable all security plugins (they read and write to the database heavily) and do the following:

1. Install "Limit Login Attempts" and set it to a low number (2-5 tries before lock out per IP).
2. Temporarily lock out all IP's except yours for wp-login.php
2A. Create a .htaccess file in /wp-admin/ and insert the following.

# Block access to wp-admin.
order deny,allow
allow from x.x.x.x (your IP address here)
deny from all

2. If it's a VPS file a ticket at TransNOC.com/open and we'll help you setup Fail2Ban and/or CSF on your server.
2. Deny requests from those with no valid referrers in htaccess:

# Stop spam attack logins and comments
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.*example.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) httpX://%{REMOTE_ADDR}/$ [R=301,L]
</ifModule>

Change example.com to your domain, and remove X from http.

 

The mod security rules for the wp brute work well. We had a huge problem with this until I set it up. You do a good base ruleset like the comodo waf and then you use csf and make sure you have it to block on like 10 modsec failures

Here is the single rule for the wp brute, put it in a config file and include from httpd.conf

The modsec rules for joomla brute force are in the comodo waf by default.

<IfModule mod_security2.c>
        # This has to be global, cannot exist within a directory or location clause . . .
        SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10011
        <Location /wp-login.php>
                # Setup brute force detection.

                # React if block flag has been set.
                SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

                # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
                SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
                SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
                SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
       </location>
</IfModule>

Code (markup):

 

You must update your word press site regularly. This will help your website to protect from attacks. The password must contain special character so that anyone could not be crack easily.