Keith I Myers – 2015-12-28 11:11:16-0500 – Updated: 2015-12-28 11:11:16-0500Someone is really trying to get on my nerve by slowly brute forcing my website slowly and from multiple IP addresses. They are hitting my site every 2-5 minutes from a different IP address.
While this is not a very effective way to attack a site as it would take decades to do a basic dictionary attack using the most 5,000 used passwords. It is annoying as I have some extensive alerting systems setup.
I have had to resort to a few strange resorts to stop this user. I am not worried about this person gaining access to my site but am just starting to get annoyed.
Without going into too many details, I have multiple layers of security setup on my website to prevent unauthorized access including 2 factor authentication, strong/complex and long passwords that you will not find in a dictionary and perform updates to WordPress/Plugins within hours of the plugins being released.
Someone is really trying to get on my nerve by slowly brute forcing my website slowly and from multiple IP addresses. They are hitting my site every 2-5 minutes from a different IP address.While this is not a very effective way to attack a site as it would take decades to do a basic dictionary attack using the most 5,000 used passwords. It is annoying as I have some extensive alerting systems setup.I have had to resort to a few strange
Shared with: Public, Keith I Myers, Robert Hamilton, Joel Solomon+1’d by: Adam Outler, Chris Radtke, Joseph Cappellino, Kienan Vella, Darko Vršič, Christopher Rios, S BRobert Hamilton – 2015-12-28 11:57:32-0500So I should stop trying “Password123”?Keith I Myers – 2015-12-28 12:10:23-0500+Robert Hamilton – It should be 1234Joel Solomon – 2015-12-28 13:05:15-0500+Keith I Myers that’s what an idiot used for their luggage combinationKeith I Myers – 2015-12-28 13:07:15-0500Liar +Joel Solomon – I distinctly remember using 6969 to get into your suitcase last timeAdam Outler – 2015-12-29 00:07:44-0500That last one was me 😀Tyson C – 2015-12-29 01:00:11-0500So why not save yourself the hassle of even getting attacked by renaming the login page. Problem solved, then you just get 404 errors in your logs, or you could 301 redirect them to www.fbi.gov if they hit that page.Keith I Myers – 2015-12-29 01:10:23-0500I am not a huge fan of “security through obscurity” and have taken several other precautions to prevent attacks. Not only do I have 2 Factor Authentication, Login Alerts, Insanely Strong Passwords and a few other tricks that need to be bypassed such as all logins from my account can only be done through a few whitelisted ip addresses. I also reset the WP salts weekly and change my passwords (for all sites) at least every 90-120 days.
This person was not even close to getting in, I was never worried about that. I was just getting annoyed because of my proactive logging.
Most WordPress attacks are not even done via brute force logins rather exploiting a badly coded plugin so renaming the login page is not super effective. It is also fairly trivial to find the login page. Renaming things can also break a few things that I use for external management features.Adam Outler – 2015-12-29 10:08:18-0500There’s no shame in adding security by obscurity. It’s just a security customization. Use apache mod_proxy to redirect requests and mod_rewrite to remove access to the original URL. That way your server software stays stock.
I had over 2000 bots attacking common SSH names every day. I changed my port. Now reviewing logs is much easier without all the bot clutter.Steve Albright – 2015-12-29 11:53:24-0500Just block all from wp-admin in htaccess until you need to login next… Temp fix 🙂Adam Outler – 2015-12-29 12:14:37-0500https://en.m.wikipedia.org/wiki/Defense_in_depth_(computing)