Ban bruteforce attempts

Hi.

I have a VPS with nginx + php-fpm + WordPress. /wp-login.php receives about 3 POST requests per second. There are 2 issues I'd like to address: server load, which is ~0.70 instead of the usual ~0.10, and user account security.

The attack is distributed. Today:

# grep wp-login /var/log/nginx/site.access.log | sort | awk '{print $1}' | uniq | wc -l
917

Yesterday:

# grep wp-login /var/log/nginx/site.access.log.1 | sort | awk '{print $1}' | uniq | wc -l
2159

While only admins are usually logged in.

Any ideas how to ban these requests?

Comments

  • Not sure how to do it at server level but using reCaptcha seems to keep my login forms safe.

  • If you're using WordPress you can install this plugin:
    http://wordpress.org/plugins/wp-fail2ban/

    This will write WordPress login attempts to auth.log, meaning fail2ban will ban the brute-forcing IPs. (You need to install fail2ban too, of course.)

  • @ditrone said:
    if you're using wordpress you can install this plugin:
    http://wordpress.org/plugins/wp-fail2ban/

    May take a look at that, thanks!

  • WordPress Bullet Proof Security is good too.

  • WordPress Bullet Proof Security uses .htaccess - nginx problem.

  • nocomnocom Member
    edited September 2013

    Simple: http://www.bad-neighborhood.com/login-lockdown.html
    Description:
    Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.

  • bdtechbdtech Member
    edited September 2013

    Throw up an htaccess auth user/pw prompt for wp-login.php. Problem solved, you can even use some simple username and password

  • smansman Member
    edited September 2013

    The most effective and simplest solution to this, imho, is to set up a plugin that adds an additional login delay for each successive wrong attempt.

    I don't use WordPress but I would be surprised if there wasn't a plugin that does this like there is for Drupal.

    I'm not a big fan of fail2ban. Unless you use it every day the filtering is kind of crude, proprietary and a bit tricky to set up. Filtering quite often gets broken after application updates with no errors generated. So I have found attacks end up no longer blocked without my knowledge. I only use it for SSH and sometimes for a couple of other things, but that is because I use that every day so I took the time to get the filtering set up the way I need it.

  • You may also use fail2ban to analyze the webserver log.

    Normal visit to login page leaves
    GET ... 200

    Successful login leaves
    POST ... 302

    Failed login leaves
    POST ... 200
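One way to turn the three log signatures in this comment into a check, as an added example that is not from the thread: a small Python script, assuming nginx's default "combined" log format and using constructed sample lines, that classifies wp-login.php hits and reports which addresses a fail2ban-style maxretry/findtime rule would ban.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" line: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(line):
    """(ip, timestamp, kind) for a wp-login.php hit, else None. Rules from the
    comment above: GET 200 = view, POST 302 = successful login, POST 200 = failed."""
    m = LOG_RE.match(line)
    if not m or m.group("path").split("?")[0] != "/wp-login.php":
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    method, status = m.group("method"), m.group("status")
    kind = {("POST", "200"): "failed", ("POST", "302"): "success"}.get((method, status), "view")
    return m.group("ip"), ts, kind

def offenders(lines, maxretry=3, findtime=300):
    """IPs with >= maxretry failed logins inside any findtime-second window:
    the same two knobs a fail2ban jail uses, so this is what such a jail would ban."""
    fails = defaultdict(list)
    for line in lines:
        rec = classify(line)
        if rec and rec[2] == "failed":
            fails[rec[0]].append(rec[1])
    banned = set()
    for ip, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            window = [t for t in times[i:] if t - start <= timedelta(seconds=findtime)]
            if len(window) >= maxretry:
                banned.add(ip)
                break
    return banned

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE = """\
203.0.113.5 - - [10/Sep/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2013:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Sep/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(offenders(SAMPLE.splitlines()))  # {'203.0.113.5'}
```

The admin's GET plus POST 302 and the single stray failure are left alone; only the address with three POST 200 responses inside the window is reported, which is the same distinction a fail2ban filter matching "POST /wp-login.php" with status 200 would draw.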
