Ticket #887 (new maintenance)

Opened 12 months ago

Last modified 12 months ago

Lots of failed logins on conference15.transitionnetwork.org

Reported by: sam
Owned by: ade
Priority: minor
Milestone: Maintenance
Component: Parrot server
Keywords:
Cc: chris
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 0.15

Description

Hi all

Overnight I had 150 notifications of failed login attempts and subsequent IP address bans from the https://en-gb.wordpress.org/plugins/wordfence/ security plugin I installed.

It's coming from multiple IP addresses in multiple countries.

It seems like Wordfence is doing its job and blocking IPs. I only mention it as I'm wondering if it could be related to the recent downtime.

Feel free to close this ticket, just thought it was worth sticking in here.

Thanks

Sam

Change History

comment:1 Changed 12 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.0 to 0.15

There are a *lot* of botnets trying to brute-force WordPress admin accounts...

There is a script, wp-brute-force, on the server which greps the last 500 lines of the access logs for brute-force login attempts. When IPs have more than a handful they can be manually blocked using the ipdrop script, which then logs the action to /root/Changelog, e.g.:

sudo -i
wp-brute-force 
IP addresses accessing wp-login.php more than twice for the last 500 lines of each access.log:
    476 62.210.106.89
ipdrop 62.210.106.89

Adds this to /root/Changelog:

2015-12-04      chris
        *       62.210.106.89 : dropped

I'd very much like to rebuild ParrotServer with a newer version of Debian and the Webarchitects hosting scripts as these support Let's Encrypt, Piwik (adding accounts and installing the wp-piwik plugin automatically), the WordPress stop-xmlrpc-attack plugin and also fail2ban for WordPress and phpMyAdmin, see also ticket:875 and ticket:851.

Last edited 12 months ago by chris
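
The per-IP count described in comment:1, as an added example. This is not the wp-brute-force script on the server, whose source does not appear in this ticket. The function names are hypothetical, the logs are assumed to be in Apache/Nginx "combined" format, and the sample log lines are constructed using documentation-range addresses.

```shell
#!/bin/sh
# Added example, NOT the server's wp-brute-force script.
# Assumption: "combined" access log format, client IP in field 1 and
# request path in field 7.

# count_wp_login_hits LINES THRESHOLD LOGFILE...
# Prints "count ip" for every IP that requested wp-login.php more than
# THRESHOLD times in the last LINES lines of each log, busiest first.
count_wp_login_hits() {
    lines=$1; threshold=$2; shift 2
    for log in "$@"; do
        [ -r "$log" ] || continue      # skip missing or unreadable logs
        tail -n "$lines" "$log"
    done | awk -v min="$threshold" '
        {
            # Test the request path only (query string stripped), so a
            # referrer that merely mentions wp-login.php is not counted.
            split($7, path, "?")
            if (path[1] ~ /\/wp-login\.php$/) hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] > min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# write_sample_log FILE: writes a constructed access log for testing.
write_sample_log() {
    {
        i=0
        while [ "$i" -lt 4 ]; do
            echo '203.0.113.7 - - [04/Dec/2015:02:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"'
            i=$((i + 1))
        done
        echo '198.51.100.23 - - [04/Dec/2015:02:11:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2210 "-" "Mozilla/5.0"'
        echo '198.51.100.23 - - [04/Dec/2015:02:11:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
        echo '192.0.2.10 - - [04/Dec/2015:02:12:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "http://example.org/wp-login.php" "Mozilla/5.0"'
    } > "$1"
}

# Usage on the constructed sample:
#   write_sample_log /tmp/sample.log
#   count_wp_login_hits 500 2 /tmp/sample.log    # -> 4 203.0.113.7
```

The threshold of 2 matches the "more than twice" wording in the script output quoted above, so an address with exactly two requests is not listed.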