Ticket #887 (new maintenance)
Lot's of failed logins on conference15.transitionnetwork.org
| Reported by: | sam | Owned by: | ade |
|---|---|---|---|
| Priority: | minor | Milestone: | Maintenance |
| Component: | Parrot server | Keywords: | |
| Cc: | chris | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 0.15 |
Description
Hi all
Overnight I had 150 notifications of failed login attempts and subsequent IP address bans from the https://en-gb.wordpress.org/plugins/wordfence/ security plugin I installed.
It's coming from multiple IP addresses in multiple countries.
It seems like Wordfence is doing it's job and blocking IP's. I only mention it as I'm wondering if it could be related to the recent downtime.
Feel free to close this ticket, just thought it was worth sticking in here.
Thanks
Sam
Change History
Note: See
TracTickets for help on using
tickets.
There are a *lot* of botnets trying to brute-force WordPress admin accounts...
There is a script, wp-brute-force on the server which greps the last 500 lines of the access logs for brute force login attempts, when IP's have more than a handful they can be manually blocked using the drop-ip script, which then logs the action to /root/Changelog, eg:
sudo -i wp-brute-force IP addresses accessing wp-login.php more than twice for the last 500 lines of each access.log: 476 62.210.106.89 ipdrop 62.210.106.89Adds this to /root/Changeloog:
2015-12-04 chris * 62.210.106.89 : droppedI'd very much like to rebuild ParrotServer with a newer version of Debian and the Webarchitects hosting scripts as these support Let's Encrypt, Piwik (adding accounts and installing the wp-piwik plugin automatically), the WordPress stop-xmlrpc-attack plugin and also fail2ban for WordPress and phpMyAdmin, see also ticket:875 and ticket:851.