Protect Against Brute-force/Proxy Login Attacks
For the past week, I’ve been monitoring activity from a set of IP addresses involved with brute-force login attacks. Brute-force login attacks involve systematic guessing of passwords using various common usernames such as “admin” and “username”. So for example, an attack will target an array of sites, use “admin” as the username, and then make numerous attempts at “guessing” your password. And to obfuscate their malicious activity, the attack is executed from multiple IP addresses, either via proxy or possibly a botnet.
There are some good plugins and scripts that protect your login page against brute-force attacks, but some of them do so by blocking the attacker’s IP address. For example, if someone or something makes 10 unsuccessful login requests, a login-protection script may automatically block the associated IP address and thwart the attack. So by using multiple IPs, the attacker increases the number of “undetected” login attempts and decreases the likelihood of getting blocked.
Best protection against brute-force attacks
The best protection of course is to choose strong passwords and change them regularly. With strong passwords, the chance of a successful brute-force login-attack decreases to virtually zero. And, if you’re heavily targeted (or just paranoid), additional measures may be taken to protect against login attacks. Setting up secondary HTTP password protection is an excellent way to further lock things down. Either of these strategies should protect your site against brute-force attacks, but we can do even more with a bit of .htaccess.
Specific protection for a recent brute-force/proxy threat
Most brute-force login attacks target a general collection of websites, using common usernames such as the dreaded “admin”. For example, I’ve been monitoring a recent wave of brute-force/proxy login attacks targeting a variety of different sites. By using “admin” as the username, they’re not even in the ballpark, so it’s most likely not a specifically targeted attack.
Scanning the server logs, I’m seeing an increase in the number of failed login attempts for an array of sites. Someone’s trying to get in, and they’re using multiple IPs to make the requests. At first I wasn’t sure how many different IPs were involved, but there were literally so many requests that I began noticing a pattern of similar IPs. So I began logging the different IPs associated with this recent wave of brute-force login attacks.
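The evasion described above (many IPs, each staying under a per-IP threshold) and the "pattern of similar IPs" seen in the logs can both be made visible with a small log check. This is an added example, not code from the original post: it parses constructed Apache combined-log lines, counts login POSTs per source IP, then folds those counts into /24 networks so a distributed attack that never trips a per-IP limit of 10 still shows up. It assumes WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect.

```python
import re
import ipaddress
from collections import Counter

# Constructed Apache combined-log sample (not from the post): four hosts in one
# /24 each make three login POSTs; an unrelated visitor logs in once and succeeds.
def constructed_log():
    lines = []
    for host in range(10, 14):
        for n in range(3):
            lines.append(f'203.0.113.{host} - - [10/Jan/2012:10:{n:02d}:00 +0000] '
                         f'"POST /wp-login.php HTTP/1.1" 200 3455 "-" "curl/7.21"')
    lines.append('198.51.100.7 - - [10/Jan/2012:10:05:00 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"')
    lines.append('198.51.100.7 - - [10/Jan/2012:10:05:10 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return "\n".join(lines)

# client IP, request line (method, path) and status code of a combined-log entry
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text, login_path="/wp-login.php"):
    """Count login POSTs per source IP.

    Assumption: WordPress re-renders the form with a 200 on a failed login and
    answers a successful one with a 302 redirect, so only 200s are counted.
    """
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3) == login_path and m.group(4) == "200":
            per_ip[m.group(1)] += 1
    return per_ip

def count_by_prefix(per_ip, prefixlen=24):
    """Fold per-IP counts into per-network counts (default: per /24)."""
    per_net = Counter()
    for ip, n in per_ip.items():
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        per_net[str(net)] += n
    return per_net

def over_threshold(counts, threshold=10):
    """Keys whose count meets or exceeds the threshold, sorted."""
    return sorted(k for k, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    per_ip = failed_logins(constructed_log())
    print("per-IP blocks:", over_threshold(per_ip))                      # []
    print("per-/24 blocks:", over_threshold(count_by_prefix(per_ip)))    # ['203.0.113.0/24']
```

Run against a real access log the same way (read the file, pass its text to failed_logins); the per-IP result is what a simple "10 failures per IP" plugin would see, the per-/24 result is what the distributed attack looks like.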
After two weeks of enduring and monitoring the attacks, the botnet seems to consist of the following IP addresses:
Each of these IPs continues to attempt brute-force login attacks, and may be blocked with the following slice of .htaccess:
# 2012 bruteforce botnet
<limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 18.104.22.168
Deny from 22.214.171.124
Deny from 126.96.36.199
Deny from 188.8.131.52
Deny from 184.108.40.206
Deny from 220.127.116.11
Deny from 18.104.22.168
Deny from 22.214.171.124
Deny from 126.96.36.199
Deny from 188.8.131.52
Deny from 184.108.40.206
Deny from 220.127.116.11
Deny from 18.104.22.168
Deny from 22.214.171.124
Deny from 126.96.36.199
Deny from 188.8.131.52
Deny from 184.108.40.206
Deny from 220.127.116.11
Deny from 18.104.22.168
Deny from 22.214.171.124
Deny from 126.96.36.199
</limit>
When placed in the .htaccess file in either the root directory or the directory housing your login page(s), this tasty slab of Deny directives blocks this recent brute-force proxy or botnet from even reaching your pages. It's entirely plug-n-play, no editing required. Just remember to remove this "mini-blacklist" at some point in the future, as IPs and malicious activity tend to change over time.
Note: If any of these IPs belong to anyone reading this, your machine is either hacked or a proxy server and is being used for malicious purposes on the Internets.
I have a few WP sites and had to take some serious steps as I installed Login Attempts and some activity plugin and checked the username was 90% ‘admin’ and 10% ‘lmbellclyd’.
Thanks for the IP addresses.
The idiots hitting my server are an entirely different set of IP addresses. My wp-login.php is set to automatically add their IP address to the .htaccess.
Oh yes, they use milllionz of different IPs no doubt, this was just one example of how to block using some real, recent data. Plugins that block based on individual IPs work fine, but as mentioned allow for more login attempts before actually stopping a particular brute-force attack.
I prefer to use the Wordfence plugin, which alerts you to repeated login attempts so you can easily block the IPs. No need to add them to your .htaccess.
This plugin tracks all IP addresses so it's easy to block any, and it also includes limit login attempts and many security features.
Having just a personal site with WordPress and another with CodeIgniter, I do the following:
1. Install ZB Block for PHP sites
2. Of course follow good security practices for logins as noted on Jeff's site here (the "G series")
3. Go to ipinfobd and get the IP ranges of any and all countries I want to block and put that in my .htaccess file. I find that helps stop a great many attacks
4. Check any passwords I generate at GRC for strength
Another protection step I was thinking of making is implementing another field as a secondary password, which basically is an 18-character field with a strong password generated by strongpasswordgenerator.com. You won't be able to remember it, but it will sure not be that easy to hack, plus you will have to save it somewhere and copy-paste it every time you want to login.
But talking about WordPress, apart from the G5-G6 techniques discussed here, you can do the following.
Excellent tips, Igor! I agree completely, and would add to change passwords often (or as often as possible) :-)
Please update your list with these IPs, so at least others can be updated. These IPs are involved in brute-force attacks on my server. I had blocked them. Others are recommended to block these IPs to safeguard their WordPress-based installations. All of these IPs tried to penetrate using the admin user name. Not having an admin user name is a good idea. But completely blocking junk traffic is a wise idea. Hope this helps.
#Kimsuffi Network hacks are banned
Alok Tiwari, I don't know about brute-force attacks, but I can tell you every one of those IPs except one is a big hitter on the Stop Forum Spam database as well.
In addition to Jeff's block list, I also compare IPs against the SFS block list.
I usually ban those IPs using the "Better WP Security" plugin, setting a longer time stamp.
Can I depend on this, or should I also put those IPs in .htaccess?
Nope, if you’ve got ’em blocked via a plugin, no need to also block via .htaccess :)
Deny from 190.220.229
Deny from 66.85.162
Deny from 89.233.216
Deny from 78.154.105
Deny from 89.233.216
Deny from 173.38.155
Trouble is, they are not complete IPs, and maybe some who are not bad will get blocked :(