Perishable Press

Protect Against Brute-force/Proxy Login Attacks

[ Solomon Grundy of the Legion of Doom ] For the past week, I’ve been monitoring activity from a set of IP addresses involved with brute-force login attacks. Brute-force login attacks involve systematic guessing of passwords using various common usernames such as “admin” and “username”. So for example, an attack will target an array of sites, use “admin” as the username, and then make numerous attempts at “guessing” your password. And to obfuscate their malicious activity, the attack is executed from multiple IP addresses, either via proxy or possibly a botnet.

There are some good plugins and scripts that protect your login page against brute-force attacks, but some of them do so by blocking the attacker’s IP address. For example, if someone or something makes 10 unsuccessful login requests, a login-protection script may automatically block the associated IP address and thwart the attack. So by using multiple IPs, the attacker increases the number of “undetected” login attempts and decreases the likelihood of getting blocked.

Best protection against bruteforce attacks

The best protection of course is to choose strong passwords and change them regularly. With strong passwords, the chance of a successful brute-force login-attack decreases to virtually zero. And, if you’re heavily targeted (or just paranoid), additional measures may be taken to protect against login attacks. Setting up secondary HTTP password protection is an excellent way to further lock things down. Either of these strategies should protect your site against brute-force attacks, but we can do even more with a bit of .htaccess.

Specific protection for a recent bruteforce/proxy threat

Most brute-force login attacks target a general collection of websites, using common usernames such as the dreaded “admin”. For example, I’ve been monitoring a recent wave of brute-force/proxy login attacks targeting a variety of different sites. By using “admin” as the username, they’re not even in the ballpark, so it’s most likely not a specifically targeted attack.

Scanning the server logs, I’m seeing an increase in the number of failed login attempts for an array of sites. Someone’s trying to get in, and they’re using multiple IPs to make the requests. At first I wasn’t sure how many different IPs were involved, but there were literally so many requests that I began noticing a pattern of similar IPs. So I began logging the different IPs associated with this recent wave of brute-force login attacks.

After two weeks of enduring and monitoring the attacks, the botnet appears to consist of the IP addresses listed in the .htaccess snippet below.


Each of these IPs continues to attempt brute-force login attacks, and may be blocked with the following slice of .htaccess:

# 2012 bruteforce botnet
<limit GET POST PUT>
	Order Allow,Deny
	Allow from all
	Deny from 2.112.195.83
	Deny from 24.37.22.114
	Deny from 24.199.189.66
	Deny from 37.153.192.49
	Deny from 64.61.155.42
	Deny from 78.32.129.58
	Deny from 79.39.183.124
	Deny from 80.35.16.63
	Deny from 83.70.178.60
	Deny from 90.182.73.81
	Deny from 94.113.137.129
	Deny from 145.253.122.66
	Deny from 131.109.59.90
	Deny from 151.8.12.213
	Deny from 188.13.39.226
	Deny from 188.219.193.186
	Deny from 212.121.116.65
	Deny from 212.183.165.15
	Deny from 217.7.249.243
	Deny from 217.111.161.229
	Deny from 217.128.175.91
</limit>

When placed in the .htaccess file in either the root directory or the directory housing your login page(s), this tasty slab of Deny directives will block this recent bruteforce proxy or botnet from even accessing your pages. It’s entirely plug-n-play — no editing required. Just remember to remove this “mini-blacklist” at some point in the future, as IPs and malicious activity tend to change over time.
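As an added example (not code from the article), the following Python script shows why the per-IP lockout described earlier misses a distributed attack, and renders the same Deny block shape from whichever IPs you decide to list. It assumes Apache combined-format logs and that WordPress answers a failed login POST with 200 and a successful one with a 302; the log lines are constructed, reusing four of the article's IPs plus a documentation address for a legitimate user.

```python
import re
from collections import Counter
# Constructed Apache combined-log sample (not taken from the article's server).
# Four of the article's botnet IPs make three failed logins each; 192.0.2.10 (a
# documentation address standing in for a real user) mistypes a password once.
BOTNET = ["2.112.195.83", "24.37.22.114", "64.61.155.42", "80.35.16.63"]
LINE = '{ip} - - [01/Oct/2012:10:{m:02d}:00 +0000] "{req} HTTP/1.1" {status} 3452 "-" "Mozilla/5.0"'
SAMPLE_LOG = "\n".join(
    [LINE.format(ip=ip, m=m, req="POST /wp-login.php", status=200) for m, ip in enumerate(BOTNET * 3)]
    + [LINE.format(ip="192.0.2.10", m=30, req="POST /wp-login.php", status=200),
       LINE.format(ip="192.0.2.10", m=31, req="POST /wp-login.php", status=302),
       LINE.format(ip="2.112.195.83", m=32, req="GET /wp-login.php", status=200)])
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
def failed_login_ips(log_text):
    """Client IP of every failed login, in log order. Assumption: WordPress answers a
    rejected POST to wp-login.php with 200 (re-rendered form), a successful one with 302."""
    ips = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            ips.append(ip)
    return ips

def analyze(log_text, per_ip_limit=10, global_limit=10):
    """Per-IP counter (what a typical lockout plugin does) versus a site-wide
    counter that sees the distributed attack as a single event."""
    failures = failed_login_ips(log_text)
    per_ip = Counter(failures)
    return {
        "per_ip": dict(per_ip),
        "blocked_per_ip": sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit),
        "total_failures": len(failures),
        "site_wide_alert": len(failures) >= global_limit,
    }

def htaccess_deny_block(ips, comment="bruteforce botnet"):
    """Render the Deny list in the same shape as the article's .htaccess snippet."""
    lines = [f"# {comment}", "<Limit GET POST PUT>", "\tOrder Allow,Deny", "\tAllow from all"]
    lines += [f"\tDeny from {ip}" for ip in sorted(ips, key=lambda s: tuple(map(int, s.split("."))))]
    lines.append("</Limit>")
    return "\n".join(lines)
if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report)  # per-IP counts stay under 10, yet 13 failures site-wide trip the alert
    print(htaccess_deny_block(ip for ip, n in report["per_ip"].items() if n >= 3))
```

The site-wide counter is what lets you notice the wave at all when each proxy stays below the plugin's threshold; the Deny block is then generated rather than hand-typed.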

Note: If any of these IPs belong to anyone reading this, your machine is either hacked or a proxy server and is being used for malicious intent on the Internets.

About the Author: Jeff Starr = Web Developer. Book Author. Secretly Important.
12 responses
  1. George Serradinho October 2, 2012 @ 8:21 pm

    I have a few WP sites and had to take some serious steps as I installed Login Attempts and some activity plugin and checked the username was 90% ‘admin’ and 10% ‘lmbellclyd’.

    Thanks for the IP addresses.

  2. Michael Clark October 3, 2012 @ 4:48 pm

    The idiots hitting my server are an entirely different set of IP addresses. My wp-login.php is set to automatically add their IP address to the .htaccess.

    • Jeff Starr

      Oh yes, they use milllionz of different IPs no doubt, this was just one example of how to block using some real, recent data. Plugins that block based on individual IPs work fine, but as mentioned allow for more login attempts before actually stopping a particular brute-force attack.

  3. Brad Dalton October 7, 2012 @ 5:45 pm

    I prefer to use the Wordfence plugin which alerts you to repeated login attempts so you can easily block the IPs. No need to add them to your .htaccess.

    This plugin tracks all IP addresses so it’s easy to block any, and it also includes limit login attempts and many other security features.

  4. Having just a personal site with WordPress and another with CodeIgniter, I do the following:

    1. Install ZB Block for PHP sites

    2. Of course, follow good security practices for logins as noted on Jeff’s site here (the “G series”)

    3. Go to ipinfobd and get the IP ranges of any and all countries I want to block and put that in my .htaccess file. I find that helps stop a great many attacks

    4. Check any passwords I generate at GRC for strength

  5. Igor Aleksic November 2, 2012 @ 4:09 am

    Another protection step I was thinking of making is implementing another field as a secondary password, which basically is an 18-character field with a strong password generated by strongpasswordgenerator.com. You won’t be able to remember it, but it will sure not be that easy to hack, plus you will have to save it somewhere and copy-paste it every time you want to log in.

    But talking about WordPress, apart from the G5-G6 techniques discussed here, you can do the following.

    1. Change the admin name to something else
    2. Generate an 18-character password
    3. Lock the admin area to your IP only, or lock the admin and wp-login.php URLs in general, so only when you want to log in do you delete them, and when you finish, write them again… This step may seem a bit of a hassle, but if you want to be secure you’ll do it.

  6. Alok Tiwari January 10, 2013 @ 12:38 am

    Please update your list with these IPs, so at least others can be updated. These IPs are involved in brute-force attacks on my server. I had blocked them. Others are recommended to block these IPs to safeguard their WordPress-based installations. All of these IPs tried to penetrate using the admin username. Not having an admin username is a good idea. But completely blocking junk traffic is a wise idea. Hope this helps.


  7. Alok Tiwari I don’t know about brute-force attacks, but I can tell you every one of those IPs except one are big hitters on the Stop Forum Spam database as well.

    In addition to Jeff’s block list I also compare IPs against the SFS block list.

  8. I usually ban those IPs using the “Better WP Security” plugin, setting a longer time stamp.

    Can I depend on this, or should I also put those IPs in .htaccess?

  9. Shahran Profector April 4, 2013 @ 8:56 pm

    Deny from 188.143.232
    Deny from 190.220.229
    Deny from 66.85.162
    Deny from 89.233.216
    Deny from 78.154.105
    Deny from 89.233.216
    Deny from 173.38.155

    Trouble is they are not complete IP’s, and maybe some who are not bad, will get blocked :(
