For the past week, I’ve been monitoring activity from a set of IP addresses involved with brute-force login attacks. Brute-force login attacks involve systematic guessing of passwords using various common usernames such as “admin” and “username”. So for example, an attack will target an array of sites, use “admin” as the username, and then make numerous attempts at “guessing” your password. And to obfuscate their malicious activity, the attack is executed from multiple IP addresses, either via proxy or possibly a botnet.
There are some good plugins and scripts that protect your login page against brute-force attacks, but some of them do so by blocking the attacker’s IP address. For example, if someone or something makes 10 unsuccessful login requests, a login-protection script may automatically block the associated IP address and thwart the attack. So by using multiple IPs, the attacker increases the number of “undetected” login attempts and decreases the likelihood of getting blocked.
Best protection against bruteforce attacks
The best protection of course is to choose strong passwords and change them regularly. With strong passwords, the chance of a successful brute-force login-attack decreases to virtually zero. And, if you’re heavily targeted (or just paranoid), additional measures may be taken to protect against login attacks. Setting up secondary HTTP password protection is an excellent way to further lock things down. Either of these strategies should protect your site against brute-force attacks, but we can do even more with a bit of .htaccess.
Specific protection for a recent bruteforce/proxy threat
Most brute-force login attacks target a general collection of websites, using common usernames such as the dreaded “admin”. For example, I’ve been monitoring a recent wave of brute-force/proxy login attacks targeting a variety of different sites. By using “admin” as the username, they’re not even in the ballpark, so it’s most likely not a specifically targeted attack.
Scanning the server logs, I’m seeing an increase in the number of failed login attempts for an array of sites. Someone’s trying to get in, and they’re using multiple IPs to make the requests. At first I wasn’t sure how many different IPs were involved, but there were literally so many requests that I began noticing a pattern of similar IPs. So I began logging the different IPs associated with this recent wave of brute-force login attacks.
After two weeks enduring and monitoring the attacks, the botnet seems comprised of the following IP addresses:
126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206
Each of these IPs continues to attempt brute-force login attacks, and may be blocked with the following slice of .htaccess:
# 2012 bruteforce botnet <limit GET POST PUT> Order Allow,Deny Allow from all Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 Deny from 126.96.36.199 Deny from 188.8.131.52 Deny from 184.108.40.206 Deny from 220.127.116.11 Deny from 18.104.22.168 Deny from 22.214.171.124 </limit>
When placed in the .htaccess file in either the root directory or the directory housing your login page(s), this tasty slab of
Deny directives will block this recent bruteforce proxy or botnet from even accessing your pages. It’s entirely plug-n-play — no editing required. Just remember to remove this “mini-blacklist” at some point in the future, as IPs and malicious activity tend to change over time.
Note If any of these IPs belong to anyone reading this, your machine is either hacked or a proxy server and is being used for malicious intent on the Internets.