Brute force attack
Sorry if this is slightly off-topic, couldn't find a better place to ask.
I've got a linode 360 and I saw a strange peak on the graphs a couple of days ago. Nothing major (the linode managed it quite well, performance wise). Then checking the logs I saw that someone had tried to brute force my password for my WordPress installation on one of my sites.
There were over 1200 requests for /blog/wp-login.php in a little less than 15 minutes. Luckily for me, my WordPress engine files don't even reside in that directory… LOL
So the question is: Is it worthwhile reporting this to someone? And if so, can anyone give me some tips as to the best way to do it?
Thanks in advance.
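One way to spot the kind of burst described above in an access log before the bandwidth graph does it for you. This is an added example, not code from the original post or from anyone in the thread: it parses combined-format log lines, counts requests to the login page per client IP inside a sliding 15-minute window, and flags clients over a threshold. The log lines are constructed here for the demo; the attacker and legitimate addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache/nginx: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def login_bursts(lines, login_path="wp-login.php", threshold=20,
                 window=timedelta(minutes=15)):
    """Return {ip: peak} for every client whose requests to the login page
    reach `threshold` inside any sliding `window`. Status codes are ignored
    on purpose: a guesser hammering a path that 404s is still a guesser."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["path"].endswith(login_path):
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):
            # advance the window start past timestamps older than `window`
            while times[j] < t - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# --- constructed sample traffic (not real log data) -------------------------
T0 = datetime(2010, 3, 10, 14, 1, 0, tzinfo=timezone.utc)


def _burst(ip, start, n, step=1):
    """Build n constructed POSTs to /blog/wp-login.php, `step` seconds apart."""
    return [
        f'{ip} - - [{(start + timedelta(seconds=k * step)).strftime(TS_FMT)}] '
        f'"POST /blog/wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"'
        for k in range(n)
    ]


SAMPLE_LINES = (
    _burst("203.0.113.7", T0, 30)                           # 30 guesses in 30 s
    + _burst("203.0.113.7", T0 + timedelta(minutes=39), 5)  # a later, smaller burst
    + [
        '198.51.100.4 - - [10/Mar/2010:14:02:11 +0000] "GET /blog/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/Mar/2010:14:02:40 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/Mar/2010:14:30:05 +0000] "POST /blog/wp-login.php?redirect_to=%2Fwp-admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [10/Mar/2010:14:55:19 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        'this line is deliberately malformed and must be skipped',
    ]
)


if __name__ == "__main__":
    for ip, peak in login_bursts(SAMPLE_LINES).items():
        print(f"{ip}: {peak} login requests inside one 15-minute window")
```

The legitimate client logs in three times in an hour and never trips the threshold; the guesser is flagged with its peak of 30 even though every one of its requests got a 404. The same function can be pointed at a real log with `open(path)` in place of `SAMPLE_LINES`, and the flagged addresses are what you would feed to a firewall rule or an abuse report.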
14 Replies
9 times out of 10 it's a pwned system in the far east somewhere, and there's not really anybody who's going to care about it.
If, however, there is an abuse@xxxxxxx.xxx address in the whois entry, you can try dropping them a line, but in most cases it's unlikely to do any good.
~JW
Jeff
http://www.modsecurity.org/
I'm pretty confident with my SSH security (and linode in general): everything is firewalled, and those services that are running do so on non-standard ports. And as I mentioned, even my WordPress install is in a "concealed" folder (i.e. the address is being re-written, so all those queries are returned as 404s).
Yes, I am a bit paranoid.
Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.
Thanks for the feedback!
@Reven:
Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.
Thanks for the feedback!
You're wasting your time on anything to .ua (or .ru for that matter)
@glg:
@Reven: Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.
Thanks for the feedback!
You're wasting your time on anything to .ua (or .ru for that matter)
Yeah I agree, I've taken a more direct approach. I've blocked the entire countries of China, Russia and Nigeria. That action alone has drastically cut down attacks and spamming attempts.
@JshWright:
If, however, there is an
abuse@xxxxxxx.xxx address in the whois entry, you can try dropping them a line, but in most cases it's unlikely to do any good.~JW
I've given up on the many attacks from China, but sometimes I get some more deliberate ones from Canada, US, Europe (and of course China), trying to log in through webmin.
I have two questions:
- Is there any additional security that should be considered for webmin?
(I have iptables and sshguard for the brute force guys)
- yet again, is it worth reporting the IP to the ISP?
Thanks
P.S. This reminds me of mosquitoes in the jungle: it is pointless to get annoyed at them, but I would love a ton of DDT here.
P.S.2 marcus0263: nice to be reminded of old Friedrich these days.
run it through SSL only
block unknown IPs at the webserver (and firewall, if you aren't using it for anything else).
use a non standard location.
As for reporting IPs, personally I've never bothered, though YMMV.
@mjrich:
run it through SSL only
block unknown IPs at the webserver (and firewall, if you aren't using it for anything else).
use a non standard location.
Webmin by default attempts to run in SSL-only mode
This can be easily done using DynDns, or no-ip and just put a domain in that resolves to your ISP IP address (this is what I do)
When/If your IP changes, log into DynDns and update your IP to your new one and voilà, you have instant access to Webmin again. Remember to check "resolve hostnames" under the Access module in Webmin Config
- better, just change the port in Webmin Config > Ports and Address. Most skiddies will just scan for port 10000 and try to brute force it.
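The three pieces of Webmin advice in this thread (SSL only, restrict the source addresses, move off port 10000) are all settings in Webmin's miniserv.conf. Below is an added example, not code from the thread or from the Webmin project, that reads a miniserv.conf-style file and reports which of the three are missing. The key names `port`, `ssl` and `allow` are what I believe Webmin writes for these settings, and the `allow=` value syntax (space-separated addresses or networks) is an assumption; the config fragments themselves are constructed for the demo. It also flags hostname entries in `allow=`, which, as the post above notes, only work when hostname resolution is switched on in the Access module.

```python
import ipaddress

# Constructed miniserv.conf fragments (not copied from any real system). The key
# names `port`, `ssl` and `allow` are assumed to match Webmin's miniserv.conf;
# verify against your own install before relying on the checks below.
WEAK_CONF = """\
# default-ish settings: plaintext, well-known port, open to the world
port=10000
listen=10000
ssl=0
"""

HARDENED_CONF = """\
# what the advice in this thread amounts to
port=28443
listen=28443
ssl=1
allow=192.0.2.10 198.51.100.0/24
"""

# A DynDNS-style hostname in allow= (constructed; .invalid never resolves).
DYNDNS_CONF = """\
port=28443
ssl=1
allow=home.example.dyndns.invalid
"""


def parse_miniserv(text):
    """Parse key=value lines; blank lines and # comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if conf.get("ssl") != "1":
        findings.append("ssl: not forced on; passwords would cross the wire in clear text")
    if conf.get("port", "10000") == "10000":
        findings.append("port: default 10000 is the first thing a scanner tries; pick another")
    allow = conf.get("allow", "").split()
    if not allow:
        findings.append("allow: empty; anyone who finds the port can try passwords")
    for entry in allow:
        try:
            ipaddress.ip_network(entry, strict=False)  # accepts 192.0.2.10 and 198.51.100.0/24
        except ValueError:
            findings.append(
                f"allow: '{entry}' is a hostname, not an address; it only works "
                "if 'resolve hostnames' is turned on in Webmin's access settings"
            )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("dyndns", DYNDNS_CONF)):
        print(name, audit(parse_miniserv(text)) or ["ok"])
```

Run against a real file with `audit(parse_miniserv(open("/etc/webmin/miniserv.conf").read()))`. The point of the hostname check is the DynDNS setup described above: the allow entry is only as good as the resolver behind it, so a stale dynamic-DNS record locks you out while a hijacked one lets someone else in.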
@mjrich:
As for reporting IPs, personally I've never bothered, though YMMV.
I installed a mynetwatchman (http://mynetwatchman.com/
~JW
most ISPs want to disable abuse causing IPs as soon as possible
I have sent such emails to such places as Korea, Iran, Estonia and
I translate the language as best I can with Babelfish
Along with the time zone of my server, IP addresses and log entries, as well as whois information that proves the IP is owned by the entity in the associated whois record. This has been pretty effective so far, FYI. Only the dumb American companies like Verizon.net pooh-poohed the requests. Again, that is probably why our economy is now tumbling. That awful American give-up attitude. It's too much trouble, etc…
I wonder why your experience has been so different from mine… hmmm…
~JW