


Blacklisting and blocking malicious logins

1:19 pm on Nov 24, 2016 (gmt 0)

New User

joined:June 16, 2015
posts: 32
votes: 3


I'm seeing recently (or maybe it was like that in the past as well but I did not pay attention to it) more and more "attacks" in my Drupal logs. What I mean by attacks is:
1) 30 similar attempts at URLs such as www.example.com/privacy&sa=U&ved=0ahUKEwjD4NGkkb_QAhVB9YMKHc-5DeA4MhAWCEMwCA&usg=AFQjCNGXJ-rAtA0CrnaAkM8M0_cZt-RE_Q/components/index.inc.php
2) 30 attempts to log in as admin and trying various passwords
3) very many attempts to log in as another user...

I can see the IPs where these trials are coming from. I have checked on Google with a reverse DNS and then tried to see whether the IPs are blacklisted with free services such as [mxtoolbox.com...]
Some of them are reported as blacklisted by some internet blacklist databases.

I have stopped the new user registration.
I'm also applying the Drupal security patches relatively fast.

My first question is:
1) Do I need to worry about it?
2) Can I ban these IPs? I could ban them in Drupal with a module, but I could also ban them via cPanel, so that they do not reach my domain at all

My question to you is how do you handle such cases? I'm using Drupal, but I'm sure it's the same for any website out there, whichever technology it might use.

Many thanks for sharing your experiences
2:16 pm on Nov 24, 2016 (gmt 0)

Senior Member

topr8 (Top Contributor of All Time, 10+ Year Member, Top Contributor of the Month)

joined:Apr 19, 2002
posts:3440
votes: 65


I don't use Drupal, but we automatically lock out a user after 3 failed login attempts within a certain timeframe.
... this may not be suitable for some sites but works for us.

Also, we only allow 'admin' access to users who have a fixed IP address, and that IP is hard coded into the DB;
again, this suits us but perhaps wouldn't suit all applications.
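The two controls described in the post above, as an added example in Python (not code from the thread or from any of the platforms mentioned): an account is locked after three failed attempts inside a sliding window, and the 'admin' account is accepted only from fixed source addresses held in an allowlist. The window length, lockout duration and the allowlist address are assumptions chosen for illustration.

```python
"""Added example, not code from the thread: a login guard that locks an account
after three failed attempts inside a sliding window and accepts 'admin' logins
only from fixed source addresses. Thresholds, window, lockout time and the
allowlist entry are assumptions."""
from collections import defaultdict, deque
import ipaddress
import time

MAX_FAILURES = 3          # failures allowed inside the window before lockout
WINDOW_SECONDS = 600      # sliding window of 10 minutes (assumption)
LOCKOUT_SECONDS = 900     # how long the account stays locked (assumption)

# Constructed allowlist: accounts listed here may log in only from these networks.
ADMIN_ALLOWLIST = {"admin": [ipaddress.ip_network("203.0.113.10/32")]}


class LoginGuard:
    def __init__(self, clock=time.time):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> unix time the lock expires
        self.clock = clock                   # injectable so tests can control time

    def _prune(self, user, now):
        """Drop failures that have fallen out of the sliding window."""
        q = self.failures[user]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[user]   # lock has expired
            return False
        return True

    def ip_allowed(self, user, source_ip):
        nets = ADMIN_ALLOWLIST.get(user)
        if nets is None:
            return True    # ordinary accounts are not IP-restricted
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in nets)

    def attempt(self, user, source_ip, password_ok):
        """Decide whether a login attempt is allowed. The caller verifies the
        password and passes the outcome in; the guard enforces the IP
        restriction, counts failures and applies the lockout.
        Returns (allowed, reason)."""
        now = self.clock()
        if not self.ip_allowed(user, source_ip):
            return False, "ip_not_allowed"
        if self.is_locked(user):
            return False, "locked"          # even a correct password is refused
        if password_ok:
            self.failures[user].clear()
            return True, "ok"
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user].clear()
            return False, "locked"
        return False, "bad_password"
```

The IP restriction is checked before anything else, so a guess for 'admin' from an address outside the allowlist never reaches the password check and never counts against the account. A per-account lockout on its own can be triggered on purpose against a legitimate user by anyone who knows the username, which is the reason for the post's "may not be suitable for some sites" caveat; a short lockout window limits that effect.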
2:27 pm on Nov 24, 2016 (gmt 0)

Senior Member from GB 

10+ Year Member, Top Contributor of the Month

joined:Nov 16, 2005
posts:2856
votes: 155


Two other things you can do:

- move the admin and/or login URLs. I have done this with both Django and WordPress based sites. Trivially easy for the former, and there are plugins for the latter.

- provide a honeypot login form on commonly attacked paths like /wp-admin, /admin and so on.
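Both suggestions from the post above in one added example (Python, not code from the thread or from Django/WordPress): a small WSGI application serves the genuine login form at a relocated path and a decoy form on the commonly probed paths the post names; whatever is POSTed to a decoy is never valid, and the source address and attempted username are recorded so repeat offenders can be blocked at the firewall or in cPanel. The decoy paths, the relocated URL and the in-memory sink are assumptions.

```python
"""Added example, not code from the thread: decoy (honeypot) login forms on
well-known admin paths plus a relocated real login. Paths, the relocated URL
and the in-memory sink are assumptions."""
import io
from urllib.parse import parse_qs

DECOY_PATHS = {"/wp-admin", "/wp-login.php", "/admin"}   # decoys on well-known paths
REAL_LOGIN_PATH = "/manage-x7q2/login"                  # assumed relocated login URL

LOGIN_FORM = (b"<form method='post'><input name='name'>"
              b"<input name='pass' type='password'><button>Log in</button></form>")

honeypot_hits = []   # constructed in-memory sink; a deployment writes to a log or SIEM


def client_ip(environ):
    # Assumption: no reverse proxy in front, so REMOTE_ADDR is the real client.
    return environ.get("REMOTE_ADDR", "unknown")


def read_form(environ):
    size = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(size).decode("utf-8", "replace")
    return parse_qs(body)


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    if path in DECOY_PATHS:
        if method == "POST":
            fields = read_form(environ)
            honeypot_hits.append({
                "ip": client_ip(environ),
                "path": path,
                "user": fields.get("name", [""])[0],   # keep the username, never the password
                "ua": environ.get("HTTP_USER_AGENT", ""),
            })
            # Answer exactly like a failed login so the decoy is indistinguishable.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Login failed"]
        start_response("200 OK", [("Content-Type", "text/html")])
        return [LOGIN_FORM]
    if path == REAL_LOGIN_PATH:
        # The application's genuine login handler runs here; to a visitor the
        # real form and the decoy look the same.
        start_response("200 OK", [("Content-Type", "text/html")])
        return [LOGIN_FORM]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"Not found"]


def repeat_offenders(min_hits=2):
    """Addresses that POSTed to a decoy at least min_hits times: block candidates."""
    counts = {}
    for hit in honeypot_hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


def make_environ(path, method="GET", body=b"", ip="198.51.100.7"):
    """Constructed WSGI environ so the app can be exercised without a server."""
    return {"PATH_INFO": path, "REQUEST_METHOD": method, "REMOTE_ADDR": ip,
            "CONTENT_LENGTH": str(len(body)),
            "CONTENT_TYPE": "application/x-www-form-urlencoded",
            "wsgi.input": io.BytesIO(body), "HTTP_USER_AGENT": "constructed-client"}


def handle(environ):
    """Call app() directly and return (status, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body
```

Only use decoy paths the application does not itself serve: on a Drupal site /admin is the real administration area and /user/login the real login, so a decoy there would break the site, whereas /wp-login.php is a safe decoy on anything that is not WordPress. Recording the attempted username but not the password keeps the honeypot log from becoming a store of other people's credentials.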
2:37 pm on Nov 24, 2016 (gmt 0)

Moderator from US 

martinibuster (Administrator, Top Contributor of All Time, 10+ Year Member, Top Contributor of the Month)

joined:Apr 13, 2002
posts:14872
votes: 478


Hacker activity picks up every year prior to the Xmas season. Let me guess... Ukrainian IP addys?

I think it's organized crime from Eastern Europe.
11:21 pm on Nov 24, 2016 (gmt 0)

Moderator from US 

martinibuster (Administrator, Top Contributor of All Time, 10+ Year Member, Top Contributor of the Month)

joined:Apr 13, 2002
posts:14872
votes: 478


Yes, you should worry about these attacks.

No, you can't really ban the IP addys because they'll just cycle through a list of thousands of other IPs until they find one that's not blocked. I'm saying that from personal experience defending against those kinds of hackers. They're bots.
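The point made above, that a bot cycling through many addresses defeats per-IP bans, is easy to see in the logs. The following added example (Python, not code from the thread or from Drupal) counts failed logins both per source address and per target account over constructed log lines in an assumed key=value format; the same campaign that never trips a per-IP threshold stands out immediately when grouped by account. The log format and the thresholds are assumptions.

```python
"""Added example, not code from the thread: why per-IP blocking misses a
distributed password-guessing campaign. Failed logins are counted per source
IP and per target account over constructed log lines in an assumed
key=value format; thresholds are assumptions."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 30 different addresses each guess 'admin' once, one
# address hammers 'bob' five times, and two ordinary logins succeed.
SAMPLE_LOG = (
    [f"2016-11-24T13:05:{i:02d}Z ip=198.51.100.{i + 1} user=admin result=fail"
     for i in range(30)]
    + [f"2016-11-24T13:06:{i:02d}Z ip=203.0.113.250 user=bob result=fail"
       for i in range(5)]
    + ["2016-11-24T13:07:00Z ip=192.0.2.8 user=carol result=ok",
       "2016-11-24T13:07:30Z ip=192.0.2.9 user=bob result=ok"]
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_failures(lines):
    """Return (failures per IP, failures per user, distinct IPs per user)."""
    per_ip, per_user = Counter(), Counter()
    ips_per_user = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "fail":
            continue                      # successes and garbage do not count
        per_ip[rec["ip"]] += 1
        per_user[rec["user"]] += 1
        ips_per_user[rec["user"]].add(rec["ip"])
    return per_ip, per_user, {u: len(s) for u, s in ips_per_user.items()}


def detect(lines, per_ip_threshold=3, per_user_threshold=5):
    """Addresses worth blocking and accounts under attack, with the number of
    distinct sources so a distributed campaign is visible at a glance."""
    per_ip, per_user, distinct = summarize_failures(lines)
    return {
        "block_ips": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
        "targeted_accounts": {
            u: {"failures": n, "distinct_ips": distinct[u]}
            for u, n in per_user.items() if n >= per_user_threshold
        },
    }


if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(key, value)
```

On this sample the per-IP rule flags only the single clumsy source against 'bob'; the 30 guesses against 'admin' come from 30 addresses, one each, so no IP ever reaches the threshold and an IP ban list would grow forever. Grouping by account shows 30 failures from 30 distinct sources, which is the signature of a distributed bot rather than a user who forgot a password, and is the signal to act on with an account-side control (lockout, fixed-IP restriction or a relocated login) rather than with address bans.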