1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 4:02 am May 21, 2026

Forum Moderators: phranque

Message Too Old, No Replies

Blacklisting and blocking malicious logins

         

Ronnyy

1:19 pm on Nov 24, 2016 (gmt 0)

10+ Year Member



I'm seeing recently (or maybe it was like that in the past as well but I did not pay attention to it) more and more "attacks" in my drupal logs. What I mean by attacks is:
1) 30 similar attempts at URLs such as www.example.com/privacy&sa=U&ved=0ahUKEwjD4NGkkb_QAhVB9YMKHc-5DeA4MhAWCEMwCA&usg=AFQjCNGXJ-rAtA0CrnaAkM8M0_cZt-RE_Q/components/index.inc.php
2) 30 attempts to log in as admin and trying various passwords
3) very many attempts to log-in as another user...

I can see the ip where these trials are coming from. I have checked on google with a reverse dns and then tried to see whether the ips are blacklisted with free services such [mxtoolbox.com...]
Some of them are reported as blacklisted by some internet blaklist databases.

I have stopped the new user registration.
I'm also applying relatively fast the drupal security patches

My first question is:
1) Do I need to worry about it?
2) Can I ban these ips? I could ban them in drupal with a module, but I could also ban it via cPanel, so that they do not reach my domain at all

My question to you is how do you handle such cases? I'm using drupal, but I'm sure it's the same for any website out there whichever technology it might use

Many thanks for sharing your epxeriences

topr8

2:16 pm on Nov 24, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



i don't use drupal, but we automatically lockout a user after 3 failed login attempts within a certain timeframe.
... this may not be suitable for some sites but works for us.

also we only allow 'admin' access to users who have a fixed ip address and that ip is hard coded into the db,
again this suits us but perhaps wouldn't suit all applications.

graeme_p

2:27 pm on Nov 24, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Two other things you can do:

- move the admin and/or login URLs. I have done this with both Django and Wordpress based sites. Trivially easy for the former, and there are plugins for the latter.

- provide a honeypot login form on commonly attacked paths like /wp-admin, /admin and so on.

martinibuster

2:37 pm on Nov 24, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Hacker activity picks up every year prior to the Xmas season. Let me guess... Ukrainian IP addys?

I think it's organized crime from eastern europe.

martinibuster

11:21 pm on Nov 24, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Yes, you should worry about these attacks.

No, you can't really ban the IP addys because they'll just cycle through a list of thousands of other IPs until they find one that's not blocked. I'm saying that from personal experience defending against those kinds of hackers. They're bots.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. WebmasterWorld / Webmaster General 4:02 am May 21, 2026