What blacklist are you utilizing to reduce wp-login.php bruteforce & other exploiter bots?

postcd Member
edited April 2019 in General

Around two weeks ago there was some botnet bruteforcing my wp-login.php and xmlrpc.php pages across multiple domains on one Apache web server.
It was many IP subnets, countries. I began manually reporting the IPs on the nice blacklist abuseipdb.com and also to the myip.ms blacklist, but it was too many IPs so I stopped.

Usually I am blocking IPs using mod_security (there is a rule for wp-login.php brute force) and Config Server Firewall. I recommend this combo. But I am thinking if there is some good IP blacklist which I can populate automatically based on the Apache access log or lfd.log? I mean something that I can both automatically contribute to and also use the IPs in my firewall ipset. I am looking for a free blacklist and it should be really accurate so I do not block valid visitors.

Also check this nice page: https://iplists.firehol.org
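The automatic feed the original post asks for (Apache access log in, firewall ipset out) can be built without any third-party list. The script below is an added example written for this thread, not code from the original post or from any of the tools mentioned. It reads combined-format access-log lines, counts POSTs to wp-login.php and xmlrpc.php per source address, flags an address once it sends `threshold` POSTs inside a sliding `window`, skips an operator-defined allowlist, and renders the result as `ipset restore` input with a per-entry timeout so bans expire on their own. The log lines are constructed with documentation-range IPs, and the set name `wp_bruteforce`, the threshold of 10 attempts per 10 minutes and the 24-hour timeout are assumptions to tune for your own traffic.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; only the fields this script needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string before matching
    return m.group("ip"), ts, m.group("method"), path


def find_offenders(lines, threshold=10, window=timedelta(minutes=10), allowlist=()):
    """Map IP -> total login POSTs, for every IP that sent at least `threshold`
    POSTs to wp-login.php or xmlrpc.php inside some `window`-long period.
    Only POSTs count: a visitor reloading the login form issues GETs, and
    WordPress answers a failed login with 200, so the status code alone is not
    a clean signal. Addresses inside `allowlist` networks are never flagged."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed client field, ignore the line
        if any(addr in net for net in allowed):
            continue
        hits[ip].append(ts)
    offenders = {}
    for ip, times in hits.items():
        times.sort()
        # slide a window of `threshold` consecutive attempts over the sorted timestamps
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                offenders[ip] = len(times)
                break
    return offenders


def ipset_restore(offenders, setname="wp_bruteforce", timeout=86400):
    """Render offenders as input for `ipset restore`; each entry expires after `timeout` seconds."""
    out = [f"create {setname} hash:ip timeout {timeout} -exist"]
    for ip in sorted(offenders, key=ipaddress.ip_address):
        out.append(f"add {setname} {ip} timeout {timeout} -exist")
    return "\n".join(out) + "\n"


def sample_log():
    """Constructed sample log (fabricated traffic, documentation-range IPs), not real data."""
    base = datetime(2019, 4, 20, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, secs, method, path, status):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'

    rows = []
    # a bot hammering wp-login.php: 12 POSTs within two minutes
    rows += [line("203.0.113.10", 10 * i, "POST", "/wp-login.php", 200) for i in range(12)]
    # a second bot against xmlrpc.php, but only 3 attempts, below the threshold
    rows += [line("198.51.100.7", 60 * i, "POST", "/xmlrpc.php", 200) for i in range(3)]
    # a real visitor reloading the login form (GET requests are never counted)
    rows += [line("192.0.2.33", 30 * i, "GET", "/wp-login.php", 200) for i in range(15)]
    # the site owner from an allowlisted address: many POSTs, but excluded
    rows += [line("192.0.2.200", 5 * i, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302)
             for i in range(15)]
    # a slow bot: 10 POSTs spread over 90 minutes, never 10 inside one 10-minute window
    rows += [line("203.0.113.99", 600 * i, "POST", "/wp-login.php", 200) for i in range(10)]
    return rows


if __name__ == "__main__":
    found = find_offenders(sample_log(), allowlist=["192.0.2.200/32"])
    print(ipset_restore(found), end="")
```

Run it against a real log with something like `python3 wpban.py < /var/log/apache2/access.log | ipset restore`, with a matching `iptables -I INPUT -m set --match-set wp_bruteforce src -j DROP` rule in place. The `timeout` on each entry answers the "how long does an IP stay banned" question without any cleanup job, and the allowlist is the guard against locking yourself out; tighten or loosen the threshold by watching how many addresses the sample run flags on a normal day before wiring it to the firewall.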

Comments

• vovler Member
    edited April 2019

Disable xmlrpc and, if you are the only WordPress user, only allow your IP to access wp-login.php.

Another solution is to rate limit the login attempts with plugins such as Loginizer and/or add reCAPTCHA to the login page.

If the attacker has access to so many IPs, there is no point in reporting all of them, in my opinion.

• YKM Member

    Mod security?

• imok Member

    Wordfence

• Whitelist your IP on the web server to access wp-login or wp-admin.

• Zerpy Member

    I use the protection offered by LiteSpeed Web Server :)

  • Fail2ban can do the job. You can customize your rules so that they fit your needs.

• Yura Member

Turn WordPress into a static site.

• ma2t Member

    I'm using Bitninja.io for that purpose.

• Francisco Top Host, Host Rep, Veteran

    We simply do a challenge page for our shared users.

    Francisco

• imok Member
    edited April 2019

    Francisco said: We simply do a challenge page for our shared users.

    Would you like to share (in general) how to do that?

• FHR Member, Host Rep
    edited April 2019

    WordFence can protect you very well against brute force attacks.

• Tr33n Member

    ModSecurity + fail2ban

  • @postcd said:
It was many IP subnets, countries. I began manually reporting the IPs on the nice blacklist abuseipdb.com and also to the myip.ms blacklist, but it was too many IPs so I stopped.

    May I ask how many suspicious IP addresses your Apache catches for a day?

postcd said: I am looking for a free blacklist and it should be really accurate so I do not block valid visitors.

    There is no guarantee about this as valid visitors' computers could be part of botnets, too. And you have to decide how long a suspicious IP is staying in the blacklist.

• Not using WordPress.

  • Try using the BBQ plugin
    • Fail2ban on wp-login requests
    • Blocking some IP list from firehol could also help
• Yura Member

    @Letzien said:
    Not using WordPress.

You just triggered a whole bunch of PHP coders. Well done!

• Adam1 Member

Amazing that the admin path is still hard-coded into WordPress; I would have thought it would have been configurable by now.

• Agree, it should be possible to change the default admin path in WP, but the default admin path is easy to honeypot and ban, either temporarily or permanently.

• MikeA Member, Patron Provider

    @imok said:

    Francisco said: We simply do a challenge page for our shared users.

    Would you like to share (in general) how to do that?

Probably ModSecurity rules.

    WordFence is a great plugin.

• Adam1 said: Amazing that the admin path is still hard-coded into WordPress; I would have thought it would have been configurable by now.

Agree. It's been years since WordPress was launched and yet it's still using wp-admin.

• Zerpy Member

    @MikeA said:
Probably ModSecurity rules.

    WordFence is a great plugin.

modsec is fine, but why WordFence? Why handle something in PHP that should be handled at server level? It seems silly to waste PHP resources when you can easily fix it 1 or even 2 levels above.

• eva2000 Veteran

MikeA said: Probably ModSecurity rules.

Might want to keep an eye on these 5 unpatched vulnerabilities in the ModSecurity OWASP CRS which can lead to DDoS attacks against web servers: https://coreruleset.org/20190425/regular-expression-dos-weaknesses-in-crs/

• Lutung Member

    Cloudflare?

Domain/wp-login: "I'm under attack"

  • postcd Member

    @datanoise said:
    Fail2ban can do the job. You can customize your rules so that they fit your needs.

thx, good idea, do you know any free IP blacklists that work with fail2ban and are very accurate so I can block their IPs in the firewall?

    @Francisco said:
    We simply do a challenge page for our shared users.

yes, as 2 users said, I would like to know how to do it if I am not a developer, any tutorial?

    @chihcherng said:
    May I ask how many suspicious IP addresses your Apache catches for a day?

maybe a hundred or a couple of hundred blocked IPs per day? Server overloading is so far not a problem, my aim is to fight against these exploiters by contributing to some good free blacklist.

• Neoon Community Contributor, Veteran

    https://gist.github.com/Ne00n/80bdcb1fabff690404a1f1645041b615

Someone needs to fork it and add more lists.

  • Corey Member

    @Adam1 said:
Amazing that the admin path is still hard-coded into WordPress; I would have thought it would have been configurable by now.

Couldn't you just configure rewrite rules or deny access to that dir and reverse proxy it to something else? All of the major web servers have some ability to do this.
