WebFaction

I'm setting up a new site on WebFaction, but having a pretty heavy load of login abuse traffic:

46.165.211.194 - - [19/Dec/2013:23:25:35 +0000] "GET /wp-login.php HTTP/1.0" 404 8012 "-" "-"
46.165.211.194 - - [19/Dec/2013:23:25:35 +0000] "GET /static/wp-login.php HTTP/1.0" 404 162 "-" "-"
46.165.211.194 - - [19/Dec/2013:23:25:36 +0000] "GET /recycle/wp-login.php HTTP/1.0" 200 29695 "-" "-"
46.165.211.194 - - [19/Dec/2013:23:25:38 +0000] "GET /junkmail/wp-login.php HTTP/1.0" 200 80409 "-" "-"
46.165.211.194 - - [19/Dec/2013:23:25:39 +0000] "GET /admin/login.php HTTP/1.0" 200 29683 "-" "-"
46.165.211.194 - - [19/Dec/2013:23:25:40 +0000] "GET /765/The-Consumer-Recycling-Guide-USAfeeds/tiles/wp-login.php

Is there a tool I can use to block traffic from any IP address that has hit wp-login.php (or admin/login, or administrator/login.php, etc.) a dozen times in the last week? Note I do not run WordPress on the site (site is obviously.com).

asked 23 Dec '13, 18:26

brycenesbitt

edited 26 Dec '13, 23:30

I think there are a few good WordPress security plugins for this.

(12 Jan '14, 04:24) min0taur

Apache cannot perform the logic by itself, but you could write a script which runs in cron and scans the front-end access log file (~/logs/frontend/access_<sitename>): first filtering for the URI, then extracting all the IPs, then counting how many times each one exists, and if more than a given number, adding an .htaccess rule which blocks that IP, and maybe notifying you via e-mail. I found some code snippets which should show the basic concept in Python; with a little debugging you should be able to make it function as you want, and you can also adapt the general logic to most other programming languages.

To scan the log file for the URI, use the regular expression library's search function.

To scan the log file for all IP addresses, see this thread on Stack Overflow: Finding a new IP in a file

To append to .htaccess,

To send a notice via e-mail


answered 23 Dec '13, 21:13

johns

edited 23 Dec '13, 21:18
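The pipeline johns sketches above, worked out in Python as an added example (not code from the answer, from WebFaction, or from the linked snippets): parse combined-format log lines like those in the question, keep only requests for the login endpoints the question names that fall within the last week, count them per client IP, and emit `Deny from` lines for IPs at or above a dozen hits that are not already present in the existing .htaccess, plus a notice e-mail that is built but not sent. The constructed sample log, the addresses 198.51.100.7 and 203.0.113.9, the threshold of 12 and the Apache 2.2-style `Deny from` syntax (served by mod_access_compat on 2.4) are assumptions; in production the script would read `~/logs/frontend/access_<sitename>` instead of the embedded sample.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# Combined log format, as in the access log quoted in the question.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# Login endpoints named in the question; this site runs none of them, so every hit is a probe.
LOGIN_PROBE = re.compile(r'(?:^|/)(?:wp-login\.php|admin/login\.php|administrator/login\.php)$')


def parse_line(line):
    """Return (ip, timestamp, path) for one log line, or None if it does not parse (e.g. truncated)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    except ValueError:
        return None
    path = m.group('path').split('?', 1)[0]  # drop any query string before matching
    return m.group('ip'), ts, path


def count_probes(lines, now, window=timedelta(days=7)):
    """Count login-probe requests per client IP inside the trailing window."""
    cutoff = now - window
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if ts >= cutoff and LOGIN_PROBE.search(path):
            hits[ip] += 1
    return hits


def offenders(hits, threshold=12):
    """IPs at or above the threshold ("a dozen times in the last week"), busiest first."""
    return [ip for ip, n in hits.most_common() if n >= threshold]


def new_deny_lines(ips, existing_htaccess):
    """Apache 2.2-style 'Deny from' lines for IPs not already blocked in the current .htaccess."""
    already = set(re.findall(r'^\s*Deny from (\S+)', existing_htaccess, re.MULTILINE))
    return [f'Deny from {ip}' for ip in ips if ip not in already]


def notice_message(ips, hits, to_addr, from_addr):
    """Build (but do not send) the e-mail summarising newly blocked IPs."""
    msg = EmailMessage()
    msg['Subject'] = f'{len(ips)} IP(s) blocked for login probing'
    msg['To'] = to_addr
    msg['From'] = from_addr
    msg.set_content('\n'.join(f'{ip}: {hits[ip]} login-probe requests' for ip in ips))
    return msg


# Constructed sample log (not from the question): 13 probes from the first IP inside the window,
# 2 from the second, and 20 from a third that are all older than a week and so must be ignored.
NOW = datetime(2013, 12, 23, 18, 26, tzinfo=timezone.utc)


def _line(ip, when, path, status):
    return f'{ip} - - [{when:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.0" {status} 8012 "-" "-"'


SAMPLE_LOG = (
    [_line('46.165.211.194', NOW - timedelta(days=3, minutes=i), '/recycle/wp-login.php', 200) for i in range(13)]
    + [_line('198.51.100.7', NOW - timedelta(hours=1, minutes=i), '/admin/login.php?x=1', 404) for i in range(2)]
    + [_line('203.0.113.9', NOW - timedelta(days=9, minutes=i), '/wp-login.php', 404) for i in range(20)]
    + [_line('198.51.100.7', NOW - timedelta(hours=2), '/index.html', 200)]  # ordinary page view, ignored
)


def run(lines=SAMPLE_LOG, now=NOW, existing_htaccess='Deny from 203.0.113.9\n', threshold=12):
    """One cron pass: returns (offending IPs, .htaccess lines to append, per-IP hit counts)."""
    hits = count_probes(lines, now)
    bad = offenders(hits, threshold)
    return bad, new_deny_lines(bad, existing_htaccess), hits


if __name__ == '__main__':
    bad, deny, hits = run()
    print('\n'.join(deny))
    print(notice_message(bad, hits, 'you@example.com', 'cron@example.com'))
```

Lines that do not parse (such as the truncated last line in the question's excerpt) are skipped rather than counted, and the window check means a scanner that was active two weeks ago does not keep getting re-blocked on every run; appending only the lines `new_deny_lines` returns keeps the .htaccess from filling with duplicates.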

You could also simply password protect the admin directory with .htaccess. That should keep the bots out. There is a WordPress extension that provides that functionality without requiring you to create another account. It simply gives you the id and a password hint in the text of the log-in box. Bots don't read that, people can. Once past that, you still have to log into WP. A WP site I manage at another host started making that a requirement for anybody that had a support issue related to WordPress hacks. It seems to work just fine.


answered 26 Dec '13, 13:42

chrisod

Mostly I don't want the bots skewing my stats: and they often crawl a lot of the site.

(27 Dec '13, 00:30) brycenesbitt

I found http://www.fail2ban.org/ to be exactly on target. Though by default it requires root access.

Note that some malicious bots will hit the server thousands of times, but the more subtle ones may make only a few select GET requests to potential soft spots. By the time you block them, they're gone.


answered 26 Dec '13, 23:32

brycenesbitt

edited 26 Dec '13, 23:33

It seems that will not work due to it needing root. Have you attempted any of the suggestions John had mentioned above?

(27 Dec '13, 00:15) NickR ♦♦

fail2ban can run without root also. I found it awkward for my needs, as much trouble to set up as it would take to write a first pass of a custom script.

(31 Dec '13, 11:26) brycenesbitt