Linode Community Forums
Brute force attack

Linode Forum Index -> General Discussion
Reven



Joined: 21 Jun 2009
Posts: 7

Posted: Fri Jul 24, 2009 6:07 am    Post subject: Brute force attack  

Hi,

Sorry if this is slightly off-topic, couldn't find a better place to ask.

I've got a linode 360 and I saw a strange peak on the graphs a couple of days ago. Nothing major (the linode managed it quite well, performance wise). Then checking the logs I saw that someone had tried to brute force my password for my WordPress installation on one of my sites.

There were over 1200 requests for /blog/wp-login.php over a little less than 15 minutes. Luckily for me, my WordPress engine files don't even reside in that directory... LOL

So the question is: Is it worthwhile reporting this to someone? And if so, can anyone give me some tips as to the best way to do it?

Thanks in advance.
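An added detection example for the kind of log review described in this post (my own code, not from anyone in the thread): it scans combined-format web server access log lines, counts hits to WordPress login endpoints per source IP inside a 15-minute sliding window, and keeps a histogram of the response statuses, so a burst that is all 404s (guessing against a path that does not exist, as happened here) is distinguishable from one that is actually reaching a login form. The log lines, IP addresses, timestamps and the threshold of 50 are constructed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format (Apache/nginx); only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # WordPress endpoints password guessers hit

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])  # path without query

def find_login_bursts(lines, threshold=50, window_s=900):
    """Flag IPs with >= `threshold` login-endpoint hits inside any `window_s`-second sliding
    window (lines in log order). Returns {ip: (peak hits in one window, {status: count})}."""
    recent = defaultdict(deque)                       # ip -> timestamps still inside the window
    statuses = defaultdict(lambda: defaultdict(int))  # ip -> response status histogram
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[2].endswith(LOGIN_PATHS):
            continue                                  # unparsable, or not a login endpoint
        ip, ts, _path, status = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                               # expire hits older than the window
        statuses[ip][status] += 1
        if len(q) >= threshold:
            flagged[ip] = (max(len(q), flagged.get(ip, (0,))[0]), dict(statuses[ip]))
    return flagged

def constructed_sample():
    """Constructed lines (not from the thread): one host POSTs /blog/wp-login.php every 10 s, all 404, plus one real login."""
    base = datetime(2009, 7, 24, 6, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = [f'198.51.100.7 - - [{(base + timedelta(seconds=10 * i)).strftime(fmt)}] '
             f'"POST /blog/wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"' for i in range(60)]
    lines.append(f'192.0.2.10 - - [{(base + timedelta(minutes=11)).strftime(fmt)}] '
                 f'"GET /hidden/wp-login.php?redirect_to=%2F HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    for ip, (hits, by_status) in find_login_bursts(constructed_sample()).items():
        print(f"{ip}: {hits} login-endpoint hits within 15 min, statuses {by_status}")
```

Feed it real lines with `find_login_bursts(open("/var/log/apache2/access.log"))` and lower the threshold to match your traffic; an IP whose histogram is only 404s never found the login form, which is the case to report or block rather than panic over.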
JshWright



Joined: 27 Oct 2008
Posts: 173

Posted: Fri Jul 24, 2009 8:59 am    Post subject:  

Stick the IP address of the attacker into a whois search tool and see if it belongs to anybody who would care.

9 times out of 10 it's a pwned system in the far east somewhere, and there's not really anybody who's going to care about it.

If, however, there is an abuse@xxxxxxx.xxx address in the whois entry, you can try dropping them a line, but in most cases it's unlikely to do any good.

~JW
fos



Joined: 02 Jan 2009
Posts: 101
Location: Texas

Posted: Fri Jul 24, 2009 9:21 am    Post subject:  

If you check your logs, you will probably find that kind of thing happens frequently, to your system as a whole not just your WordPress system. If you don't implement security measures on SSH for example, someone will ultimately figure out your password.

Jeff
unixfool



Joined: 08 Apr 2004
Posts: 92
Location: VA

Posted: Fri Jul 24, 2009 11:53 am    Post subject:  

modsecurity (http://www.modsecurity.org/) will help in keeping the webserver from even processing these requests. I agree with fos though... this happens rather often (although I typically don't see 1200 requests in one attack session; usually it's just 10-20).
Reven



Joined: 21 Jun 2009
Posts: 7

Posted: Sat Jul 25, 2009 5:12 pm    Post subject:  

Thanks guys,

I'm pretty confident with my SSH security (and linode in general): everything is firewalled, and those services running are doing so on non-standard ports. And as I mentioned, even my WordPress install is in a "concealed" folder (i.e. the address is being re-written, so all those queries are returned as 404s).

Yes, I am a bit paranoid. :)

Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.

Thanks for the feedback!
glg



Joined: 09 Jan 2009
Posts: 503

Posted: Sat Jul 25, 2009 10:47 pm    Post subject:  

Reven wrote: Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.

Thanks for the feedback!

You're wasting your time on anything to .ua (or .ru for that matter)
marcus0263



Joined: 21 Jul 2008
Posts: 171
Location: Seattle

Posted: Mon Jul 27, 2009 9:38 am    Post subject:  

glg wrote: Reven wrote: Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.

Thanks for the feedback!

You're wasting your time on anything to .ua (or .ru for that matter)

Yeah, I agree. I've taken a more direct approach: I've blocked the entire countries of China, Russia and Nigeria. That action alone has drastically cut down attacks and spamming attempts.
patagon



Joined: 28 Mar 2009
Posts: 7

Posted: Wed Jul 29, 2009 5:34 pm    Post subject:  

JshWright wrote:
If, however, there is an abuse@xxxxxxx.xxx address in the whois entry, you can try dropping them a line, but in most cases it's unlikely to do any good.

~JW

I've given up on the many attacks from China, but sometimes I get some more deliberate ones from Canada, US, Europe (and of course China), trying to log in through webmin.

I have two questions:

- Is there any additional security that should be considered for webmin?
(I have iptables and sshguard for the brute force guys)

- yet again, is it worth reporting the IP to the ISP?

Thanks

P.S. This reminds me of mosquitoes in the jungle: it is pointless to get annoyed at them, but I would love a ton of DDT here.

P.S.2 marcus0263: nice to be reminded of old Friedrich these days.
mjrich



Joined: 16 Jun 2008
Posts: 151

Posted: Wed Jul 29, 2009 6:10 pm    Post subject:  

If you must run webmin, at least

- run it through SSL only
- block unknown IPs at the webserver (and firewall, if you aren't using it for anything else).
- use a non-standard location.

As for reporting IPs, personally I've never bothered, though YMMV.
freedom_is_chaos



Joined: 12 Sep 2008
Posts: 166

Posted: Thu Jul 30, 2009 12:59 am    Post subject:  

mjrich wrote: - run it through SSL only
- block unknown IPs at the webserver (and firewall, if you aren't using it for anything else).
- use a non-standard location.

- Webmin by default attempts to run in SSL only mode
- This can be easily done using DynDns or no-ip: just put a domain in that resolves to your ISP IP address (this is what I do).
When/if your IP changes, log into DynDns and update your IP to your new one and voilà, you have instant access to Webmin again. Remember to check "resolve hostnames" under the Access module in Webmin Config.
- Better, just change the port in Webmin Config > Ports and Address. Most skiddies will just scan for port 10000 and try to brute force it.
unixfool



Joined: 08 Apr 2004
Posts: 92
Location: VA

Posted: Thu Jul 30, 2009 10:14 am    Post subject:  

mjrich wrote:
As for reporting IPs, personally I've never bothered, though YMMV.

I installed a mynetwatchman (http://mynetwatchman.com/) agent on my linode. What it does is watch the logs for abnormal activity and report it to a mynetwatchman server, which automatically reports it to the responsible NOC or ISP. While some NOCs and ISPs ignore the notices, at least I'm not doing all the legwork... LOL
hoopycat



Joined: 30 Aug 2008
Posts: 1286
Location: Rochester, New York

Posted: Thu Jul 30, 2009 10:24 am    Post subject:  

Ah, I know those notices well from my days on abuse desk. Usually they got mass-resolved in the morning so we could actually work on the tickets that weren't spam. :-)
JshWright



Joined: 27 Oct 2008
Posts: 173

Posted: Fri Jul 31, 2009 9:40 am    Post subject:  

Best way to run webmin is to only listen on localhost, then use an SSH SOCKS tunnel to access it. That way they have to break SSH before they can get at webmin.

~JW
rss245x



Joined: 16 May 2009
Posts: 24

Posted: Fri Aug 07, 2009 2:51 pm    Post subject: I found that dropping log entries with date and time  

As mentioned earlier, I found that for the most part, if you are diligent, most ISPs want to disable abuse-causing IPs as soon as possible.

I have sent such emails to such places as Korea, Iran and Estonia, and I translate the language as best I can with Babelfish, along with the time zone of my server, IP addresses and IP address entries, as well as WHOIS information that proves the IP is owned by the entity in the associated WHOIS information. This has been pretty effective so far, FYI. Only the dumb American companies like Verizon.net pooh-poohed the requests. Again, that is probably why our economy is now tumbling. That awful American give-up attitude. It's too much trouble, etc...
JshWright



Joined: 27 Oct 2008
Posts: 173

Posted: Sat Aug 08, 2009 11:35 am    Post subject:  

That's odd... the only useful responses I've gotten to abuse reports have been from American ISPs.

I wonder why your experience has been so different from mine... hmmm...
~JW