Linode Community Forums
 Post subject: Brute force attack
PostPosted: Fri Jul 24, 2009 7:07 am 
Senior Newbie

Joined: Sun Jun 21, 2009 8:11 am
Posts: 9
Hi,

Sorry if this is slightly off-topic, couldn't find a better place to ask.

I've got a linode 360 and I saw a strange peak on the graphs a couple of days ago. Nothing major (the linode managed it quite well, performance wise). Then checking the logs I saw that someone had tried to brute force my password for my WordPress installation on one of my sites.

There were over 1200 requests for /blog/wp-login.php over a little less than 15 minutes. Luckily for me, my WordPress engine files don't even reside in that directory... LOL

So the question is: Is it worthwhile reporting this to someone? And if so, can anyone give me some tips as to the best way to do it?

Thanks in advance.


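As an added example that is not part of the original thread, a small Python detector for the kind of burst described above: it parses Apache/nginx combined-format access-log lines and reports any client whose hits on the login path reach a threshold inside a sliding 15-minute window, so the spike shows up before you go looking at graphs. The log lines are constructed (documentation-range IPs), and the path suffix, threshold and window are assumed defaults you would tune to your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path.split("?", 1)[0], int(status)

def login_bursts(lines, path_suffix="/wp-login.php", threshold=100, window=timedelta(minutes=15)):
    """Return {ip: peak hits} for clients whose requests to the login path reach
    `threshold` inside any sliding `window`. The status code is ignored on purpose:
    a flood of 404s against a relocated wp-login.php is still a brute-force attempt."""
    recent = defaultdict(deque)  # ip -> timestamps of its login hits still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, _method, path, _status = rec
        if not path.endswith(path_suffix):
            continue
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def constructed_log():
    """Constructed sample, not real traffic: one host POSTs to the login page every 6 s
    for 12 minutes and gets 404s; a legitimate reader fetches the index three times."""
    start = datetime(2009, 7, 22, 3, 10, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req}" {st} 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="203.0.113.5", ts=(start + timedelta(seconds=6 * i)).strftime(TS_FMT),
                        req="POST /blog/wp-login.php HTTP/1.1", st=404) for i in range(120)]
    lines += [fmt.format(ip="198.51.100.7", ts=(start + timedelta(minutes=i)).strftime(TS_FMT),
                         req="GET /blog/index.php HTTP/1.1", st=200) for i in range(3)]
    return lines
```

Feed it `open("/var/log/apache2/access.log")` instead of `constructed_log()` and the returned IPs are the ones worth a whois lookup, as the replies below suggest.
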
PostPosted: Fri Jul 24, 2009 9:59 am
Senior Member

Joined: Mon Oct 27, 2008 10:24 am
Posts: 173
Website: http://www.worshiproot.com
Stick the ip address of the attacker into a whois search tool and see if it belongs to anybody who would care.

9 times out of 10 it's a pwned system in the far east somewhere, and there's not really anybody who's going to care about it.

If, however, there is an abuse@xxxxxxx.xxx address in the whois entry, you can try dropping them a line, but in most cases it's unlikely to do any good.

~JW


PostPosted: Fri Jul 24, 2009 10:21 am
Senior Member

Joined: Fri Jan 02, 2009 10:31 am
Posts: 157
Website: http://greersfos.com
Location: Kansas / Texas
If you check your logs, you will probably find that kind of thing happens frequently, to your system as a whole not just your WordPress system. If you don't implement security measures on SSH for example, someone will ultimately figure out your password.

Jeff

_________________
http://greersfos.com


PostPosted: Fri Jul 24, 2009 12:53 pm
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
modsecurity (http://www.modsecurity.org/) will help in keeping the webserver from even processing these requests. I agree with fos though... this happens rather often (although I typically don't see 1200 requests in one attack session; usually it's just 10-20).


PostPosted: Sat Jul 25, 2009 6:12 pm
Senior Newbie

Joined: Sun Jun 21, 2009 8:11 am
Posts: 9
Thanks guys,

I'm pretty confident with my SSH security (and linode in general): everything is firewalled, and those services running are doing so in non-standard ports. And as I mentioned, even my WordPress install is in a "concealed" folder (i.e. the address is being re-written, so all those queries are returned as 404s).

Yes, I am a bit paranoid. :)

Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.

Thanks for the feedback!


PostPosted: Sat Jul 25, 2009 11:47 pm
Senior Member

Joined: Fri Jan 09, 2009 4:32 pm
Posts: 676
Reven wrote:
Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.

Thanks for the feedback!


You're wasting your time on anything to .ua (or .ru for that matter)


PostPosted: Mon Jul 27, 2009 10:38 am
Senior Member

Joined: Mon Jul 21, 2008 1:26 pm
Posts: 171
Website: http://www.rejecttheherd.net
Location: Seattle
glg wrote:
Reven wrote:
Checked the IP and it is assigned to hosting.ua, so I just gave it a shot and sent them a polite email to their abuse address. Not that the hacker did any harm or that I expect them to do anything about it, but still.

Thanks for the feedback!


You're wasting your time on anything to .ua (or .ru for that matter)

Yeah I agree, I've taken a more direct approach. I've blocked the entire countries of China, Russia and Nigeria. That action alone has drastically cut down attacks and spamming attempts.

_________________
Where "Thought Crime" is committed
http://www.rejecttheherd.net


PostPosted: Wed Jul 29, 2009 6:34 pm
Senior Newbie

Joined: Sat Mar 28, 2009 11:57 am
Posts: 7
JshWright wrote:
If, however, there is an abuse@xxxxxxx.xxx address in the whois entry, you can try dropping them a line, but in most cases it's unlikely to do any good.

~JW


I've given up on the many attacks from China, but sometimes I get some more deliberate ones from Canada, US, Europe (and of course China), trying to log in through webmin.

I have two questions:

- Is there any additional security that should be considered for webmin?
(I have iptables and sshguard for the brute force guys)

- yet again, is it worth reporting the IP to the ISP?

Thanks

P.S. This reminds me of mosquitoes in the jungle; it is pointless to get annoyed at them, but I would love a ton of DDT here.

P.S.2 marcus0263: nice to be reminded of old Friedrich these days.


PostPosted: Wed Jul 29, 2009 7:10 pm
Senior Member

Joined: Mon Jun 16, 2008 6:33 pm
Posts: 151
If you must run webmin, at least

- run it through SSL only
- block unknown IPs at the webserver (and firewall, if you aren't using it for anything else).
- use a non standard location.

As for reporting IPs, personally I've never bothered, though YMMV.


PostPosted: Thu Jul 30, 2009 1:59 am
Senior Member

Joined: Fri Sep 12, 2008 3:17 am
Posts: 166
Website: http://independentchaos.com
mjrich wrote:
- run it through SSL only
- block unknown IPs at the webserver (and firewall, if you aren't using it for anything else).
- use a non standard location.


- Webmin by default attempts to run in SSL-only mode.
- This can be easily done using DynDns or No-IP: just put in a domain that resolves to your ISP IP address (this is what I do).
When/if your IP changes, log into DynDns and update your IP to your new one and voilà, you have instant access to Webmin again. Remember to check "resolve hostnames" under the Access module in Webmin Config.
- Better, just change the port in Webmin Config > Ports and Addresses. Most skiddies will just scan for port 10000 and try to brute force it.

_________________
If it ain't broke, you didn't tweak it enough. If it is broke, use more duct tape.
http://independentchaos.com


PostPosted: Thu Jul 30, 2009 11:14 am
Senior Member

Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
mjrich wrote:
As for reporting IPs, personally I've never bothered, though YMMV.


I installed a mynetwatchman (http://mynetwatchman.com/) agent on my linode. What it does is watch the logs for abnormal activity and report it to a mynetwatchman server, which automatically reports it to the responsible NOC or ISP. While some NOCs and ISPs ignore the notices, at least I'm not doing all the legwork... LOL


PostPosted: Thu Jul 30, 2009 11:24 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Ah, I know those notices well from my days on abuse desk. Usually they got mass-resolved in the morning so we could actually work on the tickets that weren't spam. :-)


PostPosted: Fri Jul 31, 2009 10:40 am
Senior Member

Joined: Mon Oct 27, 2008 10:24 am
Posts: 173
Website: http://www.worshiproot.com
Best way to run webmin is to only listen on localhost, then use an SSH SOCKS tunnel to access it. That way they have to break SSH before they can get at webmin.

~JW


PostPosted: Fri Aug 07, 2009 3:51 pm
Junior Member

Joined: Sat May 16, 2009 1:34 am
Posts: 24
Website: http://www.ddsc.com
As mentioned earlier, I found that for the most part, if you are diligent, most ISPs want to disable abuse-causing IPs as soon as possible.

I have sent such emails to such places as Korea, Iran and Estonia, and I translate the language as best I can with Babelfish, along with the time zone of my server, IP addresses and IP address entries, as well as whois information that proves the IP is owned by the entity in the associated whois record. This has been pretty effective so far, FYI. Only the dumb American companies like Verizon.net pooh-poohed the requests. Again, that is probably why our economy is now tumbling. That awful American give-up attitude. It's too much trouble, etc...

_________________
Q.E.D

Rob


PostPosted: Sat Aug 08, 2009 12:35 pm
Senior Member

Joined: Mon Oct 27, 2008 10:24 am
Posts: 173
Website: http://www.worshiproot.com
That's odd... the only useful responses I've gotten to abuse reports have been from American ISPs.

I wonder why your experience has been so different from mine... hmmm...


~JW

