Tech Web Hosts, Server Admins, ISP Owners

[HairyChick]

IMPORTANT

If you have access to your company’s list of domains .... names, not IP .... you may have a compromised account or box.

I get 1-2,000 failed logins on one blog. There are five, yes 5, captcha questions there. Three math, one question and one other I forget. These bots are somehow getting by the captchas or I only get notifications on failed logins.

Today I’ve gotten 1,455 so far. I’ve compiled a list for the past two hours of named domains only. A dozen or so are static but the rest are dynamic IP. I’ll do the IP numbers if people want it. Lots of people, not just one!

I was going to post 101 from today but I don’t want to give the keys to the hackers. If you want the list, I can email it to you.

Several are ns.* boxes, some mail servers and some have over 100 tries. They’re blocked at five attempts so this botnet is big.

Lots of open ports out there. I’m hoping to do this daily in a single thread, but again, security is not to be fucked with.

PM me here with an email address. I’ll send a list, whether once or daily. If this is shown to be helpful, I’ll probably start posting on a password-protected blog. I’ve got a spare domain and since this only text for under one hundred people, the bandwidth should be minimal. Or if popular and one of the administrators would give me space on a box they run, I’ll set up the blog with them.

There isn’t a central place for us to post open servers or accounts. It won’t take me much time to scan emails and post if I do it during the day as well.

My host blocks about one hundred already and I can add those to the list.

If you think this idea sucks, tell me why. I’m open to suggestions but if you’re on ignore, ask another to post for you. This isn’t so you can add to .htaccess but it works. The idea is to get admins to tighten their open holes, so to speak.

I’m off to dream of secure servers, hackers locked out, and webmasters giving a fuck about security. You might think your blog is secure but the server box might not be secure. Your paysites might be open. Why chance it? Free software tells you of hacking attempts; help the industry as a whole be safer and aware. Everyone competes but together we cAn make a change.

*stepping off my glittery starry ladder after throwing sparkles on all* and no, I’m not high, just trippin’ on a good idea.

[Klen]

I solved my security problems by banning Ukraine and Russia Traffic.

[magneto664]

try google "Password Protection with htaccess"
works well all time

[rowan]

If your IP is static, block everything but that from the login page. That's pretty much your problem solved.

If your CAPTCHA is generated by third party software that is popular enough, the bots will already know how to parse and solve it.

Have look into plugins that will block IPs which repeatedly fail logins, or generate multiple 404s from scanning several URIs.

[rowan]

Also, there are central lists of this stuff... for example, https://www.stopforumspam.com/ , which has an API

You can also get raw lists here: FireHOL IP Lists | IP Blacklists | IP Blocklists | IP Reputation

[Google Expert]

Install a firewall on the server and allow connections only from whitelisted IPs.

[Google Expert]

Quote:

Originally Posted by rowan

Also, there are central lists of this stuff... for example, https://www.stopforumspam.com/ , which has an API

You can also get raw lists here: FireHOL IP Lists | IP Blacklists | IP Blocklists | IP Reputation

Also, this: https://www.maxmind.com/en/home

[k0nr4d]

Another useful one - block TOR nodes.
https://www.reaper-x.com/2012/05/15/...che-and-nginx/

[HairyChick]

Quote:

Originally Posted by rowan

If your IP is static, block everything but that from the login page. That's pretty much your problem solved.

If your CAPTCHA is generated by third party software that is popular enough, the bots will already know how to parse and solve it.

Have look into plugins that will block IPs which repeatedly fail logins, or generate multiple 404s from scanning several URIs.

My plugins do block the IP and notify me. Most block for an hour first, then twelve hours, then twenty-four hours.

A sysadmin once told me that having one hundred IPs in .htaccess would cause a serious strain on the server. I’ll block a whole network like *.bluehost.com and the block notice tells them to contact their host. Then I worked with the host to deal with hackers

Right now I have almost no traffic. Once my sites are up, I don’t want congestion from two thousand bots slowing down the box.

I’m not looking for a fix, though, just a warning site for adult webmasters and server admins

[rowan]

Quote:

Originally Posted by k0nr4d

Another useful one - block TOR nodes.
https://www.reaper-x.com/2012/05/15/...che-and-nginx/

I think unconditionally blocking tor, open proxies etc is a bad idea, unless you're under attack and urgently need to tighten up things.

I prefer the once bitten, twice shy model: if an IP (or cookie'd device) misbehaves and ends up banned for a day, their reputation goes down, so the trigger level for a future ban is set much lower.

I send a bit of skimmed TGP traffic to a semi-adult site and see plenty of VPNs and TOR IPs. They mostly behave themselves just fine.

[rowan]

Quote:

Originally Posted by PamWinterReturns

My plugins do block the IP and notify me. Most block for an hour first, then twelve hours, then twenty-four hours.

A sysadmin once told me that having one hundred IPs in .htaccess would cause a serious strain on the server. I’ll block a whole network like *.bluehost.com and the block notice tells them to contact their host. Then I worked with the host to deal with hackers

Right now I have almost no traffic. Once my sites are up, I don’t want congestion from two thousand bots slowing down the box.

I’m not looking for a fix, though, just a warning site for adult webmasters and server admins

If you want to block at the IP level it would be better to use a firewall, which blocks connect attempts at the OS level. This is far more efficient than blocking via .htaccess, because:

1) Firewalls are optimized for blocking IP traffic. It's just masks and bits; no '*', no domains, no hostnames.

2) Blocking at the firewall level means that packets from the IP simply cannot connect to the web server port, so the web server doesn't need to waste resources receiving the request, checking htaccess, then sending back a 403 denied error.

I cannot offer you any further detail, since most of my stuff is custom, but I'm sure there are plugins that will interface with the firewall of your server's OS (probably Linux)

But if you can't figure it out, I'm reasonably confident that having 100 entries in htaccess, in 2018, will not bring your server to its knees.

[HairyChick]

It’s amateurs just playing around. It’s a blog domain, five captchas, with one post. Gaining access means they can swear, yell, post naked pr0n pics and claim they “hacked” a site and are l33t.

I just don’t get why this undeveloped site is targeted or where they heard of it. If they get in, I have full backups. There’s nothing but a standard Wordpress theme.

They can brag they “hacked” into it but all they did was guess. I see the lure and bragging rights when they get fifty million credit card numbers from Marriott or Dunkin’ Donuts. But an undeveloped blog? Low standards

[rowan]

Quote:

Originally Posted by PamWinterReturns

If they get in, I have full backups. There’s nothing but a standard Wordpress theme.

They can brag they “hacked” into it but all they did was guess. I see the lure and bragging rights when they get fifty million credit card numbers from Marriott or Dunkin’ Donuts. But an undeveloped blog? Low standards

It's probably automated scripts probing for known vulnerabilities in popular software (like Wordpess).

It's unlikely that your site is specifically being targeted.

[NatalieMojoHost]

If you have managed hosting, get a ticket in with the server admins to configure a firewall, and to troubleshoot what's going on.

5 captchas... a bit of an overkill - if they can solve one, why not the other? There is technology that can read your facial expression and determine if you're sad or worried. There's really not much reliability in captchas these days except maybe stopping bored amateurs. At that, it almost sounds like some hacker school is practicing bot-captcha-solving on your blog.

[VRPdommy]

I see plenty of good suggestions here...
But it all depends on your config.
Learn how to track all of your log files daily so you can see what is going on.
A Pain it is but it's the only way.
You will be hit from IP's from compromised servers, so doing IP blocks above your firewall can be hard to execute depending on who your intended audience is. You don't want to limit or prevent the folks you are catering to.
You will have to use a all of the above type approach to what fits your circumstance.

If you are using popular software like a WordPress engine, it makes a double layer of hack potential, but stick with it as it's easier and faster to find/fix holes in the software.

If your targets are in one country, a firewall IP whitelist for it is a good start.
You can further follow that up in .htaccess
And keep FTP access off if you don't need it. Change all ports to non-standard ports.
Don't make it easy for some kid following a how-to on the web.

Watch your logs like a hawk.

edit...
I was getting 24 hits a minute at certain times of the day.
Blocking countries that do not speak the same language was the first step.
If you are looking to just bock single IP's...
There is no end to them through all the compromised systems, so good luck with that.
Most times those compromised systems do not know they have been compromised as everything works as normal. So everyone should monitor their own bandwidth usage for that sign.
I have over 1 billion ip's blocked and still get 600 hits a day on average poking at the system.
That continues to shrink everyday by monitor and action.

[HairyChick]

Quote:

Originally Posted by NatalieMojoHost

If you have managed hosting, get a ticket in with the server admins to configure a firewall, and to troubleshoot what's going on.

5 captchas... a bit of an overkill - if they can solve one, why not the other? There is technology that can read your facial expression and determine if you're sad or worried. There's really not much reliability in captchas these days except maybe stopping bored amateurs. At that, it almost sounds like some hacker school is practicing bot-captcha-solving on your blog.

You may be right. These are amateurs based on the IP and passwords guesses. Bots trying to get into an undeveloped site so they can brag.

Five captchas was a trial to see which I liked best. I ignored the site for months and stopped building it until the email deluge. Soon I’ll pick a captcha to keep

[HairyChick]

Quote:

Originally Posted by VRPdommy

I see plenty of good suggestions here...
But it all depends on your config.
Learn how to track all of your log files daily so you can see what is going on.
A Pain it is but it's the only way.
You will be hit from IP's from compromised servers, so doing IP blocks above your firewall can be hard to execute depending on who your intended audience is. You don't want to limit or prevent the folks you are catering to.
You will have to use a all of the above type approach to what fits your circumstance.

If you are using popular software like a WordPress engine, it makes a double layer of hack potential, but stick with it as it's easier and faster to find/fix holes in the software.

If your targets are in one country, a firewall IP whitelist for it is a good start.
You can further follow that up in .htaccess
And keep FTP access off if you don't need it. Change all ports to non-standard ports.
Don't make it easy for some kid following a how-to on the web.

Watch your logs like a hawk.

edit...
I was getting 24 hits a minute at certain times of the day.
Blocking countries that do not speak the same language was the first step.
If you are looking to just bock single IP's...
There is no end to them through all the compromised systems, so good luck with that.
Most times those compromised systems do not know they have been compromised as everything works as normal. So everyone should monitor their own bandwidth usage for that sign.
I have over 1 billion ip's blocked and still get 600 hits a day on average poking at the system.
That continues to shrink everyday by monitor and action.

Thanks. I remember my first bot attack in 1994. Shut down the host’s machines and they disconnected for a while to calm things down. I was lost and my host was pissed off! He had about two dozen clients and lost six of them due to attack on the box. He learned to tighten things up and to move the attack to another box.

I can’t fathom a billion blocked IPs. I’m blocking whole hosts as in *@*.*.secureserver.net. 800 daily attempts from different countries to different IPs. I sent an address explaining why and tried to tell them these are open accounts. Third email so I think no one cares!

I’m surprised so many static addresses are open. I noticed many hosts have many open accounts and I wonder who admins these boxes. Blocking open ports isn’t rocket science yet many large hosts are inundated with them.

Fortunately none of my current or past hosts have appeared in logs.

[AdultKing]

Quote:

Originally Posted by PamWinterReturns

I can’t fathom a billion blocked IPs. I’m blocking whole hosts as in *@*.*.secureserver.net. 800 daily attempts from different countries to different IPs. I sent an address explaining why and tried to tell them these are open accounts. Third email so I think no one cares!

Every server on the Internet is probed automatically by numerous actors, both whitehat and blackhat, states, companies and individuals. Servers are often also probed by security researchers.

As long as your security is up to scratch then these failed attempts are not worth losing sleep over.

I am not sure you understand that this happens all the time, everywhere. It's not unusual, it's often not targeted.

For example, malicious activity using headless Chrome is spiking, see the article below.

https://securityboulevard.com/2018/1...ers-heres-why/

[rowan]

Quote:

Originally Posted by PamWinterReturns

I can’t fathom a billion blocked IPs. I’m blocking whole hosts as in *@*.*.secureserver.net. 800 daily attempts from different countries to different IPs. I sent an address explaining why and tried to tell them these are open accounts. Third email so I think no one cares!

As I said above, you need to start blocking at a less abstract level: individual IPs, or IP ranges. Firewalling at the packet level is super fast.

If you block by hostname through (say) Apache, it must do a DNS lookup in order to check against htaccess... for EVERY load. Do you really want your page to take 5 seconds to load because the user's ISP hasn't properly configured their reverse DNS?

BTW: a billion blocked IPs? That's like half the internet.

[HairyChick]

Quote:

Originally Posted by rowan

As I said above, you need to start blocking at a less abstract level: individual IPs, or IP ranges. Firewalling at the packet level is super fast.

If you block by hostname through (say) Apache, it must do a DNS lookup in order to check against htaccess... for EVERY load. Do you really want your page to take 5 seconds to load because the user's ISP hasn't properly configured their reverse DNS?

BTW: a billion blocked IPs? That's like half the internet.

He said a billion IPs. I was thinking he built a supercomputer of some sort.

I notice the site page warning that I’m blocked takes about six seconds to load for me on wifi. I am not in .htaccess yet am banned. I’m whitelisted, too, but can’t get in to check if a plugin has me listed. I tried a VPN as suggested but couldn’t connect. I’ll try again later tonight.

I will ftp in and rename any login or security plugins,try to login, then see what is going on

[ghjghj]

Quote:

Originally Posted by PamWinterReturns

He said a billion IPs. I was thinking he built a supercomputer of some sort.

Are you even awake?

[VRPdommy]

Your 5 captcha's are likely being bypassed with db insertion methods they are using.
Go back to just using 1.
You need to tighten security on the server.
Start with the DB. Then firewall and file permissions.
Take a look at all users of the file system, you might get a surprise but it needs checked. Same with DB users, but I doubt that will lead you anywhere since it is likely being inserted through WP or similar engine you are using so check the users there.
Shut down FTP server and use only sftp and change passwords and ports.

[HairyChick]

Quote:

Originally Posted by VRPdommy

Your 5 captcha's are likely being bypassed with db insertion methods they are using.
Go back to just using 1.
You need to tighten security on the server.
Start with the DB. Then firewall and file permissions.
Take a look at all users of the file system, you might get a surprise but it needs checked. Same with DB users, but I doubt that will lead you anywhere since it is likely being inserted through WP or similar engine you are using so check the users there.
Shut down FTP server and use only sftp and change passwords and ports.

The attempts stopped cold one day last week. I asked my host and he just smiled.

There are no users, no one but me with dB access and there is no content. I installed Wordpress and configured it to allow only me in. That’s why they’re locked out if the login is correct.

I installed a plugin on another site that gives the option to hide the version. I upgrade regularly and have had no security issues on any site.

I’m building a new site and grabbed about fifty plugins. Several for each action so I can test them. If a plugin hasn’t been updated in a month, I delete it. The captchas I deleted as I found a better one.

I know no site is perfectly secure. But I’m hoping for really good results. I’m dumping plugins I don’t need. 404 plugins are cute but I can create my own page like I used to do.

SFTP brings back old memories. I remembered doing ftp via dos prompt.

[HairyChick]

Quote:

Originally Posted by NatalieMojoHost

If you have managed hosting, get a ticket in with the server admins to configure a firewall, and to troubleshoot what's going on.

5 captchas... a bit of an overkill - if they can solve one, why not the other? There is technology that can read your facial expression and determine if you're sad or worried. There's really not much reliability in captchas these days except maybe stopping bored amateurs. At that, it almost sounds like some hacker school is practicing bot-captcha-solving on your blog.

A couple were text and the rest were mathematics. I was testing them and didn’t think anyone but me would test.

The hacker school theory might be right. Admin is a bad guess! I post as Pam but the admin uses a different name and password, and I never post as the admin. I’ll pick random names like Ingrid or Desdemona or Tallulah.

[RycEric]

Quote:

Originally Posted by KlenTelaris

I solved my security problems by banning Ukraine and Russia Traffic.