A few days ago I integrated the Limit Login Attempts by miniOrange module into my WordPress website and I was amazed at how well it worked and how extensive the control and reporting was. Incredible for free software.
The module almost immediately started trapping invalid login requests and blocking hackers from further attempts. I’ve always known this was happening but I have strong passwords and it’s never had any significant impact on server performance.
Well, that all changed after integrating this module. I guess I pissed them off and they decided to retaliate with a full-on distributed brute-force attack, because on Friday at about 23:00 (Vancouver time) the shit hit the fan. I started getting a constant stream of messages about my firewall blocking IPs in response to invalid login attempts, and these IPs were from almost every country around the world. This was obviously a coordinated attack, and I can only imagine it’s because they are pissed off about the added server security.
I’ve had DDoS attacks before, and the data center has excellent DDoS mitigation in place, so that hasn’t been an issue. But DDoS is a Layer 4 (transport) attack and brute force is a Layer 7 (application) attack, so essentially there is nothing that can be done about it at the data center level; it’s up to me to take action and integrate the necessary security on the server. So I put on my cape and went into rescue mode.
There are many security options. Some of them were already in place at the time of the attack (which is why I was notified), and some are more effective than others against certain types of attacks. So, in retaliation for the hackers retaliating against me for protecting my server, I decided to spread as much information as I can about what can be done, so that when they move on to your server, you’ll have a better idea of how to defend yourself.
A Quick Band-aid
I have a cPanel system on my server and for the most part would like to use WHM to manage this, since that will be easy for anyone else to duplicate. If you are a cPanel system administrator with root access to the server, you might find this stuff useful. If your system is not cPanel, most of the server configuration will be different and this stuff might not be of much value, other than where you can do the same thing another way with the software you are running.
I shouldn’t have to repeat this (it’s in my TOS), but I am not responsible in any way for anything that might go wrong with anyone else’s equipment as a result of anything I might say or do, whether it’s your mistake or mine. It’s up to you to evaluate this material and decide what to do. If you are unsure and don’t understand anything I am talking about, call in a professional.
cPHulk – Block All Countries
Using cPHulk, I blocked all countries except mine (Canada). That cut out a massive number of attacks, not all of them, but definitely enough to bring it down to a manageable level.
Now I can begin my work by inspecting exactly what is happening and taking the most effective approach to stopping it. I’m also going to generally beef up security in case they or someone else tries something else, but I didn’t want to stop the attack completely, because it’s a lot easier to work on security while actually being under attack than to have to simulate an attack.
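To show why a per-IP lockout (the mechanism behind plugins like Limit Login Attempts) barely dents a distributed attack while a cPHulk-style country block does, here is an added example that is not part of the original post and not code from miniOrange or cPanel. It runs over constructed failed-login records; the per-IP lockout threshold, the home-country set and the country codes (assumed to come from a GeoIP lookup done elsewhere) are assumptions.

```python
from collections import Counter

# Constructed failed wp-login records (ip, country_code); not real traffic.
SINGLE_SOURCE = [("203.0.113.5", "CA")] * 8          # one host hammering the login page
DISTRIBUTED = [(f"198.51.100.{i}", cc) for i, cc in enumerate(
    ["BR", "DE", "IN", "RU", "US", "NG", "VN", "FR", "TR", "ID"], start=1)] * 2  # 2 tries per IP

PER_IP_LOCKOUT = 5        # assumed lockout threshold of a per-IP limiter
HOME_COUNTRIES = {"CA"}   # countries the site legitimately logs in from (the post's choice)


def summarize(failures):
    """Count failed attempts per IP and per country."""
    per_ip = Counter(ip for ip, _ in failures)
    per_country = Counter(cc for _, cc in failures)
    return per_ip, per_country


def per_ip_lockout_catches(failures, threshold=PER_IP_LOCKOUT):
    """Return the IPs a per-IP limiter locks out and the number of attempts it still lets through.

    The first `threshold` failures from any IP always get through; only the rest are blocked,
    so a source that stays below the threshold is never blocked at all."""
    per_ip, _ = summarize(failures)
    locked = {ip for ip, n in per_ip.items() if n >= threshold}
    unblocked = sum(min(n, threshold) for n in per_ip.values())
    return locked, unblocked


def classify(failures, threshold=PER_IP_LOCKOUT):
    """Flag a distributed brute force: many sources, each staying under the per-IP threshold."""
    per_ip, per_country = summarize(failures)
    max_per_ip = max(per_ip.values())
    distributed = len(per_ip) >= 5 and max_per_ip < threshold
    return {"ips": len(per_ip), "countries": len(per_country),
            "max_per_ip": max_per_ip, "verdict": "distributed" if distributed else "single-source"}


def country_block_catches(failures, allowed=HOME_COUNTRIES):
    """Fraction of failures a country block (allow only home countries) would drop."""
    dropped = sum(1 for _, cc in failures if cc not in allowed)
    return dropped / len(failures)


if __name__ == "__main__":
    for name, log in (("single-source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        locked, leaked = per_ip_lockout_catches(log)
        print(name, classify(log), "locked:", len(locked), "let through:", leaked,
              "country block drops:", country_block_catches(log))
```

The distributed set never trips the per-IP lockout (every IP stops at two attempts) but is dropped entirely by the country block, which is the pattern the post describes.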
Unfortunately, I have to stop this post here because I find it hard to do research and document my system while writing a blog post. Just know that I am working on it right now and taking notes so you can expect a full report when I’m done.
And you can probably see that the server is working fine, so it’s really more of a nuisance than a problem; it’s just something I would be negligent not to deal with. Talk to you later.