[wp-hackers] Detecting the present botnet attacks
Nicolás Badano
nicobadano at gmail.com
Thu Jul 11 21:12:04 UTC 2013
We too have been having quite a headache with the bot attacks recently.
In our case, what we did was install the wp-fail2ban plugin (no more
than two lines of code that log unsuccessful login attempts in the
auth.log file) and configure fail2ban to monitor that logfile with the
regex included in the plugin. Three failed logins, and we shut down the
server for that IP (Deny from XX.XXX.XXX.XXX in the main .htaccess). An
iptables ban would probably accomplish the same thing, or the denyhosts
action. As we don't have an admin or administrator account, we are
looking into banning tries using those accounts right away from the
first try, but I don't have code for that just yet.
It's less sophisticated than stopping the botnet in its tracks by
identifying a pattern (that would be GREAT) but it did help contain
the bot invasion. We are not getting that many failed logins these days.
I like how Project Honey Pot looks, though: I'll probably give
it a try, especially if it doesn't hurt performance too much.
My two cents!
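
Added example (not part of the original post, and not wp-fail2ban or fail2ban code): a Python sketch of the policy the message describes, which denies an address after three failed logins and denies it on the first try when the login names an account the site does not have. The log line shape, the 10-minute window, the host names and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log shape. The user name is attacker-controlled, so anchor the IP at $.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"Authentication failure for (?P<user>.*) from (?P<ip>[0-9a-fA-F:.]+)$"
)
MAX_RETRY = 3                              # "three failed logins" in the post
FIND_TIME = timedelta(minutes=10)          # assumed window; the post gives none
ABSENT_USERS = {"admin", "administrator"}  # accounts the site does not have


def find_bans(lines, year=2013):
    """Return {ip: reason}; syslog lines carry no year, so one is passed in."""
    recent = defaultdict(deque)  # ip -> failure times still inside FIND_TIME
    bans = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["ip"] in bans:
            continue
        if m["user"].strip().lower() in ABSENT_USERS:
            bans[m["ip"]] = "absent account"  # deny on the first try
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > FIND_TIME:     # forget failures outside the window
            window.popleft()
        if len(window) >= MAX_RETRY:
            bans[m["ip"]] = "max retries"
    return bans


def htaccess_rules(bans):
    """Render the bans as the .htaccess Deny lines described in the post."""
    return [f"Deny from {ip}" for ip in sorted(bans)]

# Constructed sample log (RFC 5737 documentation addresses, made-up host names).
PFX = "web1 wordpress(blog.example)[4242]: Authentication failure for"
SAMPLE = [
    f"Jul 11 20:00:00 {PFX} alice from 203.0.113.5",
    f"Jul 11 20:01:02 {PFX} editor from 192.0.2.10",
    f"Jul 11 20:01:30 {PFX} editor from 192.0.2.10",
    f"Jul 11 20:02:05 {PFX} editor from 192.0.2.10",
    f"Jul 11 20:03:00 {PFX} admin from 198.51.100.7",
    f"Jul 11 20:30:00 {PFX} alice from 203.0.113.5",
    f"Jul 11 20:31:00 {PFX} alice from 203.0.113.5",
]
```

Calling htaccess_rules(find_bans(SAMPLE)) yields Deny lines for 192.0.2.10 and 198.51.100.7 only; 203.0.113.5 never has three failures inside one window, so it is left alone.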