[wp-hackers] Detecting the present botnet attacks

Les Bessant les at lcb.me.uk
Thu Jul 11 21:23:41 UTC 2013


I've been using fail2ban, but I'm still seeing numerous single attempts to log on to my site - and they're not trying for "admin", they're actually targeting the user name that I post with. Getting one attempt at a time from numerous addresses.

Looks like it's time to go back to using bad behaviour.

--
Les Bessant les at lcb.me.uk
Losing it - http://losingit.me.uk/
Les Bessant Photography - http://lesbessant-photography.co.uk



On 11 Jul 2013, at 22:12, Nicolás Badano <nicobadano at gmail.com> wrote:

> We too have been having quite a headache with the bot attacks recently. In our case, what we did was installing the wp-fail2ban plugin (no more than two lines of code that log unsuccessful login attempts in the auth.log file) and configured fail2ban to monitor that logfile with the regex included in the plugin. Three failed logins, and we shut down the server for that IP (Deny from XX.XXX.XXX.XXX in the main .htaccess). An iptables ban would probably accomplish the same thing, or the denyhosts action. As we don't have an admin or administrator account, we are looking into banning tries using those accounts right away from the first try, but I don't have code for that just yet.
> 
> It's less sophisticated than stopping the botnet on its tracks by identifying a pattern (that would be GREAT) but it did help containing the bot invasion. We are not getting that many failed logins these days. I like how the Project Honey Pot looks like though: I'll probably give it a try, specially if it doesn't hurt performance too much.
> 
> My two cents!
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers



More information about the wp-hackers mailing list