From: Colin G. <col...@ma...> - 2014-07-25 22:19:17
Single/distributed issues aside, is my understanding of F2B correct in that 'banned' IPs result in any further requests from them (for the banning period) not getting through to Apache? If so, that should reduce the load on the server directly. I don't understand ipsets etc. enough to know how this works, but I guess I will be finding out soon enough. I have a separate firewall next to my server, but I don't know if I could set an action that will send a request to the firewall to block an IP.

Colin G

On 7/25/14, 4:56 PM, Gregory Sloop wrote:
> Re: [Fail2ban-users] What's best practice for a brute force http attack?
> Top posting...
>
> There are utilities specifically for WP, that will mitigate brute-force logins etc.
> Again though, these may have limited impact since the attacks likely aren't coming from a single location, but from virtually anywhere. [And some of the attacks appear to use vulnerabilities in the plug-ins to inject PHP files/code directly - so nothing F2B offers would help, if you're vulnerable - and it's superfluous if you're not.]
>
> All these utilities tend to block IPs, not the "attacker" per se, and F2B does the same. It's a useful tool, but it only addresses identifiable attacks that come from a particular IP. [Again, that's good, but it may not help all that much, depending on the situation.]
>
> F2B will help stop attacks that target low-lying fruit - say compromising user accounts with bad/weak passwords. And that's valuable. But some kinds of probes are just "noise" and trying to stop them all may drive you nutty, or use resources better spent elsewhere etc.
>
> ---
> I went back and looked at your initial post. You might consider swatch [Simple Log Watcher] - which will email/alert you when a certain regex appears in the configured log file. Then, after seeing enough examples to craft it to match a real world threat that actually occurs, you can take that and build a F2B rule for it.
>
> You can do the same by closely reviewing the logs you currently have, if you can tell a pattern that identifies an attack, vs. normal usage.
>
> [But as to particular/specific filters to use, I really don't have an answer.]
>
> -Greg
>
>
>> Thanks for this - I appreciate it and in fact do need to update WP and plugins.
>>
>> But it also seems to me that updating WP will not stop these attackers from trying anyway. What do I do about that?
>>
>> Colin G
>>
>> On 7/25/14, 3:53 PM, Gregory Sloop wrote:
>>> Re: [Fail2ban-users] What's best practice for a brute force http attack?
>>> Just FYI, as it doesn't address your real query, but it might be a better base problem to deal with.
>>>
>>> 1) There are a very large set of issues currently out there impacting wordpress and wordpress plugins.
>>> The attacks you're seeing are very likely automated attacks against known WP and/or WP Plugins with vulns.
>>>
>>> 2) While it would be handy to prevent these attempts from occurring, they're probably distributed attacks and blocking them, one IP at a time, is probably not going to help your defenses much. [i.e. Thousands or tens-of-thousands of bots are roaming about, looking for vulnerable sites, and blocking one at a time won't help much when there's 10K "attackers."]
>>>
>>> 3) Make absolutely sure you stay up-to-date with WP releases that address security issues, and all add-ins/plug-ins too. [In my experience, the plug-ins are WAY MORE likely to get attacks than WP itself, and are a lot harder to keep up-to-date, as there are odd interactions that can occur with X-version of a plug-in and X-version of WPress.]
>>>
>>> So, given all that - I'd say, go ahead and see if blocking these attacks helps [or makes you feel better] ...but before you waste any time doing so, make sure WP and all plug-ins are always up-to-date. Subscribing to security announce lists etc will be really helpful in that regard.
>>>
>>> Once that's done, then F2B might be helpful. In many cases it's really only a modest tool in helping address an overall plan for security, but distributed attacks limit its effectiveness and if the underlying systems aren't vulnerable in the first place it's, perhaps, wasted effort. [Wasted is probably too strong a word, but I think you get the idea.]
>>>
>>> I say all the above, handling IT and security for quite a number of clients, and having one of my clients repeatedly have their WP site, developed by another consultant, get repeatedly penetrated. [And having to clean up the spam mess that resulted.] Securing WPress was the key - and running security things like F2B are, IMO, frosting on the cake.
>>>
>>> Just my two cents - feel free to ignore if you wish. :)
>>>
>>> -Greg
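Greg's suggestion of crafting a log regex and turning it into an F2B rule, and Colin's question about how a banned IP stops hitting Apache, are illustrated below with an added example that is not part of the thread. It mimics fail2ban's failregex/findtime/maxretry logic over a constructed Apache access-log sample, and it assumes (as stock WordPress does) that a failed wp-login.php POST re-renders the form with HTTP 200 while a successful login redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache combined-format access log lines (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2014:22:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2014:22:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Jul/2014:22:01:05 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2014:22:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2014:22:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.2 - - [25/Jul/2014:22:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Jul/2014:22:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jul/2014:22:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Equivalent of a fail2ban failregex (<HOST> becomes the named group "host"):
# a POST to wp-login.php answered with 200. Assumption: failed logins get 200,
# successful ones a 302 redirect, so 302 lines are not counted as failures.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" 200 '
)

def parse_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

def find_bans(log_text, maxretry=5, findtime=600):
    """Return {ip: ban_time} for every IP that produced >= maxretry failregex
    matches within a sliding findtime window, like fail2ban's jail settings.
    An IP already banned is skipped: once the firewall action fires, later
    requests never reach Apache, so they would not appear in the log anyway."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)   # ip -> timestamps of recent matches
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue           # normal traffic, or a successful login
        ip, ts = m.group("host"), parse_ts(m.group("ts"))
        if ip in bans:
            continue
        recent = hits[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.pop(0)      # forget matches older than findtime
        if len(recent) >= maxretry:
            bans[ip] = ts      # here fail2ban would run the ban action
    return bans
```

The real jail would pair this regex with an action (iptables/ipset, or a custom script that talks to an external firewall), which is what turns a log match into dropped packets.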