Continuous Security Logs Due To Same Hacker

[Diane Schroeder]

Is there any way to block a hacker from causing continuous security logs?  I’ve had at least 10 security logs received today with the same hacker’s attempts:

[403 GET / HEAD Request: March 28, 2014 - 2:01 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 173.199.158.232
Host Name: host.wesource.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:

A couple of times, I’ve had to go in and manually delete the security logs, since they were too large.  I realize BPS is doing a great job stopping this hacker, but can I do anything to force a permanent block?  It has been taking a lot of my time just to review all of the files to confirm it is multiple instances of the same hacker attempting access.  I am not real familiar with BPS or WP, but am willing to try anything to stop this person.

Please advise.

[AITpro Admin]

This is a standard Brute Force Login Attack.  3 things make that obvious:  SERVER_PROTOCOL: HTTP/1.0 is being used instead of HTTP/1.1, the User Agent is blank and the Request URI is your login page.

A 403 HTTP Response Status code means the hacker was blocked.  If you do not want to keep track of blocked hackers, spammers, scrapers, bad bots, etc being blocked and logged you can turn off Security Logging.  This just means do not log these events and does not mean you are turning off your security.

[AITpro Admin]

We rarely look at our zipped security log files and use an Outlook Rule to automatically send them to a group mailbox folder.  Every once in a while we use an automated script that strips out all the common log entries, which leaves us with only new/different log entries and then look through them for any new attack types/vectors/methods.  We get between 300,000 – 400,000 hacking attempts per month so that would be full-time job trying to keep track of that silly stuff.

[Diane Schroeder]

Thank you for your response, and thank God for BPS!  I would have been hacked on multiple sites without it.

If I turn off error logging, doesn’t that turn off all logging?  Aren’t there some errors I will want to investigate?  Is there a way to turn off logging of just BFHS events from the same IP address?

Thanks!

[AITpro Admin]

I think creating backend filters would actually make things more complicated, but we will take another look at this.  The idea behind automatically zipping and emailing log files is it is hands off and done automatically by BPS without requiring any of your attention.

To be honest with you since the Security Log is also a diagnostic/troubleshooting tool you can use it like this.  You install a new plugin and something appears to be blocked by BPS.  You would turn on Security Logging to check that.  If BPS is blocking something then what is being blocked will always be logged.  A whitelist rule can then be created.  You would test everything and if you do not see any new Security Log entries then you would turn off Security Logging again.  If BPS is blocking something this is going to be a one-time event thing.  Once “fixed” (creating a whitelist/allow rule) that problem would never occur again.

[Diane Schroeder]

What would be a sign, after installing a new plugin (or perhaps upgrading a plugin), that “something appears to be blocked by BPS”?   What would I look for that would suggest I should turn on the logging again?

Thanks!

[AITpro Admin]

The better approach is this.  You install a new plugin and you want to check that BPS is not blocking anything in that plugin.  You would turn on Security logging and check that plugin’s functionality.  The chance that BPS is blocking something in another plugin is around .2%.  That number comes from dividing the total number of WordPress plugins which is around 30,000 plugins by the total number of documented known plugin issues which is around 60 total over the last 4 years.  You end up with a .2% chance that BPS will block anything in any of your plugins.

You can search this Forum by searching for a plugin’s name to find any documented issues with the “fix” (whitelist rule) for that plugin.  If you do not find that plugin in this Forum then there are no known issues.  If this is a new plugin that was just created then maybe we have not documented anything for that plugin.  In any case, the general idea is it is a very rare occurrence that BPS is blocking something in another plugin.  If BPS is blocking something in another plugin then it is documented with the whitelist rule that needs to be added to Custom Code, which is a one-time “fix”.

[Diane Schroeder]

Thanks so much for the information.  I have turned off the error logging, since this hacker is still trying to get into my website.  If/when I install new plugins, I will turn the error logging on again.

Thanks for your time.

[Author]

Posts