Continuous Security Logs Due To Same Hacker


Viewing 8 posts - 1 through 8 (of 8 total)
    #14294
    Diane Schroeder
    Participant

    Is there any way to block a hacker from causing continuous security logs?  I’ve had at least 10 security logs received today with the same hacker’s attempts:

    [403 GET / HEAD Request: March 28, 2014 - 2:01 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 173.199.158.232
    Host Name: host.wesource.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT:

    A couple of times, I’ve had to go in and manually delete the security logs, since they were too large.  I realize BPS is doing a great job stopping this hacker, but can I do anything to force a permanent block?  It has been taking a lot of my time just to review all of the files to confirm it is multiple instances of the same hacker attempting access.  I am not really familiar with BPS or WP, but am willing to try anything to stop this person.

    Please advise.

    #14296
    AITpro Admin
    Keymaster

    This is a standard Brute Force Login Attack.  3 things make that obvious:  SERVER_PROTOCOL: HTTP/1.0 is being used instead of HTTP/1.1, the User Agent is blank and the Request URI is your login page.

    A 403 HTTP Response Status code means the hacker was blocked.  If you do not want to keep track of blocked hackers, spammers, scrapers, bad bots, etc. being blocked and logged, you can turn off Security Logging.  This just means do not log these events and does not mean you are turning off your security.

    #14297
    AITpro Admin
    Keymaster

    We rarely look at our zipped security log files and use an Outlook Rule to automatically send them to a group mailbox folder.  Every once in a while we use an automated script that strips out all the common log entries, which leaves us with only new/different log entries, and then look through them for any new attack types/vectors/methods.  We get between 300,000 – 400,000 hacking attempts per month, so that would be a full-time job trying to keep track of that silly stuff.
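The two admin replies above describe a triage approach: recognise the blocked brute-force login entries by their three indicators (HTTP/1.0, blank User Agent, login page as Request URI) and strip the repeated, already-known entries out of the log so only new attack types remain. The script below is an added example written for this thread; it is not AITpro's script or any part of BPS. It parses the entry layout quoted in the first post and assumes entries are separated by blank lines. The sample log, the documentation-range IP addresses and the host names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of the BPS Security Log entry quoted in
# the thread. IPs are RFC 5737 documentation addresses and host names are
# placeholders; none of this is data from the page.
SAMPLE_LOG = """\
[403 GET / HEAD Request: March 28, 2014 - 2:01 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.2.10
Host Name: host.example.invalid
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:

[403 GET / HEAD Request: March 28, 2014 - 2:07 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.0.2.10
Host Name: host.example.invalid
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: GET
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT:

[403 GET / HEAD Request: March 28, 2014 - 2:10 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 198.51.100.7
Host Name: crawler.example.invalid
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/plugins/example-plugin/ajax.php
QUERY_STRING: action=test
HTTP_USER_AGENT: Mozilla/5.0 (constructed sample)
"""

# Bracketed first line of each entry: [<status> <kind>: <timestamp>]
HEADER_RE = re.compile(r"^\[(\d{3}) (.+?): (.+)\]$")


def parse_entries(text):
    """One dict per entry; 'KEY: value' lines become keys (value may be empty)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not a log entry; skip stray text
        entry = {"status": m.group(1), "kind": m.group(2), "time": m.group(3)}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        # Keep the short code ("BFHS"), not the trailing description.
        entry["event"] = entry.get("Event Code", "").split(" ", 1)[0]
        entries.append(entry)
    return entries


def is_brute_force_login(entry):
    """The three indicators named in the reply: HTTP/1.0, blank UA, login URI."""
    return (
        entry.get("SERVER_PROTOCOL") == "HTTP/1.0"
        and entry.get("HTTP_USER_AGENT", "") == ""
        and entry.get("REQUEST_URI", "").endswith("/wp-login.php")
    )


def signature(entry):
    """What makes two entries 'the same' for de-duplication."""
    return (entry["event"], entry.get("REMOTE_ADDR", ""), entry.get("REQUEST_URI", ""))


def summarize(entries):
    """Collapse repeated hits into a count per (event, source IP, URI)."""
    return Counter(signature(e) for e in entries)


def novel_entries(entries, known_signatures):
    """Strip entries whose signature was already reviewed; keep the rest."""
    return [e for e in entries if signature(e) not in known_signatures]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for sig, n in summarize(parsed).most_common():
        print(f"{n:4d}x {sig}")
    # Treat the known brute-force pattern as "common" and show only what is left.
    seen = {signature(e) for e in parsed if is_brute_force_login(e)}
    for e in novel_entries(parsed, seen):
        print("review:", e["time"], e["REMOTE_ADDR"], e["REQUEST_URI"])
```

Run against a real export, the `summarize` counts answer the first poster's question (how many of the entries are the same source hitting the same URI) without reading each file by hand, and `novel_entries` is the "strip out the common entries" step the admin describes; the set of known signatures would normally be kept between runs rather than rebuilt from the current log.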

    #14300
    Diane Schroeder
    Participant

    Thank you for your response, and thank God for BPS!  I would have been hacked on multiple sites without it.

    If I turn off error logging, doesn’t that turn off all logging?  Aren’t there some errors I will want to investigate?  Is there a way to turn off logging of just BFHS events from the same IP address?

    Thanks!

    #14301
    AITpro Admin
    Keymaster

    I think creating backend filters would actually make things more complicated, but we will take another look at this.  The idea behind automatically zipping and emailing log files is it is hands off and done automatically by BPS without requiring any of your attention.

    To be honest with you, since the Security Log is also a diagnostic/troubleshooting tool, you can use it like this.  You install a new plugin and something appears to be blocked by BPS.  You would turn on Security Logging to check that.  If BPS is blocking something then what is being blocked will always be logged.  A whitelist rule can then be created.  You would test everything and if you do not see any new Security Log entries then you would turn off Security Logging again.  If BPS is blocking something this is going to be a one-time event.  Once “fixed” (creating a whitelist/allow rule) that problem would never occur again.

    #14303
    Diane Schroeder
    Participant

    What would be a sign, after installing a new plugin (or perhaps upgrading a plugin), that “something appears to be blocked by BPS”?   What would I look for that would suggest I should turn on the logging again?

    Thanks!

    #14304
    AITpro Admin
    Keymaster

    The better approach is this.  You install a new plugin and you want to check that BPS is not blocking anything in that plugin.  You would turn on Security logging and check that plugin’s functionality.  The chance that BPS is blocking something in another plugin is around .2%.  That number comes from dividing the total number of WordPress plugins which is around 30,000 plugins by the total number of documented known plugin issues which is around 60 total over the last 4 years.  You end up with a .2% chance that BPS will block anything in any of your plugins.

    You can search this Forum by searching for a plugin’s name to find any documented issues with the “fix” (whitelist rule) for that plugin.  If you do not find that plugin in this Forum then there are no known issues.  If this is a new plugin that was just created then maybe we have not documented anything for that plugin.  In any case, the general idea is it is a very rare occurrence that BPS is blocking something in another plugin.  If BPS is blocking something in another plugin then it is documented with the whitelist rule that needs to be added to Custom Code, which is a one-time “fix”.

    #14309
    Diane Schroeder
    Participant

    Thanks so much for the information.  I have turned off the error logging, since this hacker is still trying to get into my website.  If/when I install new plugins, I will turn the error logging on again.

    Thanks for your time.
