Receiving several Security Log zip file emails very frequently – brute force attack

[Chris Moon]

Hi,

I’ve recently been getting a stream of security logs from a test site, there is a reoccurring pattern at one minute intervals alternating between 2 IP’s. It seems to me that something on the site is now triggering the security log but I cannot fathom out what it might be. How do I troubleshoot?

regards,
Chris

[AITpro Admin]

Send one of your Security Log zip files to: info at ait-pro dot com so we can take a look at it.

[AITpro Admin]

I received your Security Log zip file.  Your site is being brute force attacked at a rate of 160 attacks per minute|2.7 attacks per second.  This is a relatively low|mild brute force attack.  A moderate brute force attack would be 1200 attacks per minute|20 attacks per second.  A heavy|extreme brute force attack would be 6000 attacks per minute|100 attacks per second.

BPS Pro Login Security and JTC Anti-Spam|Anti-Hacker are both designed to stop brute force attacks in a way that do not cause any significant server or website resource usage.  Each individual brute force attack is killed before database/login connection processing occurs.  When a brute force attack is occurring you can expect to receive more automated Security Log zip file emails since more Security Log entries are being created during the attack.  Brute force attacks can last several days.  When the brute force attack ends you will receive a “normal” amount of automated Security Log zip file emails again.  Since all BPS Pro log file handling is automated you do not need to do anything else.  Since BPS Pro is designed specifically to handle brute force attacks you do not need to do anything else.

Side Note:  Several people have sent me a link to a website that makes this incorrect/invalid claim below.  The incorrect/invalid statement below could not be more wrong.  Brute force login attacks make up the largest percentage of website attacks by far.  Since brute force attacks occur more frequently than any other type of attack and are constantly increasing then I would estimate that brute force attacks make up 85% or more (probably actually 90% to 95%) of all website attacks.  Or in other words, when I tally up the total number of blocked and logged brute force attacks vs all the other types of blocked and logged attacks in our Security Logs, 85% or more of the Security Log file entries are blocked and logged brute force attacks.  So Login Security that has brute force protection capability is the #1 most important and essential website security protection measure that every website should have.

Almost all the WordPress security plugins focus mainly on login security. But statistics indicate that brute force login attacks make up a very small percentage of attacks.

[Chris Moon]

Thanks I appreciate your informative answer.

[Chris Moon]

Hi,

My site is under attack and I would like to exclude the hacker from being logged in the Security log however there is no user agent string I’ve tried adding the IP and the Hostname to the Add/Ignore rules which doesn’t help. What would you advise?

[403 GET / HEAD Request: 24/05/2015 - 07:21]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 46.105.100.122
Host Name: ns382587.ip-46-105-100.eu
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:

regards,
Chris

[Chris Moon]

ok thanks for your reply but this is an old site running the same plugins/theme for over a year which is suddenly seeing a stream of login attempts from the same IP. The security log was over 2Mb withing 20 hours.

[AITpro Admin]

Brute force attacks come and go in waves and in general brute force attacks have been increasing in frequency and volume since early 2014 and will continue to increase.  You do not need to do anything and can let the automated log file handling in BPS Pro handle everything.  If this is an old site then you should have the most current version of BPS Pro installed on the site:  10.3.  Upgrade to 10.3 if you have an older version of BPS Pro installed on the site.  BPS Pro Security Log files are the same thing as your Server Log files – they log events since that is what log files are designed to do.

[Author]

Posts