Receiving several Security Log zip file emails very frequently – brute force attack


This topic contains 6 replies, has 2 voices, and was last updated by  AITpro Admin 2 years, 11 months ago.

  • #22748

    Chris Moon
    Participant

    Hi,

    I’ve recently been getting a stream of security logs from a test site; there is a reoccurring pattern at one-minute intervals alternating between 2 IPs. It seems to me that something on the site is now triggering the security log, but I cannot fathom out what it might be. How do I troubleshoot?

    regards,
    Chris

    #22751

    AITpro Admin
    Keymaster

    Send one of your Security Log zip files to: info at ait-pro dot com so we can take a look at it.

    #22773

    AITpro Admin
    Keymaster

    I received your Security Log zip file.  Your site is being brute force attacked at a rate of 160 attacks per minute|2.7 attacks per second.  This is a relatively low|mild brute force attack.  A moderate brute force attack would be 1200 attacks per minute|20 attacks per second.  A heavy|extreme brute force attack would be 6000 attacks per minute|100 attacks per second.

    BPS Pro Login Security and JTC Anti-Spam|Anti-Hacker are both designed to stop brute force attacks in a way that does not cause any significant server or website resource usage.  Each individual brute force attack is killed before database/login connection processing occurs.  When a brute force attack is occurring you can expect to receive more automated Security Log zip file emails since more Security Log entries are being created during the attack.  Brute force attacks can last several days.  When the brute force attack ends you will receive a “normal” amount of automated Security Log zip file emails again.  Since all BPS Pro log file handling is automated you do not need to do anything else.  Since BPS Pro is designed specifically to handle brute force attacks you do not need to do anything else.

    Side Note:  Several people have sent me a link to a website that makes this incorrect/invalid claim below.  The incorrect/invalid statement below could not be more wrong.  Brute force login attacks make up the largest percentage of website attacks by far.  Since brute force attacks occur more frequently than any other type of attack and are constantly increasing then I would estimate that brute force attacks make up 85% or more (probably actually 90% to 95%) of all website attacks.  Or in other words, when I tally up the total number of blocked and logged brute force attacks vs all the other types of blocked and logged attacks in our Security Logs, 85% or more of the Security Log file entries are blocked and logged brute force attacks.  So Login Security that has brute force protection capability is the #1 most important and essential website security protection measure that every website should have.

    “Almost all the WordPress security plugins focus mainly on login security. But statistics indicate that brute force login attacks make up a very small percentage of attacks.”

    #22818

    Chris Moon
    Participant

    Thanks I appreciate your informative answer.

    #22982

    Chris Moon
    Participant

    Hi,

    My site is under attack and I would like to exclude the hacker from being logged in the Security log; however, there is no user agent string. I’ve tried adding the IP and the Hostname to the Add/Ignore rules, which doesn’t help. What would you advise?

    [403 GET / HEAD Request: 24/05/2015 - 07:21]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 46.105.100.122
    Host Name: ns382587.ip-46-105-100.eu
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT:

    regards,
    Chris

    #22984

    Chris Moon
    Participant

    OK, thanks for your reply, but this is an old site running the same plugins/theme for over a year which is suddenly seeing a stream of login attempts from the same IP. The security log was over 2Mb within 20 hours.

    #22997

    AITpro Admin
    Keymaster

    Brute force attacks come and go in waves and in general brute force attacks have been increasing in frequency and volume since early 2014 and will continue to increase.  You do not need to do anything and can let the automated log file handling in BPS Pro handle everything.  If this is an old site then you should have the most current version of BPS Pro installed on the site:  10.3.  Upgrade to 10.3 if you have an older version of BPS Pro installed on the site.  BPS Pro Security Log files are the same thing as your Server Log files – they log events since that is what log files are designed to do.
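
Added example, not part of the thread and not BPS Pro code: a small Python triage script that parses Security Log entries in the layout Chris posted, counts blocked `/wp-login.php` requests per source IP per minute, and compares the peak with the reference rates quoted earlier in the thread. The sample log is constructed, the band boundaries in `classify` are an assumption built on those rates, and the `dd/mm/yyyy` date order is assumed from the posted entry.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the entry layout shown in the thread (not real log data).
ENTRY = """[403 GET / HEAD Request: 24/05/2015 - {hhmm}]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: {ip}
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT:
"""
SAMPLE_LOG = "\n".join(
    [ENTRY.format(hhmm="07:21", ip="192.0.2.10")] * 160
    + [ENTRY.format(hhmm="07:22", ip="192.0.2.10")] * 3
    + [ENTRY.format(hhmm="07:21", ip="198.51.100.7")] * 2
)

HEADER = re.compile(r"^\[\d{3} .*?Request: (\d{2}/\d{2}/\d{4}) - (\d{2}:\d{2})\]$")
FIELD = re.compile(r"^([A-Za-z_ ]+):[ \t]*(.*)$")

def parse_entries(text):
    """Yield one dict per entry; empty fields (e.g. no user agent) become ''."""
    entry = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            if entry is not None:
                yield entry
            stamp = m.group(1) + " " + m.group(2)
            entry = {"time": datetime.strptime(stamp, "%d/%m/%Y %H:%M")}
        elif entry is not None and (f := FIELD.match(line)):
            entry[f.group(1).strip()] = f.group(2).strip()
    if entry is not None:
        yield entry

def classify(per_minute):
    # Assumed bands: thread cites 160/min mild, 1200/min moderate, 6000/min heavy.
    return "heavy" if per_minute >= 6000 else "moderate" if per_minute >= 1200 else "mild"

def login_attack_rates(text):
    """Map source IP -> (peak blocked wp-login.php requests in one minute, band)."""
    buckets = Counter()
    for e in parse_entries(text):
        if (e.get("REQUEST_URI", "").startswith("/wp-login.php")
                and e.get("Event Code", "").startswith("BFHS")):
            buckets[(e.get("REMOTE_ADDR", "?"), e["time"])] += 1
    peaks = {}
    for (ip, _minute), count in buckets.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return {ip: (count, classify(count)) for ip, count in peaks.items()}
```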
