Dropbear

WordPress password bots

Written by

dropbear

in

Browsing through my logs I noticed that one particular IP address was continuously trying to go to wp-login.php After a few more greps, it seems he really likes this URL. So, Mr 37.115.188.210 congratulations for testing a few things and welcome to the blocklist.

I love fail2ban, but initially I didn’t have it for the wordpress login. That needed to get fixed real quick, so a visit to the wordpress plugins site and we have WP fail2ban up and running.

And doesn’t it work well:

2013-11-21 22:54:47,742 fail2ban.actions: WARNING [wordpress] Ban 37.115.188.210
2013-11-21 22:58:29,037 fail2ban.actions: WARNING [wordpress] Unban 37.115.188.210
2013-11-21 22:58:39,450 fail2ban.actions: WARNING [wordpress] Ban 37.115.188.210
2013-11-21 23:08:40,164 fail2ban.actions: WARNING [wordpress] Unban 37.115.188.210
2013-11-21 23:09:27,241 fail2ban.actions: WARNING [wordpress] Ban 37.115.188.210
2013-11-21 23:19:27,919 fail2ban.actions: WARNING [wordpress] Unban 37.115.188.210
2013-11-21 23:20:09,991 fail2ban.actions: WARNING [wordpress] Ban 37.115.188.210
2013-11-21 23:30:10,689 fail2ban.actions: WARNING [wordpress] Unban 37.115.188.210

You get the idea! I’ve sent a message off to the responsible ISP, we’ll see how that goes.

Comments

5 responses to “WordPress password bots”

  1. Steven C. Avatar
    Steven C.

    I think you may run into issues soon, you were probably just lucky to stay off their radar until now.

    I’ve seen this activity since April, from botnets with as many as 50,000+ hosts in each. It becomes impractical to use individual iptables rules, and I think even xt_recent has an upper limit of 32768. And besides, you’d still get hit by 50,000 login attempts before all hosts are blocked, and there’s a constant turnover of zombie hosts coming/going/changing IP.

    Reply
    1. Craig Avatar
      Craig

      fail2ban will probably take care of most of them as its a five minute thing. It’s like those email bots that attempt to guess username and domain combinations. This one was particularly persistent so he got a permanent block.
      If it becomes a large problem, I’ll use some geoblock thing.

      Reply
    2. Craig Avatar
      Craig

      fail2ban will probably take care of most of them as its a five minute thing. It’s like those email bots that attempt to guess username and domain combinations. This one was particularly persistent so he got a permanent block.
      If it becomes a large problem, I’ll use some geoblock thing; I’m lucky in that I know generally who needs to get to what parts of the website.

      Reply
  2. Craig Avatar
    Craig

    The ISP Kyivstar got back to me and said their experts looked into it and basically they’re doing nothing and I should contact the police in my country. I think this shows why Ukraine has such a bad reputation on The Internet for hacking, they just do nothing.

    You’d think at least they would let their user know they might want to check their computer.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts