Hacker bots are irritating. A web server or some other server online gets hacked, malware gets installed and suddenly the server starts attacking other servers.
Here’s an example of a “POST” to jam in WordPress logon credentials, a.k.a “Brute Force” your logon:
124.123.76.91 – – [11/Aug/2016:16:30:48 -0400] “POST /wp-login.php HTTP/1.1″ 200 1571 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1”
If you see the line “POST /wp-login.php“in your web server logs and it’s a foreign IP address then that’s what’s happening…a brute force attempt.
If you have a WordPress site WordPress has some guidance to secure your site here: https://codex.wordpress.org/Brute_Force_Attacks
…it’s not all “gospel” though. They do make a funny comment too:
“It appears that most brute force attacks are from hosts from Russia, Kazachstan and Ukraine.” That’s not actually true, they come from EVERYWHERE! The US is one of the biggest abusers too!
Today; I have at the time of starting to write this post about 10 or so attacks. I mitigated the attacks a few hours later because I:
- Added their networks to the firewall
- Reported their IP’s to the abuse addresses
- If I couldn’t find an abuse address I’d have to spend time finding one and then report them
…and eventually, their childish antics stopped. What it was though in the end were about 50 servers / IP’s from various countries all trying to brute force crack the logon on a website I manage. If it were thousands or millions it might have brought my server to its knees begging for mercy.
Ain’t gonna happen hacker losers! Nice try! Instead I cut you off at the knees first hitting it with my baseball bat (firewall), then while you’re crippled I reported you to the police to go get you (your ISP) who can cut your connection in whole so you no longer have any access to the Internet.
The IP networks attacking today with this method are (far more serious, scroll down!):
79.126.192.0/18
92.100.0.0/16
124.123.64.0/19
82.217.128.0/17
83.208.64.0/18
85.186.128.0/17
189.32.192.0/18
79.112.0.0/13
190.188.128.0/19
2.27.0.0/16
88.120.0.0/13
84.108.48.0/20
125.136.0.0/13
203.87.240.0/20
5.2.128.0/17
95.30.0.0/15
49.128.167.0/24
202.142.77.0/24
83.47.0.0/16
39.45.128.0/17
80.242.96.0/22
191.32.128.0/19
93.173.0.0/16
104.176.0.0/12
201.20.80.0/20
93.171.155.0/24
109.92.0.0/15
78.160.128.0/17
211.129.0.0/16
1.22.144.0/21
185.88.24.0/22
46.164.0.0/18
89.80.0.0/12
78.129.0.0/17
67.193.0.0/16
88.7.0.0/16
49.32.52.0/24
112.203.0.0/19
193.77.128.0/18
78.1.0.0/16
79.180.0.0/18
105.156.176.0/21
2.90.0.0/17
…a hodge podge of IP’s from Russia, Japan, Pakistan, the UK and other EU countries and one from ATT in the US. I like to block entire networks and not individual IP’s because if you have one dirty server on a network there are bound to be more. Where there is smoke…someone’s high 😛
Update after 24 hours!
Although bots don’t need rest I do so after going to bed and waking up the next day I have about 200+ email alerts in my email about the hacker bot losers trying to gain access to my site with the brute force attempts again!
I had to write a little script with a cron that runs every minute. The attacks keep on coming so I’ve garnered the attention of the bot collective but resistance isn’t futile!
Here’s my script which can be improved upon and I’ll do so when I get the chance. I might try to turn it into a daemon with a white list and block list. One of the problems with doing a whois lookup is that the whois information isn’t accurate, it’s a real mess. Some people have CIDR or Network and some don’t have any information at all. I’d like to do a whois, find the CIDR (Network address block) and block the entire network not the IP but I’ll live with just the IP.
The other weakness with this script is that any legitimate person logging into their WordPress admin portal will get blocked. Again, I need to add a white list to ignore.
Here’s the script that runs every one minute: (note that this script has been updated and commented with the #)
cat /yourlogfile/here.log /anotherlogfile/here.log | grep wp-login | awk -F’-‘ ‘{print $1}’ | awk ‘!seen[$0]++’ > /wherever/you/want/your/output/hackers.txt
for hackers in $(cat /wherever/you/want/your/output/hackers.txt)
# This firewall command is only for CentOS, if you use a different firewall you’ll
# need to put your firewall command in there!
do firewall-cmd –permanent –zone=public –add-hackers-rule=’rule family=”ipv4″ source address=’$hackers’ reject’
done
What that script does then is cat’s any number of log files (apache log files and if you do virtual hosting you’ll need all your vhost log files) then dumps the cleaned IP information from anyone touching the “wp-login” or wp-login.php file that’s used for brute forcing by the hacker loser bots.
Once in the “hackers.txt” file we tell our script now “do” this command, that’s our firewall-cmd command – that happens to be the firewall command on the CentOS server I have running to add each IP found in the line to the firewall rule for the assholes 🙂
I’ve also updated this script to now use ipsets instead of ip tables. You first have to create your ipset hash:
firewall-cmd –permanent –new-ipset=hackers –type=hash:ip
firewall-cmd –reload
firewall-cmd –add-rich-rule=’rule source ipset=hackers drop’
This is a firewall command says create a permanent ipset called “hackers”, we then reload the firewall daemon. We then say drop anything matching the ipset of “hackers” and below we add hackers to the hackers IP set with another firwall-cmd.
Then you can add your ipset command to the ipset “bucket”:
for hackers in $(cat /wherever/you/want/your/output/hackers.txt)
do firewall-cmd –ipset=hackers –add-entry=$hackers
done
firewall-cmd –runtime-to-permanent
You can add things manually or delete them manually if you so desire, the changes are immediate:
Adding an entry: firewall-cmd –ipset=blacklist –add-entry=192.168.1.4
Removing an entry: firewall-cmd –ipset=blacklist –remove-entry=192.168.1.4
Although this is reactionary, it will prevent attackers from trying to brute force you on that IP address more than the one time for the entire server. You can use a WordPress application like WordFence or IQ Country Block (and I recommend them both) however those only monitor one single site and not the entire server. If the firewall sees the IP in the list already it will just echo out that the rule already exists and will move on down the road to the next one. Because on my server the log files are cycled every 24 hours the list shouldn’t get too large in a 24 hour period and should do fine with a 1 minutes cron time although I’ve now changed this to 1 hour. I also added blocking CIDR and network with this commend:
do whois -h whois.arin.net $hacker | grep CIDR | cut -d ‘:’ -f2 >> /wherever/you/want/your/output/hackers.txt
The above might also need some “cleanup” because not all whois lookups return clean results and you get some funky characters inline with the IP’s:
cat /wherever/you/want/your/output/hackers.txt | cat /wherever/you/want/your/output/hackers.txt | tr -d “%” | tr -d “provider” | tr -d “cntact hanl (ID) ” | tr -d “CRbk” | tr -d “PASN” | tr -d “Os” | tr -d “s” | tr -d “w” | tr “,” “\n” | awk NF | sort -u > /wherever/you/want/your/output/hackers.clean.txt
You might want to monitor it though. As the firewall keeps adding hosts (IPs) things will die down so you might want to adjust it to once every 10 minutes or every hour like I did until the attackers are gone. Then you can disable the cron task all together until next time or just lengthen the time by which it runs. I have one job (not this one) that only runs once per day and another that runs once per week.