Accueil > Logiciel, Réseau, Sécurité > Detect and Block WordPress Brute Force Login Attacks

Detect and Block WordPress Brute Force Login Attacks

25/09/2023 Categories: Logiciel, Réseau, Sécurité Tags: , , , , ,
Print Friendly, PDF & Email

detect and block wordpress brute forceIf you run a wordpress blog these days, you are likely to experience brute force attacks where nefarious individuals attempt to break in to your website by quickly a list of userids and passwords against your wp-login.php.  Here’s how I automated detection and blocking of WordPress brute force login attacks.

Detecting a WordPress Brute Force Attack

One can typically detect a wordpress brute force attack by parsing through your webserver’s access_log file.  The access_log file records all of the access requests that a web server handles.  A brute force attack typically will have frequent and numerous attempts to the wp-login.php file as shown below:

Example:  In the access_log file below, we detect a brute force login attack on our WordPress blog.  We detected it by noticing frequent and constant requests to the wp-login.php file.

31.192.210.159 - - [11/Sep/2014:02:01:43 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:44 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:45 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:47 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:49 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:50 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:51 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:52 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:54 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
31.192.210.159 - - [11/Sep/2014:02:01:55 +0000] "POST http://www.uptimemadeeasy.com/wp-login.php HTTP/1.1" 200 3389 "http://www.uptimemadeeasy.com/wp-login.php" "Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

Typically in an event like this, I lookup the IP address in the ARIN database as I showed in a previous article:  What Personal Information Can You Get From Your Web Server?  Frequently, I find that the address is from APAC or RIPE addresses.

Lire aussi:  How to protect from port scanning and smurf attack in Linux Server by iptables

Blocking Brute Force Login Attacks with Iptables

Obviously, we do not want to let this address continue to pound our wp-login.php with failed logins.  We need to block it.  One method that we can use to block this attack is to add a rule into iptables to block traffic from this Ip Address.
Example:  Block an Attackers IP Address in iptables.  

$ sudo iptable -A INPUT -s 31.192.210.159/32 -j DROP

This rule will start blocking the WordPress brute force attack.  As fun as that was, it may get a bit laborious to watch and do this manually.  We can create a script to check for these brute force attacks and block them automatically.

Automating Brute Force Attack Detection and Blocking with a Script

So, in an effort to automate my WordPress brute force attack detection and blocking, I wrote the script below.  It will log events using the syslog facility and text me when it detects an event.  Hopefully, it will help somebody else.

#!/bin/bash
# Capture the input variables
ACCESSLOG=$1
THRESHOLD=$2

# Restart iptables to be sure that only saved rules are recreated later
/sbin/service iptables restart

# First, we need to get the last 1 hour of transaction the logs:
# get the line number from the access_log file 1 hour ago.
HOURAGO=`date +%d/%b/%Y:%H -d "1 hour ago"`

# Now, get the line from the access_log from one hour ago
LINENUM=`/bin/grep -n ${HOURAGO} ${ACCESSLOG} | head -1 | awk -F':' '{print $1}'`

# Use the line number from 1 hour ago, to get all the transactions from
# then until now into a temporary log
TMPLOG=.tmpaccess_log_lasthourreport_`date +%d-%b-%Y-%H`.log
/bin/sed -n "${LINENUM},\$p" ${ACCESSLOG} > $TMPLOG

# Now, get all of the IP Addresses that have accessed wp-login.php
IPADDRESSES=(`/bin/grep wp-login.php ${TMPLOG} | /bin/awk '{print $1}' | sort | uniq -c | sort -rn | awk '{printf "%s:%s\n", $1, $2}'`)

# Now that we have our list of addresses, we need to create iptables rules for the eggregious offenders - those over our threshold

for i in "${IPADDRESSES[@]}"
do
 TIMES=`/bin/echo $i | /bin/awk -F":" '{print $1}'`
 IPADDRESS=`/bin/echo $i | /bin/awk -F":" '{print $2}'`
 if [ ${TIMES} -ge ${THRESHOLD} ]
 then
 echo "Attack Detected: ${IPADDRESS} had ${TIMES} instances! "
 # Verify that the address hasn't already been added to iptables
 if ! grep -q ${IPADDRESS} /etc/sysconfig/iptables
 then
 # Add an iptables firewall rule
 /sbin/iptables -I INPUT -s ${IPADDRESS} -j DROP
 # Log this event using the syslog facility
 /usr/bin/logger -p local0.info -t "- $0 detected WordPress brute force attack from ${IPADDRESS}. Blocking this address in iptables."
 # Send an alert to my cell phone
 /bin/echo "`hostname` WordPress Brute force attack detected from ${IPADDRESS}." | /usr/bin/mutt -s "WP Brute Force Attack Detected" 8011234567@txt.att.net
 fi
 fi
done

# Save our rules!
/sbin/service iptables save

# Now for a little cleanup
rm -f ${TMPLOG}

Here is how it is run:

$ sudo ./findattacks.sh <path to access_log file> <threshold>

where threshold is the number of matching lines in the access_log before it is enough to trigger a block.
Remember to cron it to make it automated:

*/20 * * * * /usr/local/sbin/findattacks.sh /var/log/varnish/varnishncsa.log 200

This script has protected me from a bunch of brute force attacks.  I hope that this script helps you Detect and Block WordPress Brute Force Login Attacks on your website.

Lire aussi:  Bandwidth monitoring with iptables

Source: uptimemadeeasy.comJeff Staten

Categories: Logiciel, Réseau, Sécurité Tags: , , , , ,
Les commentaires sont fermés.