a positive response

Whenever my logs show evidence of unwanted behaviour I check what has happened and, if I decide there is obviously hostile activity coming from a particular address, I will usually bang off an email to the abuse contact for the netblock in question. Most times I never hear a thing back, though I occasionally get an automated response.

Today, after finding over 23,000 automated attempts to access the admin page of trivia, I sent off my usual notification to the netblock owner (“Hey, spotted this coming from you, a bit annoying”). Within a couple of hours I got an automated acknowledgement asking me to authenticate myself by response. A couple of hours after that, I got a human response saying “We’ve dealt with it. Your address is now blocked”. I’ve never had that helpful a response before.

The ISP was Russian.

Permanent link to this article: https://baldric.net/2012/10/05/a-positive-response/

2 comments

    • David on 2012/10/08 at 11:25 pm

    I have recently started using the “Limit Login Attempts” plugin for WordPress to at least slow these down. Ideally I’d integrate it into fail2ban or denyhosts but I haven’t got that far yet.

    I added one IP (5.39.218.138) to iptables manually after it hit the limit a few too many times; so far I’ve dropped 1456 packets. That’s one persistent bot!

    • Mick on 2012/10/09 at 9:14 pm
      Author

    David

    I’d say over 23,000 failed attempts when it was getting a redirect and ignoring it is both persistent and stupid. But then bots tend to lack intelligence. I actually redirect logins and access to wp-admin to SSL (to protect myself from exposing my passwords), but I also limit access to my home IP address. However, that incident has exposed a flaw in the logic of my lighttpd config which I am still investigating. The bot should have just been refused, but it seems to have been getting an unexpected redirect from somewhere.

    I don’t like fail2ban, because of an [irrational, “old skool”] distaste for setuid scripts. And I try to limit the number of plugins I have for reasons of both security and simplicity.
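
The log check described in the post and the redirect-instead-of-refusal symptom from the last comment can be combined into one pass over the access log. This is an added example, not code from the post or its commenters. It assumes a combined-style access-log line, a hypothetical allow-listed home address (192.0.2.10), and 403 as the status a refused client should see; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (documentation-range addresses), in the common
# 'host ... "METHOD path PROTO" status bytes' access-log shape (assumed format).
SAMPLE_LOG = """\
203.0.113.7 blog.example - [05/Oct/2012:09:00:01 +0100] "GET /wp-login.php HTTP/1.1" 301 0 "-" "bot"
203.0.113.7 blog.example - [05/Oct/2012:09:00:02 +0100] "POST /wp-login.php HTTP/1.1" 301 0 "-" "bot"
203.0.113.7 blog.example - [05/Oct/2012:09:00:03 +0100] "GET /wp-admin/ HTTP/1.1" 301 0 "-" "bot"
198.51.100.20 blog.example - [05/Oct/2012:09:01:00 +0100] "GET /wp-admin/ HTTP/1.1" 403 345 "-" "Mozilla"
192.0.2.10 blog.example - [05/Oct/2012:09:02:00 +0100] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla"
203.0.113.7 blog.example - [05/Oct/2012:09:02:05 +0100] "GET /index.php HTTP/1.1" 200 900 "-" "bot"
this line is not a log entry
"""

# Client address, request path and status code from one log line.
LINE_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+)[^"]*" (\d{3}) ')
# WordPress login page and anything under /wp-admin.
ADMIN_RE = re.compile(r'^/(wp-login\.php|wp-admin(/|$))')


def admin_hits(log_text):
    """Return {client_ip: Counter({status: count})} for admin-page requests."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and ADMIN_RE.match(m.group(2)):  # unparseable lines are skipped
            hits[m.group(1)][int(m.group(3))] += 1
    return hits


def policy_gaps(hits, allowed, refused_status=403):
    """Clients outside the allow-list that got something other than a refusal.

    A non-empty result means the access restriction is not doing what was
    intended, e.g. a redirect rule answering before the address check.
    """
    gaps = {}
    for ip, statuses in hits.items():
        if ip in allowed:
            continue
        unexpected = sum(n for s, n in statuses.items() if s != refused_status)
        if unexpected:
            gaps[ip] = unexpected
    return gaps


if __name__ == "__main__":
    hits = admin_hits(SAMPLE_LOG)
    for ip, count in policy_gaps(hits, allowed={"192.0.2.10"}).items():
        print(f"{ip}: {count} admin requests not refused: {dict(hits[ip])}")
```
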
