Whenever my logs show evidence of unwanted behaviour I check what has happened and, if I decide there is obviously hostile activity coming from a particular address, I will usually bang off an email to the abuse contact for the netblock in question. Most times I never hear a thing back, though I occasionally get an automated response.
Today, after finding over 23,000 automated attempts to access the admin page of trivia, I sent off my usual notification to the netblock owner (“Hey, spotted this coming from you, a bit annoying”). Within a couple of hours I got an automated acknowledgement asking me to authenticate myself by response. A couple of hours after that, I got a human response saying “We’ve dealt with it. Your address is now blocked”. I’ve never had that helpful a response before.
The ISP was Russian.
2 comments
I have recently started using the “Limit Login Attempts” plugin for WordPress to at least slow these down. Ideally I’d integrate it into fail2ban or denyhosts but I haven’t got that far yet.
I added one IP (5.39.218.138) to iptables manually after it hit the limit a few too many times; so far I’ve dropped 1456 packets. That’s one persistent bot!
Author
David
I’d say over 23,000 failed attempts when it was getting a redirect and ignoring it is both persistent and stupid. But then bots tend to lack intelligence. I actually redirect logins and access to wp-admin to SSL (to protect myself from exposing my passwords), but I also limit access to my home IP address. However, that incident has exposed a flaw in the logic of my lighttpd config which I am still investigating. The bot should have just been refused, but it seems to have been getting an unexpected redirect from somewhere.
I don’t like fail2ban, because of an [irrational, “old skool”] distaste for setuid scripts. And I try to limit the number of plugins I have for reasons of both security and simplicity.