Sick of botnets? This might help… (Not a support request.)
So, plenty of us have gotten hammered by botnets recently. Using fail2ban and this plugin does help, but a lot of us still have a problem. I’m getting hit by thousands of different IPs a day and they are only reusing the IPs once or twice. The login requests themselves are relatively resource intensive and, when enough come all at once, they can bring a small server to its knees pretty quickly.
There are some suggestions out there for using mod_rewrite and checking referrer and/or IP address but they all have their drawbacks. (Just try getting it right with multi-siting, multiple users, and a CDN or two.)
Here’s what I did… I added the following to wp-fail2ban.php:
```php
// Added to wp-fail2ban.php: any login whose username starts with "adm" is
// rejected and logged in the same syslog format the plugin already uses, so
// the existing fail2ban jail picks it up. Priority 1 runs before WordPress's
// own username/password check; the closure receives all three arguments.
add_filter('authenticate', function ($user, $username, $password) {
    if (preg_match('/^adm.*/i', $username)) {
        openlog('wordpress(' . $_SERVER['HTTP_HOST'] . ')', LOG_NDELAY | LOG_PID, LOG_AUTH);
        syslog(LOG_NOTICE, "Authentication failure for $username from {$_SERVER['REMOTE_ADDR']}");
        die; // end the request outright: these are never real users
    }
    return $user;
}, 1, 3);
```
It’s admittedly just a hack. And it’s based on the fact that somewhere north of 99.9% of the attacks I’ve seen are aimed at the “admin” user and another .09% are aimed at users like ‘adminadmin’, ‘Administrator’, and ‘adm’. (Of course, I don’t have any valid admin users with obvious usernames like that, so this works for me.)
Maybe I should send back a 403 or something, but immediately dying works fine as these aren’t real users anyway.
The reason I modified wp-fail2ban.php rather than just add this as a separate plugin is because I still want to log the failures–I blacklist these IPs–and it seemed reasonable to do it all in one place.
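An added example, not code from the post above or from the wp-fail2ban plugin: the same idea packaged as a standalone plugin that returns a WP_Error (the "send back a 403 or something" option the post mentions) instead of calling die, while still writing the same syslog line so an existing fail2ban jail matches it. The plugin name, the `boau_` prefix and the blocked-username pattern are assumptions chosen for illustration. It hooks `authenticate` at priority 30 rather than 1: WordPress's own username/password and email/password checks run at priority 20 and, when both username and password are non-empty, they look the user up regardless of any WP_Error passed in to them, so a rejection returned at priority 1 is overridden, whereas one returned after them is what wp_signon sees.

```php
<?php
/*
Plugin Name: Block Obvious Admin Usernames (example)
Description: Rejects logins for usernames no real account uses and logs them for fail2ban.
*/

// Assumed pattern: usernames that exist on no account on this site.
const BOAU_BLOCKED_PATTERN = '/^(adm|administrator)/i';

/**
 * Log the failure in the same line format as the snippet in the post, so an
 * existing fail2ban filter keeps matching. Control characters are stripped
 * from attacker-supplied values first, so a crafted username cannot inject
 * a fake log line that fail2ban would parse as a different event.
 */
function boau_log_failure($username) {
    $clean = function ($value) {
        return preg_replace('/[\x00-\x1f\x7f]/', '', (string) $value);
    };
    $host = $clean(isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'unknown');
    $ip   = $clean(isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown');
    $user = $clean($username);

    openlog('wordpress(' . $host . ')', LOG_NDELAY | LOG_PID, LOG_AUTH);
    syslog(LOG_NOTICE, "Authentication failure for $user from $ip");
    closelog();
}

/**
 * authenticate filter callback. Returning a WP_Error here (after core's own
 * checks at priority 20) makes the login fail even if the username happens
 * to exist with the right password.
 */
function boau_reject_blocked_usernames($user, $username, $password) {
    if ($username !== '' && preg_match(BOAU_BLOCKED_PATTERN, $username)) {
        boau_log_failure($username);
        // Same generic message for blocked and wrong-password cases, so the
        // response does not reveal which usernames are treated specially.
        return new WP_Error('boau_blocked', '<strong>Error:</strong> Invalid username or password.');
    }
    return $user;
}
add_filter('authenticate', 'boau_reject_blocked_usernames', 30, 3);
```

Returning WP_Error means WordPress still renders the normal login page with the error, which costs a little more than die but keeps the response indistinguishable from an ordinary failed login. As the post notes for CDN setups, `REMOTE_ADDR` is the address of the proxy in front of the site, so the logged IP is only useful for banning when WordPress sees the client's real address.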