awyork
Forum Replies Created
-
Fair enough. I guess there must be a technical reason. It should block though.
Truncate is a DDL command vs a DML command. Those commands take elevated privileges. Does the user account have the right permissions?
Some databases have a safe delete mode and require another step to get mass delete commands to work. This can be turned on/off. (This shouldn’t be a problem with truncate though.)
It’s possible you truncate command will cause a foreign key constraint violation. (This might be the problem you’re seeing.)Here’s another hour long attack that had to be manually blocked. The user name was “user”.
It was blocked by the global firewall at 4:15:16 AM (the last three numbers are 503) but
the rest were allowed. The “user” account should have been blocked the first time.
These attempts are about 2 minutes apart.
The brute force settings are 7 attempts over 2 hours.
The bulk force lockout is 4 hours.
The FW lockout is 6 hours.
The Wordfence “global” block was only good for 10 minutes. Then the attacker came back.
This is at least the 3rd of these attack patterns.
These attacks seem to be targeted to Wordfence. The attacker waits 10 minutes when the
“global” block happens.
“global” = blocked by the Wordfence Security Network
The WAF does not seem to want to apply to the username “user” at all. There is an account
in WP that has that name but it’s set to no permissions.
I tried with a user “xxxx” and was rejected after 7 bad passwords, but when the username
“xxxx” is in the block immediately list, the username “xxxx” was not blocked on the first
attempt. The immediate block only seems to work for invalid users.
It looks like I am seeing two different problems.
Sorry for the formatting. This is a copy/paste of the Live Traffic Screen. I cannot find
a useful export option. I’ve added spaces to the first line. I also added spaced where
the attack was blocked by the “Global” FW rule for 10 minutes.
Something is clearly not working correctly. It does not seem to be a configuration issue.
Amsterdam, The Netherlands /wp-login.php 9/3/2025 4:43:15 AM 178.16.53.98 178.16.53.98 200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:41:19 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:39:24 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:37:33 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:35:43 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:33:53 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:32:04 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:30:13 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:28:23 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:28:23 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:26:30 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands /wp-login.php 9/3/2025 4:15:16 AM 178.16.53.98 178.16.53.98 503
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:13:23 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:11:28 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:09:36 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:07:48 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:05:59 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:04:15 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:04:15 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:02:29 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 4:00:35 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:58:44 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:56:59 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:55:20 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:53:40 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:52:01 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:50:23 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:48:44 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:47:06 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:45:22 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:45:22 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:43:37 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:41:57 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:40:21 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:38:47 AM178.16.53.98178.16.53.98200
Amsterdam, The Netherlands/wp-login.php9/3/2025 3:37:13 AM178.16.53.98178.16.53.98200- This reply was modified 7 months ago by awyork. Reason: Trying to fix the formatting but WP is fighting me too hard
Didn’t try. Per the documentation on Bitnami, the file I edited did the job.
Some plugins, during their installation, create a .htaccess file in either the /opt/bitnami/APPNAME/ or in the /opt/bitnami/apps/APPNAME/plugins/ directory that cannot be read by Apache. For that reason, we recommend moving the content of that file to the /opt/bitnami/apache/conf/vhosts/htaccess/APPNAME-htaccess.conf file.
https://docs.bitnami.com/aws/apps/wordpress/administration/use-htaccess/That IP lockout is set to six hours. Based on the logs it’s not following this rule as each log entry is only 5 minutes apart. It’s clearly not getting blocked. There are no entries saying it was actually blocked. I tested and it’s not blocking “user”. Anything else in that list gets immediately blocked. As the rule suggest.
It says “Unblock IP” because I manually added a permanent block.
- This reply was modified 7 months ago by awyork.
I’ve tested with a phone and a different browser. It pulled up both times for me. Flickr has become spammy.
I saw something similar. The IP was blocked then the block was released:
https://flic.kr/p/2rr4EHmSounds like your IP changes a lot or you’re using NAT and effectively sharing your IP with other users on your network. If anyone on a NAT network also tries to login, they will also increase the failed login attempts. If you are whitelisting your IP and using NAT then make sure its the public IP you whitelist.