Support

 I'm getting login dictionary attacks at the rate of about every two minutes from IP addresses in the Russian Federation. I am assuming it is a bot judging from the frequency. I'm getting email notifications. This has been going on for about 24 hours.

I'm reasonably sure that Admin Tools is deflecting the attacks.

I'm using the secret word to protect the admin directory. I'm the only user. The IP address I use to access is the site whitelist.

The attacks are coming from a different IP address each time and I am unable to track the IP owner (not suprised either)

I thought it might be a good idea to log the IP addresses even though I am reasonably sure Admin Tools is blocking them. However, in the section of WAF configuration where it shows do not log the reasons, it shows Do not log GeoIP. When I uncheck that option in both places and save the configuration, nothing happens. It still shows that Admin Tools is not logging attacks from IP addresses in the GeoIP database even though Admin Tools is repelling the attacks.

I use the GeoIP database, but the assessment you made in the docs is correct. It doesn't stop the attacks.

Am I missing something here? Is there something else I should be doing?

Not logging the GeoIP blocks is a default setting. There could be thousands of these blocks, telling Admin Tools to log them has the potential to act as a denial of service attack on your site. The site is so busy logging GeoIP blocks that it doesn't have time to service legitimate visitors. The size of the log file could be a negative side effect as well.

I agree with your assessment that it is a bot. It is rotating the IP addresses just to avoid the auto IP ban. Generally speaking, hackers don't use their own IP addresses so not being able to track them is not unusual.

If you are seeing the attempts in the Security Exceptions Log, then they were unsuccessful. There are three reasons why they can't log in. They don't know the secret parameter, they don't know the password and they come from the wrong country. I believe that Admin Tools checks the secret password before it checks the GeoIP, so you are always going to see the admin login attempt blocked.

You can't prevent them from trying to hack your site, you can only prevent them from succeeding.

Yes, the originating IP address shows in the exception logs. To be on the safe side I limit the log length to 100 entries and Admin Tools rolls them at 100 so I always have the older logs.

In many previous incidents, I can track the IP owner via http://ip-lookup.net, but that only identifies the owner of the IP address, not always who is using it. I do file abuse reports when the the attacks come from US companies. Sometimes it works, sometimes not. Amazon Web Services is death on hackers using their services. They usually shut them down within minutes of filing an abuse report.

I figure hackers are only renting or leasing IP space w/o a domain name.

This is mostly annoying, but it has its upside,I've learned way more about security just working with Admin Tools.

I think that in even more cases hackers are using "stolen" IP addresses of compromised computers or websites. If they are paying for IP addresses then there has to be some profit motive for cracking the sites. I guess we all have expensive hobbies that we are willing to pay for but paying to set a bot loose trying to crack sites doesn't float my boat.

This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.