Support

 Hi there,

This is not strictly a support request but rather a question about people trying to log in to the admin back end.

I have been absolutely shocked to see the number of attempts that have been made! The IP address shows up as trying twice.... Then about an hour later another two attempts. Whoever these people are - they have learned that they get black listed after three attempts - so they only try twice. :-)

Surely no-one at all should be attempting to log in to the admin back end of my site!

Should these repeated attempts not be reported to some law enforcement agency?

My service provider just said there were no "POST" transactions so there was no harm done. This is true - thanks to your Admin Manager and two factor authentication.... but why did anyone even attempt it? Surely they are up to no good?

I assume if they are attempting to log in to my site - then they are attempting to log in to my other sites? Is this not an attempt to gain access to as many sites as possible in order to launch a DOS attack? Do you log these attempted log ins? If you pick up repeated attempts by the same IP address over the many web sites that you protect surely they should be reported to some law enforcement agency? If you need my permission - you absolutely have it!

Kind regards,

Tony Robson.

Tony,

Hackers don't use their own IP addresses. Even if you could get law enforcement interested and they tracked down the computer, all you would find is an innocent victim with a hacked computer. That's why we recommend temporary bans rather than permanent bans on IP addresses.

Yes, someone is trying to access your site for the purpose of taking it over and doing something illegal or immoral. The part that you didn't state is that it probably isn't human, it is a script that hits your site twice then goes on to a thousand other sites before trying yours twice again. And it is going 24 hours a day, 7 days a week. And if you tighten your security enough to ban the IP, the script will just switch to another open proxy server or another compromised computer. You can't stop them from trying, you can only stop them from succeeding. And you are doing a pretty good job of that.

You can add the secret URL parameter to your bag of tricks. It is on the first tab of the WAF Configuration screen. When there is a value in that field, a "password" if you will, then your back end login has to be called in the format: www.mysite.com/administrator/index.php?secret, where "secret" is the value of the field. If they can't find the login screen, it is even harder to log in. This is a pretty passive security layer because you can put the secret parameter in your bookmark and it is invisible to the user.

This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.