Multiple attempts to hack into wp-login from same IP
Re: Multiple attempts to hack into wp-login from same IP
Hello,
So... it is happening on our servers too ... targeting only WP-login. Just hit about 10 of our servers.
Multiple HTTP requests on wp-login.php. We managed to block the IPs and we also put a "die" in wp-login.php temporarily.
How can we block this?
-
- Junior Member
- Posts: 73
- Joined: 16 Nov 2010, 22:49
Re: Multiple attempts to hack into wp-login from same IP
Here are my settings.
# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"
These IPs do NOT show up in any MOD SEC logs.
Mod Security is NOT catching these since they are only calling a direct link to WordPress login URLs, i.e.: hXXp://www.domainname.tld/wp-login.php
So Mod Security is not going to help here.
This is an attack that I'm pretty sure csf does not yet detect. That's why I asked if it was possible.
Re: Multiple attempts to hack into wp-login from same IP
Just adding my voice to those with this issue today. Had major load problems today with this attack. Blocked a bunch of IPs and lowered my FastCGID idle timeout to 120 seconds which seemed to have helped with the load or it's just less right now coincidentally.
Re: Multiple attempts to hack into wp-login from same IP
Yes, happening here too, high load due to wp-login.php attempts. Is there any way to create a custom rule to look through the domain logs for multiple wp-login.php attempts and block after 10 or so access attempts from the same IP within 1 min?
Re: Multiple attempts to hack into wp-login from same IP
Almost 50 servers were under attack in the same way. The numbers are common: 2136 hits for a domain from an IP.
93.142.203.126 - - [09/Apr/2013:13:50:26 -0400] "POST /wp-login.php HTTP/1.1" 200 3840 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:16.0.1) Gecko/20121011 Firefox/16.0.1"
93.142.203.126 - - [09/Apr/2013:13:50:26 -0400] "POST /wp-login.php HTTP/1.1" 200 3840 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1309.0 Safari/537.17"
IPs are from different locations.
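The custom rule asked for earlier in the thread (about 10 wp-login.php attempts from the same IP within 1 minute), written as a standalone scan over access log lines in the format quoted above. This is an added example, not code from any poster or from csf; the function names, the POST-only filter and the sample log lines are assumptions constructed for illustration, and the script only reports offending IPs, leaving the actual block to the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format: client IP, [timestamp], "METHOD path protocol".
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_offenders(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak hit count} for IPs reaching `threshold` POSTs to
    wp-login.php inside a sliding `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip malformed or truncated lines
        ip, stamp, method, path = m.groups()
        # Assumption: only POSTs count; the query string is ignored.
        if method != "POST" or not path.split("?", 1)[0].endswith("/wp-login.php"):
            continue
        try:
            now = datetime.strptime(stamp, TIME_FMT)
        except ValueError:
            continue              # unparseable timestamp
        q = recent[ip]
        q.append(now)
        while now - q[0] >= window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

def constructed_sample():
    # Constructed log lines (documentation IP ranges), not taken from the thread.
    base = datetime(2013, 4, 9, 13, 50, 0, tzinfo=timezone(timedelta(hours=-4)))
    def line(ip, sec, method="POST"):
        ts = (base + timedelta(seconds=sec)).strftime(TIME_FMT)
        return f'{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" 200 3840 "-" "Mozilla/5.0"'
    return ([line("198.51.100.7", 2 * i) for i in range(12)]          # fast burst
            + [line("203.0.113.9", 30 * i) for i in range(12)]        # slow, stays under
            + [line("192.0.2.5", i, "GET") for i in range(15)])       # page loads only

if __name__ == "__main__":
    for ip, peak in find_offenders(constructed_sample()).items():
        print(f"{ip} reached {peak} wp-login.php POSTs within 60s")
```

Because the count is per IP, a distributed attack that spreads its requests thinly across many addresses stays under the threshold and needs a per-site or per-account limit as well.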
Re: Multiple attempts to hack into wp-login from same IP
Although loath to post WHT links, this discussion is offering some mod_sec information that may work.
http://www.webhostingtalk.com/showthread.php?t=1255387
http://www.webhostingtalk.com/showpost. ... stcount=42
Re: Multiple attempts to hack into wp-login from same IP
The links provided by dvk01 to the mod sec rules didn't work.
The attacks started at exactly 1:00 PM central time.
Before then, all was fine and quiet. They will continue from now until about 5:30 PM central time (which is when they stopped yesterday).
I'm about to try the links that sawbuck just supplied.
Re: Multiple attempts to hack into wp-login from same IP
Thanks sawbuck for the WHT link, I found a solution with ModSec there :-) (solution by Patrick)
Re: Multiple attempts to hack into wp-login from same IP
Patrick did the trick, I confirm that this rule is working +1
orditeck wrote: Thanks sawbuck for the WHT link, I found a solution with ModSec there :-) (solution by Patrick)