WOW! I'm definitely a novice at this, but this is quite surprising ... In my access log, I have several IP's that are requesting the same login page thousands of times. See examples below. Also, none of the requests have a referer or browser in the log record. I'm thinking that the lack of browser indicates that a program is submitting the request, not a person at a browser. (Let alone the fact that there are 186k requests in 2 hours would indicate that as well ....) So now my question is expanding ... Now I think my site is getting a significant amount of hacking attempts. But as I said I'm a novice ... Does this look like I'm being hacked? Should I add these IP addresses to iptables? I have installed "fail2ban", but I just left it at the default configuration. Do I need to start working with that? Thanks, Josh Examples of login requests .... 37.59.11.6 - - [08/Apr/2015:20:29:03 +0000] "POST /wp-login.php HTTP/1.0" 200 11141 "-" "-" time span - 21 hrs count - 76700 173.246.41.63 - - [28/Apr/2015:13:36:38 +0000] "POST /wp-login.php HTTP/1.0" 200 11072 "-" "-" time span - 7 hrs count - 17955 74.204.189.179 - - [28/Apr/2015:21:06:30 +0000] "POST /wp-login.php HTTP/1.0" 200 11178 "-" "-" time span - 20 hours count - 125685 5.196.241.194 - - [01/May/2015:22:37:25 +0000] "POST /wp-login.php HTTP/1.0" 200 11324 "-" "-" time span - 2 hrs count - 186157 84.19.174.28 - - [01/May/2015:22:12:49 +0000] "POST /wp-login.php HTTP/1.0" 200 10995 "-" "-" time span - 8 hrs count - 107285 -----Original Message----- From: Eric Covener [mailto:covener@xxxxxxxxx] Sent: Tuesday, May 05, 2015 5:15 To: users@xxxxxxxxxxxxxxxx Subject: Re: Deny <ip address> didn't work On Mon, May 4, 2015 at 7:33 PM, Joshua Smith <joshuasmith@xxxxxxxxx> wrote: > In both cases, when i monitored my site with the 'server-status' > module, the ip address was still there, with sometimes more than 30 > requests, and all for the same page, which was ..../login.php. And it > continued to be there for the next 30 minutes until it just dropped > off, but i was doing nothing to stop it at that point. Both of your rules just change the response for this IP, they don't block it from sending requests. What does the access log say? -- Eric Covener covener@xxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|