Redirect to honeypot

This forum is for general questions about extensions for Joomla! version 1.5.x.

biggatings
Joomla! Fledgling
Posts: 1
Joined: Thu Jan 21, 2010 9:27 pm

Redirect to honeypot

Post by biggatings » Thu Dec 15, 2011 2:11 pm

Hi All,
I have recently been hit with a large number of attempts on the back end of my site. I have RS Firewall and JSecure installed, so every time someone makes a failed attempt I get an email. In the past day and a half, I have gotten well over 200 emails.

Is there a way that I can prevent this, or at least limit it from happening? I have read that I cannot change the name or location of the admin folder because components rely on it and it will probably break my site. What I would love to do is only accept a few IP addresses and have everything else redirected to a honeypot or something that will keep these bots off my site.

Any suggestions?

Z9iT
Joomla! Enthusiast
Posts: 166
Joined: Fri Oct 14, 2011 8:15 am

Re: Redirect to honeypot

Post by Z9iT » Mon Dec 19, 2011 7:14 pm

I am ignoring that you are using RS Firewall and JSecure, and suggesting what I think should be more powerful than this.
1) Password protect your admin directory (with .htaccess files, if supported by your server).

2) Provide leech protection to the above. Make it even more conservative by allowing only one instance of a successful login. If someone tries to log in a second instance, the account should get disabled.

3) Set the session lifetime as low as possible. I think 10 mins is more than enough.

4) Add a permanent 301 redirect to your admin directory, and disable it whenever you want to log in to the backend.

5) Edit the login.php file in the admin directory so that only the login username and password fields are left and nothing else on that page. Place them far apart so that no one can even make a wild guess that it's a login page.
Being more of a geek-freak, you can add Google Analytics code to this.

6) If you have a static IP, that's wonderful; you can allow access to the admin directory from that particular IP only (Google this; hopefully .htaccess files will do that for you).

7) Have proper file permissions (755/644) and follow the security checklist.

8) I am done with the points. :) Even doing two of them will make your friends say that you are a freak (as I faced), but you can try all of them. :p
http://z9it.com....Bringing the best of www, in a gist...

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Redirect to honeypot

Post by leolam » Thu Dec 22, 2011 5:32 am

Z9iT wrote: I am ignoring that you are using RS Firewall and JSecure, and suggesting what I think should be more powerful than this.
Glad you acknowledge it is just your own opinion.
Z9iT wrote: 2) Provide leech protection to the above. Make it even more conservative by allowing only one instance of a successful login. If someone tries to log in a second instance, the account should get disabled.
Interesting suggestion, especially when one has multiple admins.
Z9iT wrote: 3) Set the session lifetime as low as possible. I think 10 mins is more than enough.
That is in many cases not enough at sites where a lot of text is being used and people are creating online content. You will be kicked out before saving (most forget to save/apply before finishing). Default Joomla settings are OK.
Z9iT wrote: 4) Add a permanent 301 redirect to your admin directory, and disable it whenever you want to log in to the backend.
Again, an interesting idea when you have multiple admins... Give all of them access to .htaccess? Secure?
Z9iT wrote: 5) Edit the login.php file in the admin directory so that only the login username and password fields are left and nothing else on that page. Place them far apart so that no one can even make a wild guess that it's a login page.
Are bots that stupid?
Z9iT wrote: 6) If you have a static IP, that's wonderful; you can allow access to the admin directory from that particular IP only (Google this; hopefully .htaccess files will do that for you).
These days IPs are most often dynamic.
Z9iT wrote: 7) Have proper file permissions (755/644) and follow the security checklist.
Well, that's real good advice!

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

MikeHell
Joomla! Apprentice
Posts: 43
Joined: Tue Mar 13, 2007 12:52 am

Re: Redirect to honeypot

Post by MikeHell » Thu Dec 22, 2011 7:22 pm

Hi biggatings.

Instead of criticising other posters in this thread and ignoring your question altogether, I will offer you a few suggestions.
biggatings wrote: What I would love to do is only accept a few IP addresses and have everything else redirected to a honeypot or something that will keep these bots off my site.
If you are using the latest version of jSecure, you can already whitelist IP addresses, and you can also set a custom URL redirect for failed login attempts.

The Redirect Failed Login extension -> http://extensions.joomla.org/extensions ... ccess/6495 also allows you to redirect failed logins to a URL of your choosing, plus specify a time delay to slow down brute-force login attempts.
This little plugin allows you to manage failed login attempts.

The latest version can deter hackers by adding a programmable time delay after a failed login attempt. Upon a failed login attempt, you can redirect to a page in your Joomla site, redirect to a completely different site, or not redirect at all (default).

Optionally, you can have it display a custom message such as "Login Failed - please try again".
Other than that, if you are the only administrator, then I think placing a .htaccess file in the admin directory and whitelisting your IP address or IP range there is a good solution too.

If you also need a simple honeypot script to log the details of anyone who has been redirected from the failed admin login attempts, I can make something for you (for free) and post it here.
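The IP whitelist plus password-protected admin directory that Z9iT and MikeHell describe, written out as an added example (not code from either poster, jSecure or the Redirect Failed Login extension). It assumes Apache with .htaccess overrides enabled for Limit and AuthConfig; the IP addresses, the .htpasswd path and the /honeypot.html page are placeholders you would replace with your own.

```apache
# Added example: /administrator/.htaccess for a Joomla 1.5 site on Apache.
# Apache does not allow comments at the end of a directive line,
# so every comment here sits on its own line.

# 1. IP whitelist (Apache 2.2 syntax, current in the Joomla 1.5 era).
#    Everything not listed is refused before Joomla's login page even loads.
Order Deny,Allow
Deny from all
# placeholder: your own static address
Allow from 203.0.113.10
# placeholder: a whole range, useful when your provider hands out dynamic IPs
Allow from 198.51.100.0/24

# 2. HTTP basic auth as a second gate in front of the Joomla login form.
#    With the default "Satisfy All", a visitor must pass BOTH the IP check
#    and the password prompt. Keep the .htpasswd file outside the web root;
#    create it with:  htpasswd -c /path/outside/webroot/.htpasswd adminuser
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# 3. Send anyone who failed the IP check to a harmless decoy page instead of a
#    bare 403. The page lives in the site root so it is reachable by everyone;
#    Apache still returns status 403, so the bot learns nothing about the login.
ErrorDocument 403 /honeypot.html

# Apache 2.4 equivalent of steps 1 and 2 (replace the Order/Deny/Allow and
# Require valid-user lines above with this block):
# <RequireAll>
#     Require ip 203.0.113.10 198.51.100.0/24
#     Require valid-user
# </RequireAll>
```

Test it from an address that is not on the list before relying on it: a 403 (or the honeypot page) means the whitelist is active, while seeing the Joomla login form means the server is ignoring the .htaccess file.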

Z9iT
Joomla! Enthusiast
Posts: 166
Joined: Fri Oct 14, 2011 8:15 am

Re: Redirect to honeypot

Post by Z9iT » Sun Dec 25, 2011 7:15 pm

@leolam,
I appreciate that you acknowledged my post.

You asked,
leolam wrote: Are bots that stupid?
I agree it's silly to modify login.php; however, it works well when you have a bunch of unethical friends. I remember one of my friends sneaked into my PC just to find my admin username and password saved somewhere; however, my kung fu was stronger than his... he managed to reach the admin page, but banged his head for 3 hrs to find the login box... lolz... hahahaha :geek: :laugh:
http://z9it.com....Bringing the best of www, in a gist...