The Joomla! Forum ™



PostPosted: Thu Jul 18, 2013 1:42 pm 
Joomla! Explorer

Joined: Thu Sep 15, 2005 6:04 pm
Posts: 353
Location: Little Rock, Arkansas
I don't know about others within the J community but, we have seen large spikes in brute force password attempts on our servers this year. Just like WP had previously..

We did some digging and it seems like these guys are building tools specifically for Joomla now like [removed]

Other than strong passwords, what are some measures you guys are using? We did a mod_security rule recently that we're testing now that might need some beefing up. Not sure.. I'll share here.

What this mod_sec rule does (designed to do) is watch the joomla administrator URL path and repeated attempts are recorded and then long delays are put into place if you get past so many attempts.

Code:
<LocationMatch ^/administrator/index.php>
# Per-client collection keyed on the remote address (persists across requests).
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
# Count failed logins by matching Joomla's error text. RESPONSE_BODY is only
# populated when SecResponseBodyAccess is On.
SecRule RESPONSE_BODY "Username and password do not match" "phase:4,pass,setvar:ip.failed_logins=+1,expirevar:ip.failed_logins=10"
# After more than 3 failures, delay the response by 3 seconds.
SecRule IP:FAILED_LOGINS "@gt 3" "phase:4,allow,pause:3000"
</LocationMatch>

_________________
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com


Last edited by mandville on Fri Jul 19, 2013 12:37 am, edited 1 time in total.
Removed link: short urls are forbidden on this forum, as are links to hacker sites, sites promoting hacking, hacker 'kudos'


PostPosted: Thu Jul 18, 2013 1:46 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10525
Location: Leeds, UK
Nothing new really

Personally I use admintools to block repeated attempts from the same ip

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Thu Jul 18, 2013 1:53 pm 
Joomla! Explorer

Joined: Thu Sep 15, 2005 6:04 pm
Posts: 353
Location: Little Rock, Arkansas
Thanks Brian. We have a large mix of J 1.0, J1.5 and J2.5 sites (over 200, and we have tried to get users to pay for upgrades. didn't fly) so, installing a plugin in each would be a big challenge plus testing. This is why we're opting for server level detection.

Tools like mod_security give us the ability to craft rules that monitor for this behavior. You have experience with mod_sec rules?

_________________
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com


PostPosted: Thu Jul 18, 2013 1:55 pm 
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10525
Location: Leeds, UK
Mod sec is the way to go for you then

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Thu Jul 18, 2013 2:00 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 625
It could probably be blocked through htaccess, if you find a word that they always use, but that is never used in normal Joomla administration. It is very easy to do this.


PostPosted: Thu Jul 18, 2013 2:06 pm 
Joomla! Explorer

Joined: Thu Sep 15, 2005 6:04 pm
Posts: 353
Location: Little Rock, Arkansas
Slackervaara.. Thanks.. We inspected the body of current Joomla versions (1.5 - 3) and "Username and password do not match" is in the body so, it's something we can scan for.

_________________
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com


PostPosted: Thu Jul 18, 2013 2:31 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 625
Blockage could be made like this, which I use for stopping SQL-injection.

Code:
RewriteEngine On
# Refuse (403) any request whose query string mentions the default jos_ table prefix.
RewriteCond %{QUERY_STRING} jos_
RewriteRule .* - [F]


PostPosted: Thu Jul 18, 2013 2:41 pm 
Joomla! Explorer

Joined: Thu Sep 15, 2005 6:04 pm
Posts: 353
Location: Little Rock, Arkansas
Slackervaara.. Thx.. We use the Atomic Linux mod_sec rules for this one too.. Our logs are FULL of 1000's of attempted SQL injections..

Too many automated bots doing this these days. :P

I think its good to get this thread rolling on this subject so that a good mod_security rule can be vetted for password attempts.. This will help LOTS of Joomla hosting companies :)

_________________
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com


PostPosted: Thu Jul 18, 2013 3:06 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 625
Unfortunately my webhost does not have mod_security, so I have to rely on htaccess unless someone provides mod_security written in PHP that I can install myself on the site. Sometimes it is not good to have the cheapest webhost.


PostPosted: Thu Jul 18, 2013 3:13 pm 
Joomla! Explorer

Joined: Thu Sep 15, 2005 6:04 pm
Posts: 353
Location: Little Rock, Arkansas
Slackervaara. you are correct.. We are not a cheap hosting company but, we do nightly and monthly backups while also continually tweaking mod_security and other measures to prevent this. We also offer free site restores and free-unhack assistance just in case you do. But, we also charge $20 monthly for all that..

Having your own servers is nice but, it does come with headaches. Since we do primarily Joomla hosting, that's the security we target first and foremost. We also have strong firewall rules for attempted FTP and email account brute force attempts.. This locks a lot of clients out of their own site but, I would rather have a support ticket for that than a compromised email or FTP account.

_________________
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com


PostPosted: Fri Jul 19, 2013 11:51 am 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 625
Nice webhost you have and something many need to consider. Do you have ftp-logs, so one can see if someone got access to the site that way? Approximately how big a percentage of your Joomla sites are hacked, and what is the prime reason behind the hack?


PostPosted: Fri Jul 19, 2013 12:28 pm 
Joomla! Explorer

Joined: Thu Sep 15, 2005 6:04 pm
Posts: 353
Location: Little Rock, Arkansas
We have full logging! We're a standard cPanel shop as well so users have access to their logs. So far, we haven't had to use them.. knock on wood.. We also use the exploit scanner from ConfigServer which saves our bacon a lot. No hosting company is immune to new attacks but, we work really hard to keep things tight and clean.

Gets tiring sometimes but, we work hard for our customers.

_________________
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com


PostPosted: Sat Jul 27, 2013 4:21 am 
Joomla! Apprentice

Joined: Tue Jul 05, 2011 9:22 am
Posts: 5
On Joomla 1.5 I do the following:
- Hide the /administrator directory using the "Backend Token" plugin (http://archive.extensions.joomla.org/ex ... tion/13919) - apparently not available for newer Joomla versions and has therefore been moved to the archive. Works like a charm on Joomla 1.5. I think there are other plugins providing similar functionality as part of other stuff they also do.

- Add a 2 second delay on each user authentication: Add "sleep(2);" to the very beginning of the onAuthenticate() function in /plugins/authentication/joomla.php. That will:
-- Add the delay to both front and back end
-- Reduce brute forcing ability for both password and user name, without bothering legitimate users
-- Add a delay to both failed as well as successful logins. The delay is necessary in both the pass and fail branches of the password/user name check, since an attacker can check whether the response is slow and use that as an indicator - cutting down the delay time. But a delay in both branches eliminates that possibility.


PostPosted: Sat Jul 27, 2013 5:12 pm 
Joomla! Guru

Joined: Mon Sep 20, 2010 7:58 am
Posts: 857
Location: Jakarta - Indonesia
jawsmith wrote:
On Joomla 1.5 I do following:
- Hide the /administrator directory using the "Backend Token" plugin (http://archive.extensions.joomla.org/ex ... tion/13919) - apparently not available for newer Joomla versions and has therefore been moved to the archive. Works like a charm on Joomla 1.5. I think there are other plugins providing similar functionality as part of other stuff they also do.


I love this and I think the plugin can be replaced by a few lines of PHP code (though it will "hack" the Joomla core a bit :))
Thanks.

_________________
Regards,
enbees, I'm here: http://koperasoft.com


PostPosted: Sat Jul 27, 2013 5:26 pm 
Joomla! Guru

Joined: Mon Sep 20, 2010 7:58 am
Posts: 857
Location: Jakarta - Indonesia
brian wrote:
Nothing new really

Personally I use admintools to block repeated attempts from the same ip


Yes. That is the way I would go too. Thanks.

Well actually, I use my ftp to edit the .htaccess to block a list of these IPs since it's a lot easier for me.

_________________
Regards,
enbees, I'm here: http://koperasoft.com


PostPosted: Sat Jul 27, 2013 8:37 pm 
Joomla! Explorer

Joined: Thu Sep 15, 2005 6:04 pm
Posts: 353
Location: Little Rock, Arkansas
The challenge guys is when you have to protect 200 plus and growing. Can't touch every account like that. Has to be a method that works for all sites.

_________________
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com


PostPosted: Mon Nov 25, 2013 11:38 am 
Joomla! Apprentice

Joined: Sun Jan 31, 2010 6:06 pm
Posts: 15
Maybe you can find a solution here:
http://anything-digital.com/blog/securi ... tacks.html

The big problem is that the new brute force attacks use many different IPs. So blocking on IP isn't good enough!


PostPosted: Mon Nov 25, 2013 6:58 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 625
AdminExile has protection against brute force attacks and blocks the ip-address after 3 attempts for 5 minutes, and the administrator can get a mail with a report of the ip-address. I now have this on my site and get 5 mails per day.
http://extensions.joomla.org/extensions ... tion/15711


PostPosted: Mon Nov 25, 2013 7:52 pm 
Joomla! Apprentice

Joined: Sun Jan 31, 2010 6:06 pm
Posts: 15
Do these solutions really protect against distributed brute force attacks? They only block one ip-address, see further explanation here: http://blog.sucuri.net/2013/09/big-incr ... sites.html


PostPosted: Mon Nov 25, 2013 8:01 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 625
AdminExile does take this too. Because AdminExile has a second URL-password, but even if they don't use this and just try to access the admin area the normal way they get banned from the site for 5 minutes. So it's impossible for them to succeed.


PostPosted: Sun Dec 01, 2013 8:53 am 
Joomla! Intern

Joined: Thu Nov 14, 2013 2:50 pm
Posts: 58
^ 5 minutes aren't enough. I'm managing a site attacked once a day by different IPs owned by a same company since July. Attackers are alternating IPs. That's just for yesterday :
Code:
146.0.74.234 - [30/Nov/2013:00:01:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:01:16:32 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:02:34:48 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:03:51:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.28 - [30/Nov/2013:05:13:00 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:06:26:56 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:07:44:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:09:00:09 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:10:20:12 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.212 - [30/Nov/2013:11:38:34 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:12:59:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:14:18:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:15:40:37 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.206 - [30/Nov/2013:16:59:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.27 - [30/Nov/2013:18:21:33 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.204 - [30/Nov/2013:19:42:03 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:20:59:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.79.23 - [30/Nov/2013:22:22:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:23:37:06 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"

As you can see, the AdminExile penalty is of no use here, only a strong Key + Value has a very nice effect. I was never even mailed for this attack since July, I just discovered it from the logs because of another successful hack.

So I think it would be essential to be able to rename /administrator/ folder and to make another as bot-trap.
Just imagine a chain like : /g1l9P76z/index.php?YuRh9A2o1q=xT62Bta9z8 to be able to login. /administrator/ folder renaming + bot-trap should be native in Joomla! directly at first installation. With Encrypt configuration to secure sites without SSL.

Also something essential is to subscribe to a service like http://www.stopforumspam.com/
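The log above is exactly the case where per-address blocking fails: each address appears only once or twice, so a "3 attempts in 5 minutes" rule never trips, while the site as a whole is probed every hour. The script below is an added example, not part of this post or of any Joomla extension. It parses lines in the same Apache-style format as the excerpt (the sample is constructed from documentation address ranges, not copied from a real server) and counts admin-login hits per address and per /24 network inside a sliding window. The assumption that rotating addresses share a prefix is mine; function names are hypothetical.

```python
"""Added example: per-address vs per-network view of admin-login hits.
Assumes the line format '<ip> - [<timestamp>] "<method> <path> HTTP/1.1"'.
The sample log is constructed (documentation ranges), not real traffic."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
198.51.100.10 - [30/Nov/2013:00:01:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.11 - [30/Nov/2013:01:16:32 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
203.0.113.7 - [30/Nov/2013:02:34:48 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.12 - [30/Nov/2013:03:51:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.10 - [30/Nov/2013:05:13:00 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.13 - [30/Nov/2013:07:44:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.11 - [30/Nov/2013:09:00:09 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
192.0.2.44 - [30/Nov/2013:09:05:00 +0100] "GET /index.php HTTP/1.1"
198.51.100.12 - [30/Nov/2013:10:20:12 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.13 - [30/Nov/2013:11:38:34 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
203.0.113.7 - [30/Nov/2013:12:59:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) ')
ADMIN_LOGIN = "/administrator/index.php"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "query": query,
    }


def admin_login_hits(lines):
    """Keep only requests to the Joomla administrator login URL."""
    parsed = (parse_line(line) for line in lines)
    return [r for r in parsed if r and r["path"] == ADMIN_LOGIN]


def by_ip(hit):
    return str(hit["ip"])


def by_net(hit, prefixlen=24):
    # Assumption: a rotating attacker's addresses sit in the same /24.
    return str(ipaddress.ip_network(f"{hit['ip']}/{prefixlen}", strict=False))


def max_in_window(hits, key, window_seconds):
    """Largest number of hits sharing key(hit) inside any window of the given length."""
    best = Counter()
    queues = {}
    for h in sorted(hits, key=lambda h: h["time"]):
        q = queues.setdefault(key(h), [])
        q.append(h["time"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.pop(0)                      # drop hits that fell out of the window
        best[key(h)] = max(best[key(h)], len(q))
    return best


def flagged(counter, threshold):
    """Keys whose peak count reached the threshold, highest first."""
    return sorted((k for k, n in counter.items() if n >= threshold), key=lambda k: -counter[k])


def compare_views(lines, threshold=3, window_seconds=24 * 3600, prefixlen=24):
    """Same threshold applied per address and per network over the same window."""
    hits = admin_login_hits(lines)
    per_ip = max_in_window(hits, by_ip, window_seconds)
    per_net = max_in_window(hits, lambda h: by_net(h, prefixlen), window_seconds)
    return {
        "total": len(hits),
        "by_ip": flagged(per_ip, threshold),
        "by_network": flagged(per_net, threshold),
    }


if __name__ == "__main__":
    print(compare_views(SAMPLE_LOG.splitlines()))
```

With the constructed sample no single address reaches three hits in a day, so a per-address rule reports nothing, while the /24 view reports 198.51.100.0/24 with eight hits. Aggregating by network is a heuristic: it will also group unrelated customers behind one provider, so treat a network-level hit as a trigger for review or a site-wide slowdown rather than an automatic long ban.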


PostPosted: Sun Dec 01, 2013 11:23 am 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 625
Those attacks are innocent, because they are not aware that the AdminExile password is needed and they are not trying to figure that out. They just try to log in the normal way in administrator. You can also increase the 5 minutes in AdminExile to a longer time.


PostPosted: Sun Dec 01, 2013 11:42 am 
Joomla! Intern

Joined: Thu Nov 14, 2013 2:50 pm
Posts: 58
^ Of course I did ! :D
And because they are always using the same IPs they are blocked with htaccess from the whole domain.
But some others could be a true danger.
I also noticed regular attempts to /wp-admin/ - /blog/wp-admin/ - /wordpress/wp-admin/ - /wp/wp-admin/ from various IPs I would like to catch putting these in a bot-trap and to signal to stopforumspam and/or honeypot project, akismet, etc. because I'm certain everyone would be so quiet contributing with a global action. 8)


PostPosted: Mon Dec 02, 2013 7:41 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 625
In addition, if someone succeeds in finding out the password for the admin area, you will know that because AdminExile will report it when they fail to find out the real password, because it will take many attempts to find it out. You can see that in the mail from AdminExile. Then it is just a matter of changing the password of AdminExile and they have to start again from scratch.


PostPosted: Mon Dec 02, 2013 10:02 pm 
Joomla! Guru

Joined: Tue Apr 11, 2006 7:29 pm
Posts: 965
One script I've found really successful is zbblock. It blocks thousands of attempts and agents which are clearly malicious, SQL injection attacks, malicious behaviours, SPAMMY behaviours and much much more. Since I've installed it, I barely see any of those anymore. And yes the log does tend to bloat up very quickly from the sheer number of malicious bot activity hitting websites! It's good for any type of PHP site. The slight drawback: it adds a bit of overhead to the response time. Milliseconds really, but if you're into that sort of thing, you'll notice it.

Here's a quick write up about it: http://www.dart-creations.com/joomla/jo ... -spam.html

HTH

_________________
http://www.dart-creations.com - We make Joomla Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Easy Paypal, Popin Window, Random Flash, Google AdSense, Slide Menu (dropdown), 2CO / Paypal payment, [youtube] module, and more!


PostPosted: Sun Dec 15, 2013 4:00 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13981
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
WebJIVE wrote:
The challenge guys is when you have to protect 200 plus and growing. Can't touch every account like that. Has to be a method that works for all sites.
If you have cPanel you should have ConfigServer install their suite. This will protect you very well. We use this on all our servers. Money well spent!

(If you have WHM you should enable BruteForceProtection)

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


PostPosted: Sun Dec 15, 2013 6:15 pm 
Joomla! Intern

Joined: Thu Nov 14, 2013 2:50 pm
Posts: 58
Would there be a way to portscan or pingflood IPs to be excluded by their firewall?
Or to help discover a real mail address where to massively complain as a sort of DDoS mail bomb? This war was begun by black hats and I'm tired of staying on the defensive.


PostPosted: Mon Dec 16, 2013 9:02 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13981
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
epidemija wrote:
is any good solution for joomla 1.5?
Migrate to Joomla 3.x, then you have enough extensions available to support you

Leo 8)

_________________
-- Joomla Professional Support Services : http://gws-desk.com --
-- Good & Cheap Joomla Sites Ready To Roll : http://gws-deals.today --
-- Joomla Specialized Hosting Solutions : www.gws-host.com --
-- Member Joomla Bug Squad --


PostPosted: Wed Apr 02, 2014 2:04 pm 
Joomla! Explorer

Joined: Thu Sep 15, 2005 6:04 pm
Posts: 353
Location: Little Rock, Arkansas
After some more tweaking, looks like we have a working rule now. :)

Code:
# Rule ids must be unique in ModSecurity 2.7+; the SecAction uses 10010 so it does not collide with the deny rule below.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10010
<LocationMatch /administrator/index.php>
        # Setup brute force detection.

        # React if block flag has been set.
        SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        # Note: a plain GET of the login form also returns 200, so form views count towards the limit.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

_________________
Web Design, Hosting, Flash Development, Graphics & Logo Design
"The Web Made Easy"
http://www.web-jive.com
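The rule above keeps per-client state whose behaviour is easy to misread from the ModSecurity syntax alone. The following Python simulation is an added example, not code from this post or from ModSecurity: it models the same state machine (a 200 on the admin URL counts as a failure, a 302 resets the counter, more than 15 failures sets a block that is honoured for 300 seconds) with an injectable clock so it can be stepped without sleeping. The decay is a discrete approximation of deprecatevar (minus one per full 180-second interval), and the class and function names are hypothetical.

```python
"""Added example: simulation of the brute-force counter/block logic expressed
by the ModSecurity rule above. Hypothetical class and method names; the decay
is a discrete approximation of deprecatevar:ip.bf_counter=1/180."""


class BruteForceGuard:
    def __init__(self, threshold=15, decay_interval=180, block_seconds=300):
        self.threshold = threshold              # "@gt 15"
        self.decay_interval = decay_interval    # deprecatevar ... =1/180
        self.block_seconds = block_seconds      # expirevar:user.bf_block=300
        self._counter = {}                      # client -> [count, last_decay_time]
        self._block_until = {}                  # client -> absolute expiry time

    def is_blocked(self, client, now):
        """The request-phase check of user.bf_block, including its expiry."""
        until = self._block_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._block_until[client]       # expirevar: the flag lapsed
            return False
        return True

    def record_response(self, client, status, now):
        """The phase-5 tracking rules; returns the counter after the update."""
        if status == 302:                       # successful login resets the counter
            self._counter[client] = [0, now]
            return 0
        if status != 200:                       # other statuses are not tracked
            return self._counter.get(client, [0, now])[0]
        count, last = self._counter.get(client, [0, now])
        steps = int(now - last) // self.decay_interval
        if steps:                               # time-based decay first
            count = max(0, count - steps)
            last += steps * self.decay_interval
        count += 1                              # setvar:ip.bf_counter=+1
        if count > self.threshold:              # chained "@gt 15" rule fires
            self._block_until[client] = now + self.block_seconds
            count = 0                           # setvar:ip.bf_counter=0
        self._counter[client] = [count, last]
        return count

    def handle(self, client, status, now):
        """One request to /administrator/index.php.

        `status` is what the backend would answer; the return value is what
        the client actually receives (401 while the block flag is set)."""
        if self.is_blocked(client, now):
            return 401
        self.record_response(client, status, now)
        return status


def replay(events, guard=None):
    """Replay (time, client, backend_status) tuples; returns the statuses seen."""
    guard = guard or BruteForceGuard()
    return [guard.handle(client, status, t) for t, client, status in events]


if __name__ == "__main__":
    # Constructed scenario: 17 failed attempts one second apart from one address.
    events = [(t, "203.0.113.5", 200) for t in range(17)]
    print(replay(events))   # sixteen 200s, then 401 once the flag is set
```

Two things the simulation makes visible that the rule text does not: the sixteenth failure itself is still answered normally (the block only applies to the next request), and because the counter decays rather than resets, a client that spreads attempts more than three minutes apart never accumulates enough to trip it.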


PostPosted: Fri Jun 20, 2014 6:40 am 
Joomla! Fledgling

Joined: Fri Jun 20, 2014 6:37 am
Posts: 1
WebJIVE wrote:
After some more tweaking, looks like we have a working rule now. :)

Code:
# Rule ids must be unique in ModSecurity 2.7+; the SecAction uses 10010 so it does not collide with the deny rule below.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10010
<LocationMatch /administrator/index.php>
        # Setup brute force detection.

        # React if block flag has been set.
        SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        # Note: a plain GET of the login form also returns 200, so form views count towards the limit.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>


Hi there WebJIVE...

I'm new to ModSecurity. May I know where I put the rule, i.e. in which file?

