Joomla admin brute force password attempts
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
- WebJIVE
- Joomla! Explorer
- Posts: 356
- Joined: Thu Sep 15, 2005 6:04 pm
- Location: Little Rock, Arkansas
- Contact:
Re: Joomla admin brute force password attempts
I was using Atomic Linux rules and I added it to one of their rules. Now I run the Atomic Linux kernel package and no longer have to fool with this.
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla admin brute force password attempts
Please explain your experience fully: what you did and how it relates to Joomla 2.5.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- WebJIVE
- Joomla! Explorer
- Posts: 356
- Joined: Thu Sep 15, 2005 6:04 pm
- Location: Little Rock, Arkansas
- Contact:
Re: Joomla admin brute force password attempts
Here's the experience. We run cPanel servers, and the firewall that cPanel has by default is terrible, so we installed mod_security and CSF. Once you have a few accounts get hacked with CSF, your server turns into some kind of black hat server with the "kick me" sign stuck on your back. Every script kiddie in the world, and even seasoned hackers, start banging on your door.
CSF is a good general purpose firewall but, you're always dealing with IP blocks from your own customers due to false positive mod_security triggers. CSF also can't handle low level DOS attacks.
So, I got fed up with playing cat and mouse with hackers and finally bit the bullet on the full Atomic Linux suite. Nights are no longer sleepless and I don't get up every morning to check for phishing links.
Also, we used a script to reset every account's cPanel password with a strong password after installing ASL. What we soon found out is that even with CSF and an exploit scanner installed, they had uploaded some scripts that somehow pulled every account's info and decrypted all cPanel account passwords.
Resetting all the passwords after installing ASL has the crickets chirping again.. ahhh.. And no more false IP blocks with CSF.
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Joomla admin brute force password attempts
> WebJIVE wrote: CSF is a good general purpose firewall but, you're always dealing with IP blocks from your own customers due to false positive mod_security triggers. CSF also can't handle low level DOS attacks.

You are very ill informed I am afraid. You do not have 'false' IP blocks in CSF. Every block has good reasons. You just used the iptables settings wrong!
Also it is incorrect that "low-level" DOS attacks are not taken care of. They are being taken care of by CSF. The problem is that you have not set up your server properly, since you get whacked several times as you state. That is not caused by CSF but by wrong and incorrect tweaking of the security of your server and of the CSF and mod_security rules. Simple example:
In the CSF configuration you should have changed CT_LIMIT; change this to CT_LIMIT=30, where 30 is the max number of connections from an IP to your server.
Then search for the option called CT_PORTS. This option is used to specify the port for which you want to prevent DOS attacks. Change CT_PORTS = "" to CT_PORTS = "80" (for Apache).
If your server gets 30 established connections from an IP to Apache, it is considered a DOS attack and that IP will be blocked.
This is just one example of the many options you have in CSF and in cPanel (Brute Force protection activated, for instance).
We use the entire CSF suite on each and every one of our servers and we work together with the CSF specialists, whom we hire to install the suite and configure it properly (!). So yes, we do use the pro versions of all the stuff and I do not recognize any of your CSF remarks!
A final note: ASL is being phased out by the majority of the large players in the market and is replaced by, guess what... right, CSF (for example, Liquidweb does this on all dedi servers).
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- WebJIVE
- Joomla! Explorer
- Posts: 356
- Joined: Thu Sep 15, 2005 6:04 pm
- Location: Little Rock, Arkansas
- Contact:
Re: Joomla admin brute force password attempts
WOW... my first hater.. sniff
Btw Leo, mod_security CAN and WILL cause false positives from time to time and get client IPs blocked. One prime example: we have a site with 40k users and 77k pages of content, and the content editors would routinely trigger rules when editing. Of course these were ASL Modsec rules but, it does happen.
[EDIT] Also Leo, we STILL run CSF on many of our servers but, one product does not fit all. Sometimes it's necessary to use a different solution for different kinds of problems.
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Joomla admin brute force password attempts
> WebJIVE wrote: WOW... my first hater.. sniff

Don't place a sticker on me when I dispute your findings. That is hilarious and in very bad taste!
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- WebJIVE
- Joomla! Explorer
- Posts: 356
- Joined: Thu Sep 15, 2005 6:04 pm
- Location: Little Rock, Arkansas
- Contact:
Re: Joomla admin brute force password attempts
Leo, your using !! (yelling) to make a point and telling me I'm flat out wrong is in just as poor taste. All I did was pass along an experience, and you soapboxed me, telling me I'm 100% wrong. How is that any different from my last reply?
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Joomla admin brute force password attempts
Yes Sir it is very different.
An exclamation mark is not yelling as per web etiquette. You are mixing it up with capitals (caps), which are considered shouting/yelling. I did not use caps... I used exclamation marks to emphasize my point. See for this an interesting article in the New York Times http://www.nytimes.com/2011/07/03/fashi ... udies.html
I am indeed flat out telling you that your experience is caused by wrong settings on your server and/or CSF/mod_security rules etc., and I gave a reply to your (!) statement that CSF does not protect against DOS attacks with one of many possible settings examples. Since when is that bad taste?
Anyhow, as Mandville asked, it has nothing to do with Joomla 2.5, but it is generally important to protect a server properly on every possible level.
No need to discuss this here since it is not Joomla that is under discussion here.
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- WebJIVE
- Joomla! Explorer
- Posts: 356
- Joined: Thu Sep 15, 2005 6:04 pm
- Location: Little Rock, Arkansas
- Contact:
Re: Joomla admin brute force password attempts
Agree to disagree. Let the tech continue and the bickering stop.
Getting back to the thread (we both agree to that), I was the one who started this thread due to all the Joomla admin brute force attempts, 10,000's daily per site (we have 100s on that box), and they were working, not to mention blowing out bandwidth numbers.
I was working hard to stop that behavior by creating a mod_sec rule based on some WP mod_sec rules I found on other sites. I had limited success with that approach, along with filling up the temp IP ban table in CSF (up to 1000 IPs at one point). So, a little research into this type of attack vector is where Atomic Linux came into play, with realtime monitoring of Joomla brute force attempts and low level DOS attacks. The rest of our servers (10+) are still running CSF happily.
It solved our issues for one server. The other servers are still running CSF.
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: Joomla admin brute force password attempts
Hey guys, no need for mockery or arguing here!
2 cents on this topic - our servers have been protected for years with Fail2Ban http://www.fail2ban.org/
It is easy to write a rule to scan Joomla logs, and there are already 2 existing plugins (not tested by us, we wrote our own rule) to scan for failed logins:
http://extensions.joomla.org/extensions ... tion/25592
http://extensions.joomla.org/extensions ... tion/24666
And this one should help you start: http://baxeico.wordpress.com/2014/03/31 ... -file2ban/
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
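A Fail2Ban-style check for the approach Bernard T describes, written here as an added Python example; it is not the rule his team wrote nor either linked plugin. It assumes the tab-separated layout of Joomla's logs/error.php (datetime, priority, client IP, category, message) and reproduces a jail's maxretry/findtime/ignoreip decision over constructed sample lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2Ban-style failregex for the tab-separated lines Joomla writes to logs/error.php
# (datetime, priority, client IP, category, message); "<HOST>" in a real filter = (?P<host>...)
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\t\S+\t(?P<host>[\d.]+)\tjoomlafailure\t"
)

def find_failures(lines):
    """Yield (timestamp, ip) for every failed-login line; header and other lines are skipped."""
    for line in lines:
        m = FAILREGEX.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"), m.group("host")

def ips_to_ban(lines, maxretry=5, findtime=600, ignoreip=()):
    """Return the IPs that reach maxretry failures inside any findtime-second
    window, the same decision a Fail2Ban jail makes (ignoreip = never banned)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = set()
    for ts, ip in find_failures(lines):
        if ip in ignoreip:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

# Constructed sample log (documentation IPs only): a fast guesser, a casual typo,
# a known content editor fat-fingering the login, and a slow guesser.
F = "joomlafailure\tUsername and password do not match or you do not have an account yet."
SAMPLE_LOG = "#Fields: datetime\tpriority\tclientip\tcategory\tmessage\n" + "\n".join(
    f"{t}\tINFO\t{ip}\t{F}" for t, ip in [
        ("2014-06-01T09:00:00", "198.51.100.7"), ("2014-06-01T09:00:05", "198.51.100.7"),
        ("2014-06-01T09:00:09", "198.51.100.7"), ("2014-06-01T09:00:14", "198.51.100.7"),
        ("2014-06-01T09:00:20", "198.51.100.7"),   # 5 failures in 20 s
        ("2014-06-01T09:01:00", "203.0.113.9"), ("2014-06-01T09:02:00", "203.0.113.9"),
        ("2014-06-01T09:03:00", "10.0.0.5"), ("2014-06-01T09:03:10", "10.0.0.5"),
        ("2014-06-01T09:03:20", "10.0.0.5"), ("2014-06-01T09:03:30", "10.0.0.5"),
        ("2014-06-01T09:03:40", "10.0.0.5"),       # editor on the office IP, in ignoreip
        ("2014-06-01T09:10:00", "192.0.2.1"), ("2014-06-01T09:25:00", "192.0.2.1"),
        ("2014-06-01T09:40:00", "192.0.2.1"), ("2014-06-01T09:55:00", "192.0.2.1"),
        ("2014-06-01T10:10:00", "192.0.2.1"),      # one guess every 15 min: under findtime
    ])

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG.splitlines(), ignoreip=("10.0.0.5",)))
```

The slow guesser never trips the default window, which is the trade-off between a long findtime and the false positives on editors that the thread argues about; ignoreip is the per-jail answer to the office IP.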
- GJSchaller
- Joomla! Enthusiast
- Posts: 162
- Joined: Wed Aug 24, 2005 2:57 pm
- Location: White Plains, NY
- Contact:
Re: Joomla admin brute force password attempts
I'm seeing the same sort of behavior on a single Joomla site that I manage. I have a VPS with multiple Joomla sites, but one - and only one - of them is being targeted by a DOS, it seems.
I have Coalatraffic installed to track IPs, and what I am seeing is this:
- The majority of the referrers are listed as "(website)/administrator/-"
- The IPs of the visitors are world-wide
- A large portion of the IPs and Agents hitting this URL are listed as GoogleBot, Yahoo Slurp, and BingBot. Given I have an .htaccess and a robots.txt that forbids crawling of /administrator/, I find this suspect.
I haven't been compromised (yet) - no signs of spam, phishing, or malware. Just a constant barrage of hits on my server that is killing performance.
Beyond .htaccess and IP banning, what other ways can I help mitigate load without alienating my customers? Any insight as to why it seems search engines have been hammering my Admin login for 2 weeks straight?
- Per Yngve Berg
- Joomla! Master
- Posts: 30923
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Joomla admin brute force password attempts
Upgrade to J3.3 and use two-factor authentication.
- GJSchaller
- Joomla! Enthusiast
- Posts: 162
- Joined: Wed Aug 24, 2005 2:57 pm
- Location: White Plains, NY
- Contact:
Re: Joomla admin brute force password attempts
I have 3.3 waiting in the wings, I just need one critical component to be ready, and I can make the switch.
I've also installed Brute Force Stop, which is showing no failed attempts to log in - there's just 200+ users on the site, but none of them are trying to log in. If this was for a day or two, it would make sense as being a search engine crawling the site, but this has been ongoing for almost 2 weeks now.
- Bernard T
- Joomla! Guru
- Posts: 782
- Joined: Thu Jun 29, 2006 11:44 am
- Location: Hrvatska
- Contact:
Re: Joomla admin brute force password attempts
@GJSchaller - well, it clearly sounds like a botnet kicking to me too. I am sure most of the IPs listed as bots aren't actually bots; you could look up the IP owners in the IP Whois.
Beyond IP banning, to offload this site you could use some good CDN with a firewall layer, for example CloudFlare Free, which will offload your server, block some botnets and speed up your web.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
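The "GoogleBot hammering /administrator/" pattern GJSchaller reports, and Bernard T's advice to check who really owns those IPs: an added Python example (not from anyone in the thread) that performs the forward-confirmed reverse-DNS check the crawler operators publish for verifying their fetchers. The domain suffixes are assumptions to confirm against the operators' current guidance; the PTR/A data and hits are constructed from documentation addresses so it runs offline.

```python
import socket

# Reverse-DNS suffixes under which the operators say their genuine crawlers resolve
# (assumed here from Google's and Bing's published verification guidance).
CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

def claimed_crawler(user_agent):
    """Which crawler, if any, the User-Agent string claims to be."""
    ua = user_agent.lower()
    return next((name for name in CRAWLER_DOMAINS if name in ua), None)

def crawler_verdict(ip, user_agent,
                    reverse_lookup=lambda ip: socket.gethostbyaddr(ip)[0],
                    forward_lookup=lambda host: socket.gethostbyname_ex(host)[2]):
    """Forward-confirmed reverse DNS: the PTR name must fall under the operator's
    domain AND resolve back to the same IP. Returns 'no crawler UA', 'genuine'
    or 'spoofed'; lookup failures (no PTR, timeout) count as spoofed."""
    bot = claimed_crawler(user_agent)
    if bot is None:
        return "no crawler UA"
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
        if not host.endswith(tuple("." + d for d in CRAWLER_DOMAINS[bot])):
            return "spoofed"
        return "genuine" if ip in forward_lookup(host) else "spoofed"
    except OSError:            # socket.herror / gaierror are OSError subclasses
        return "spoofed"

# Constructed resolver data (RFC 5737 documentation addresses, not real hosts) so the
# example runs offline; call crawler_verdict with the default lookups to check a live log.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",     # PTR and A record agree
    "198.51.100.23": "crawl-192-0-2-10.googlebot.com",  # forged PTR; A record disagrees
    "203.0.113.77": "host77.example.net",               # PTR outside googlebot.com
}
FAKE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
          "host77.example.net": ["203.0.113.77"]}
def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")   # what gethostbyaddr raises without a PTR
    return FAKE_PTR[ip]

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_HITS = [   # (client IP, User-Agent) pairs as pulled from /administrator/ log lines
    ("192.0.2.10", GOOGLEBOT_UA), ("198.51.100.23", GOOGLEBOT_UA),
    ("203.0.113.77", GOOGLEBOT_UA), ("203.0.113.5", GOOGLEBOT_UA),   # .5 has no PTR
    ("203.0.113.9", "Mozilla/5.0 (Windows NT 6.1) Firefox/29.0"),
]

def audit(hits, reverse_lookup=fake_reverse, forward_lookup=lambda h: FAKE_A.get(h, [])):
    """Verdict per hit; with the defaults it runs against the constructed data above."""
    return [(ip, crawler_verdict(ip, ua, reverse_lookup, forward_lookup)) for ip, ua in hits]
```

Anything that comes back "spoofed" while claiming a crawler UA is a plain client ignoring robots.txt and can be rate-limited or blocked without touching real search engines.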