Joomla admin brute force password attempts

Discussion regarding Joomla! 2.5 security issues.

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Fri Jun 20, 2014 1:11 pm

I was using Atomic Linux rules and I added it to one of their rules. Now I run the Atomic Linux kernel package and no longer have to fool with this :)
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla admin brute force password attempts

Post by mandville » Fri Jun 20, 2014 1:41 pm

Please explain your experience fully: what you did and how it relates to Joomla 2.5.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Fri Jun 20, 2014 1:50 pm

Here's the experience. We run cPanel servers and the firewall that cPanel has by default is terrible, so we installed mod_security and CSF. Once you have a few accounts get hacked with CSF, your server goes into some kind of black hat server with the kick me sign stuck on your back. Every script kiddie in the world, and even seasoned hackers, start banging on your door.

CSF is a good general purpose firewall, but you're always dealing with IP blocks from your own customers due to false positive mod_security triggers. CSF also can't handle low level DOS attacks.

So, I got fed up with playing cat and mouse with hackers and finally bit the bullet on the full Atomic Linux suite. Nights are no longer sleepless and I don't get up every morning to check for phishing links.

Also, we used a script to reset every account's cPanel password with a strong password after installing ASL. What we soon found out is that even with CSF and exploit scanner installed, they had uploaded some scripts that somehow pulled every account's info and decrypted all cPanel account passwords.

Resetting all the passwords after installing ASL has the crickets chirping again.. ahhh.. And no more false IP blocks with CSF.
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Joomla admin brute force password attempts

Post by leolam » Sat Jun 21, 2014 10:07 am

WebJIVE wrote: CSF is a good general purpose firewall, but you're always dealing with IP blocks from your own customers due to false positive mod_security triggers. CSF also can't handle low level DOS attacks.
You are very ill-informed, I am afraid. You do not have 'false' IP blocks in CSF. Every block has good reasons. You just used the IPTables settings wrong!

Also it is incorrect that "low-level" DOS attacks are not taken care of. They are taken care of by CSF. The problem is that you have not set up your server properly, since you get whacked several times as you state. That is not caused by CSF but by wrong and incorrect tweaking of the security of your server and the CSF and mod_security rules. Simple example:

1. In the CSF configuration you should have changed CT_LIMIT; change this to CT_LIMIT=30, where 30 is the max number of connections from an IP to your server.
2. Search for the option called CT_PORTS. This option is used to specify the port for which you want to prevent DOS attacks. Change CT_PORTS = "" to CT_PORTS = "80" (for Apache).

If your server gets 30 established connections from an IP to Apache, it is considered a DOS attack and that IP will be blocked.

This is just one example of the many options you have in CSF and in cPanel (BruteForce protection activated, for instance).

We use the entire CSF suite on each and every one of our servers and we work together with the specialists of CSF, whom we hire to install the suite and configure it properly (!) So yes, we do use the pro versions of all stuff and I do not recognize any of your CSF remarks!

Note as final: ASL is being phased out by the majority of the large players in the market and is replaced by guess what ...... right, CSF (for example, Liquidweb does this on all dedi servers).

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
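An added example, not CSF's own code and not from the thread, simulating the CT_LIMIT / CT_PORTS check described in the post above: it parses a constructed csf.conf fragment and applies the limit to a constructed connection table, which also shows that a port left out of CT_PORTS is never counted.

```python
# Added example (not CSF's own code, nor from the thread): a simulation of what
# the CT_LIMIT / CT_PORTS settings in csf.conf do. CSF counts connections per
# source IP on the tracked ports and blocks an IP once the count hits CT_LIMIT.
# The csf.conf fragment and the connection table below are constructed samples.
import re
from collections import Counter

CSF_CONF = '''
CT_LIMIT = "30"
CT_PORTS = "80"
'''

def parse_csf_conf(text):
    """Return {KEY: value} for csf.conf lines of the form KEY = "value"."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*([A-Z_0-9]+)\s*=\s*"([^"]*)"', text, re.M)}

def offending_ips(conns, settings):
    """conns: iterable of (src_ip, dst_port, state) rows as `ss -tn` would show.
    Returns {ip: count} for IPs whose ESTABLISHED connections on a tracked
    port reach CT_LIMIT. CT_LIMIT = "0" means tracking is off."""
    limit = int(settings.get("CT_LIMIT", "0"))
    if limit == 0:
        return {}
    # Empty CT_PORTS is treated here as "all ports" (assumption for the example).
    ports = {int(p) for p in settings.get("CT_PORTS", "").split(",") if p.strip()}
    counts = Counter()
    for ip, port, state in conns:
        if state == "ESTABLISHED" and (not ports or port in ports):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= limit}

# Constructed connection table: one IP at the limit on port 80, a busy but
# legitimate client, traffic on an untracked port, and non-established sockets.
SAMPLE_CONNS = (
    [("203.0.113.7", 80, "ESTABLISHED")] * 30
    + [("198.51.100.2", 80, "ESTABLISHED")] * 12
    + [("198.51.100.2", 443, "ESTABLISHED")] * 25   # 443 not in CT_PORTS="80"
    + [("192.0.2.9", 80, "TIME_WAIT")] * 40
)

WEAK = parse_csf_conf('CT_LIMIT = "0"\n')   # tracking disabled: nothing is ever flagged
TUNED = parse_csf_conf(CSF_CONF)            # the post's recommended settings
```

With TUNED only 203.0.113.7 is flagged; the 25 connections to port 443 are invisible until 443 is added to CT_PORTS.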

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Sat Jun 21, 2014 12:23 pm

WOW... my first hater.. sniff

Btw Leo, mod_security CAN and WILL cause false positives from time to time and get client IPs blocked. One prime example is we have a site with 40k users and 77k pages of content and the content editors would routinely trigger rules when editing. Of course these were ASL ModSec rules, but it does happen.

[EDIT] Also Leo, we STILL run CSF on many of our servers, but one product does not fit all. Sometimes it's necessary to use a different solution for different kinds of problems.
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Joomla admin brute force password attempts

Post by leolam » Sat Jun 21, 2014 3:34 pm

WebJIVE wrote: WOW... my first hater.. sniff
Don't place a sticker on me when I dispute your findings. That is hilarious and is of very bad taste!

Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Sat Jun 21, 2014 3:36 pm

Leo, you using "!!" (yelling) to make a point and telling me I'm flat out wrong is in just as poor taste. All I did was pass along an experience and you soapboxed me, telling me I'm 100% wrong. How is that any different from my last reply?
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Joomla admin brute force password attempts

Post by leolam » Sat Jun 21, 2014 4:01 pm

Yes Sir it is very different.

An exclamation mark is not yelling as per web etiquette. You are mixing it up with capitals (caps), which is considered shouting/yelling. I did not use caps... I used exclamation marks to emphasize my point. See for this an interesting article in the New York Times http://www.nytimes.com/2011/07/03/fashi ... udies.html

I am indeed flat out telling you that your experience is caused by wrong settings on your server and/or CSF/mod_security rules etc., and I gave a reply to your (!) statement that CSF does not protect against DOS attacks with one of many possible settings examples. Since when is that bad taste?

Anyhow, as Mandville asked, it has nothing to do with Joomla 2.5, but it is generally important to protect a server properly on every possible level.

No need to discuss this here since it is not Joomla that is under discussion.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Sat Jun 21, 2014 4:13 pm

Agree to disagree.. Let the tech continue and bickering stop :)

Getting back to the thread (we both agree to that), I was the one who started this thread due to all the Joomla admin brute force attempts, with 10,000s daily per site (we have 100s on that box), and they were working, not to mention blowing out bandwidth numbers.

I was working hard to stop that behavior by creating a mod_sec rule based on some WP mod_sec rules I found on other sites. I had limited success with that approach, along with filling up the temp IP ban table in CSF (up to 1000 IPs at one point). So, a little research into this type of attack vector, which is where Atomic Linux came into play with realtime monitoring of Joomla brute force attempts and low level DOS attacks. The rest of our servers (10+) are still running CSF happily.

It solved our issues for one server. The other servers are still running CSF.
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Joomla admin brute force password attempts

Post by Bernard T » Thu Jul 10, 2014 10:27 pm

Hey guys, no need for mockery or arguing here!

2 cents on this topic - our servers have been protected for years with Fail2Ban http://www.fail2ban.org/
It is easy to write a rule to scan Joomla logs, and there are already 2 existing plugins (not tested by us, we wrote our own rule) to scan for failed logins:
http://extensions.joomla.org/extensions ... tion/25592
http://extensions.joomla.org/extensions ... tion/24666

And this one should help you start: http://baxeico.wordpress.com/2014/03/31 ... -file2ban/
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
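As an added example (not the poster's own rule, nor code from the plugins linked above), here is the Fail2Ban approach in miniature: a failregex with the <HOST> placeholder applied to constructed Joomla-style failed-login lines, followed by the maxretry/findtime ban rule. The log layout is an assumption; a real filter must match whatever your Joomla login-logging plugin actually writes.

```python
# Added example (not from the thread or from Fail2Ban): a Fail2Ban-style filter
# (failregex with the <HOST> placeholder) plus the maxretry/findtime ban rule,
# run over constructed Joomla-style failed-login lines in an ASSUMED layout.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-07-10T20:27:01 WARNING login Failed login for user admin from 203.0.113.7
2014-07-10T20:27:02 WARNING login Failed login for user admin from 203.0.113.7
2014-07-10T20:27:04 WARNING login Failed login for user root from 203.0.113.7
2014-07-10T20:27:30 INFO    login Successful login for user editor from 198.51.100.2
2014-07-10T20:40:00 WARNING login Failed login for user editor from 198.51.100.2
2014-07-10T21:15:00 WARNING login Failed login for user editor from 198.51.100.2
2014-07-10T22:00:00 WARNING login Failed login for user editor from 198.51.100.2
"""

# Fail2Ban filters are written with <HOST>; it is expanded to a named capture
# group (simplified here to IPv4 or a hostname) before matching each line.
FAILREGEX = r"^(?P<ts>\S+) WARNING\s+login Failed login for user \S+ from <HOST>$"
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[\w.-]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

def failed_attempts(log_text):
    """Yield (timestamp, ip) for each line the failregex matches."""
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("host")

def ips_to_ban(log_text, maxretry=3, findtime=600):
    """Ban an IP once it reaches maxretry failures inside any findtime-second
    window, the rule a Fail2Ban jail's maxretry/findtime settings express."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned = set()
    for ts, ip in failed_attempts(log_text):
        # Keep only this IP's failures still inside the window, then add this one.
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= maxretry:
            banned.add(ip)
    return banned
```

With the defaults only the rapid-fire 203.0.113.7 is banned; the editor who fails three times over 80 minutes is banned only if findtime is widened to cover that span, which is the false-positive trade-off a jail's findtime controls.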

GJSchaller
Joomla! Enthusiast
Posts: 162
Joined: Wed Aug 24, 2005 2:57 pm
Location: White Plains, NY

Re: Joomla admin brute force password attempts

Post by GJSchaller » Fri Jul 11, 2014 2:51 pm

I'm seeing the same sort of behavior on a single Joomla site that I manage. I have a VPS with multiple Joomla sites, but one - and only one - of them is being targeted by a DOS, it seems.

I have Coalatraffic installed to track IPs, and what I am seeing is this:
  • The majority of the referrers are listed as "(website)/administrator/-"
  • The IPs of the visitors are world-wide
  • A large portion of the IPs and Agents hitting this URL are listed as GoogleBot, Yahoo Slurp, and BingBot. Given I have an .htaccess and a robots.txt that forbid crawling of /administrator/, I find this suspect.
I've blocked the majority of offending IPs using cPanel's IP Denial tool, but I am still seeing hits from IPs I cannot block without blocking known customers (I am assuming they are zombies on the same ISP as my customers). I am seeing an interesting mix of agents, from modern browsers to older ones to mobile devices, all going to the same URL mentioned above.

I haven't been compromised (yet) - no signs of spam, phishing, or malware. Just a constant barrage of hits on my server that is killing performance.

Beyond .htaccess and IP banning, what other ways can I help mitigate load without alienating my customers? Any insight as to why it seems search engines have been hammering my Admin login for 2 weeks straight?
Geoffrey J. Schaller
Technical Officer
Knight Realms
http://www.knightrealms.com

Per Yngve Berg
Joomla! Master
Posts: 30923
Joined: Mon Oct 27, 2008 9:27 pm
Location: Romerike, Norway

Re: Joomla admin brute force password attempts

Post by Per Yngve Berg » Fri Jul 11, 2014 4:30 pm

Upgrade to J3.3 and use two-factor authentication.

GJSchaller
Joomla! Enthusiast
Posts: 162
Joined: Wed Aug 24, 2005 2:57 pm
Location: White Plains, NY

Re: Joomla admin brute force password attempts

Post by GJSchaller » Fri Jul 11, 2014 4:34 pm

I have 3.3 waiting in the wings, I just need one critical component to be ready, and I can make the switch.

I've also installed Brute Force Stop, which is showing no failed attempts to log in - there are just 200+ users on the site, but none of them are trying to log in. If this were for a day or two, it would make sense as a search engine crawling the site, but this has been ongoing for almost 2 weeks now.
Geoffrey J. Schaller
Technical Officer
Knight Realms
http://www.knightrealms.com

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Joomla admin brute force password attempts

Post by Bernard T » Fri Jul 11, 2014 5:54 pm

@GJSchaller - well, it clearly sounds like botnet kicking to me too. I am sure most of the IPs listed as bots aren't actually bots; you could look up the IP owners in the IP Whois.

Beyond IP banning, to offload this site you could use some good CDN with a firewall layer, for example CloudFlare Free, which will offload your server, block some botnets and speed up your web.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
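An added example, not from the thread, for the check behind GJSchaller's suspect "GoogleBot" hits on /administrator/ and Bernard T's point that most of those IPs are probably not real bots: reverse DNS plus forward confirmation, which is how the search engines say to verify their crawlers. FakeResolver and every IP, hostname and user agent below are constructed; for real lookups swap in socket.gethostbyaddr and socket.gethostbyname_ex.

```python
# Added example (not from the thread): verify a "Googlebot"/"bingbot"/"Slurp"
# claim as the engines document it: the IP's reverse-DNS name must sit in the
# crawler's domain AND the forward lookup of that name must return the same IP.
CRAWLER_DOMAINS = {  # domains the engines publish for their crawlers' reverse-DNS names
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
    "slurp": ("crawl.yahoo.net",),
}

class FakeResolver:
    """Dict-backed stand-in for DNS so the example runs offline (constructed data)."""
    def __init__(self, ptr, a):
        self._ptr, self._a = ptr, a
    def reverse(self, ip):            # PTR lookup -> hostname or None
        return self._ptr.get(ip)
    def forward(self, name):          # A lookup -> list of IPs
        return self._a.get(name, [])

def claimed_crawler(user_agent):
    ua = user_agent.lower()
    return next((k for k in CRAWLER_DOMAINS if k in ua), None)
def verify_crawler(ip, user_agent, resolver):
    """Return 'verified', 'spoofed' or 'no-claim' for one (ip, user-agent) hit."""
    crawler = claimed_crawler(user_agent)
    if crawler is None:
        return "no-claim"
    name = (resolver.reverse(ip) or "").rstrip(".").lower()
    # Match only on a label boundary, so evilgooglebot.com does not pass.
    if not any(name == d or name.endswith("." + d) for d in CRAWLER_DOMAINS[crawler]):
        return "spoofed"
    # Forward-confirm: a forged PTR record will not resolve back to the IP.
    return "verified" if ip in resolver.forward(name) else "spoofed"

def triage(hits, resolver):
    return {ip: verify_crawler(ip, ua, resolver) for ip, ua in hits}

SAMPLE_HITS = [  # constructed (ip, user-agent) pairs as a traffic tool might list them
    ("203.0.113.10", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("203.0.113.5", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("198.51.100.9", "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"),
    ("192.0.2.44", "Mozilla/5.0 (Windows NT 6.1) Firefox/30.0"),
]
RESOLVER = FakeResolver(  # constructed DNS answers
    ptr={"203.0.113.10": "crawl-203-0-113-10.googlebot.com.", "203.0.113.5": "host5.example.net.",
         "198.51.100.9": "msnbot-198-51-100-9.search.msn.com."},
    a={"crawl-203-0-113-10.googlebot.com": ["203.0.113.10"],
       "msnbot-198-51-100-9.search.msn.com": ["198.51.100.1"]},  # forward mismatch: spoofed
)
```

Only hits that come back "spoofed" deserve a block; "verified" ones are real crawlers and are better handled by robots.txt and Webmaster Tools crawl settings than by an IP ban.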
