^ 5 minutes aren't enough. I'm managing a site attacked once a day by different IPs owned by the same company since July. Attackers are alternating IPs. That's just for yesterday:
146.0.74.234 - [30/Nov/2013:00:01:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:01:16:32 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:02:34:48 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:03:51:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.28 - [30/Nov/2013:05:13:00 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:06:26:56 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:07:44:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:09:00:09 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:10:20:12 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.212 - [30/Nov/2013:11:38:34 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:12:59:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:14:18:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:15:40:37 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.206 - [30/Nov/2013:16:59:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.27 - [30/Nov/2013:18:21:33 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.204 - [30/Nov/2013:19:42:03 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:20:59:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.79.23 - [30/Nov/2013:22:22:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:23:37:06 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
As you can see, the AdminExile penalty is of no use here, only a strong Key + Value has a very nice effect. I was never even mailed for this attack since July, I just discovered it from the logs because of another successful hack.
So I think it would be essential to be able to rename the /administrator/ folder and to make another one as a bot-trap.
Just imagine a chain like: /g1l9P76z/index.php?YuRh9A2o1q=xT62Bta9z8 to be able to log in. /administrator/ folder renaming + bot-trap should be native in Joomla! directly at first installation. With Encrypt configuration to secure sites without SSL.
Also something essential is to subscribe to a service like
http://www.stopforumspam.com/
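
The pattern in the log excerpt above, as an added example that is not part of the original post: a per-IP burst rule never fires on login-page hits spaced more than an hour apart from rotating addresses, while counting the same requests per network per day does. The sample lines are constructed (documentation address ranges), and the function names, the /24 grouping and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Matches the log format shown in the post: IP - [timestamp] "GET <login URL> ..."
LINE = re.compile(
    r'^(\S+) - \[([^\]]+)\] "GET /administrator/index\.php\?option=com_login ')

# Constructed sample lines (RFC 5737 documentation addresses), same spacing pattern.
SAMPLE = """\
198.51.100.234 - [30/Nov/2013:00:01:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.208 - [30/Nov/2013:01:16:32 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
203.0.113.37 - [30/Nov/2013:02:34:48 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
203.0.113.25 - [30/Nov/2013:03:51:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.28 - [30/Nov/2013:05:13:00 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
203.0.113.37 - [30/Nov/2013:06:26:56 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
198.51.100.170 - [30/Nov/2013:07:44:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
"""

def parse(lines):
    """Yield (ip, timestamp) for every admin login-page request."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def per_ip_bursts(hits, window=timedelta(minutes=5), limit=3):
    """IPs that a per-IP rule (limit hits inside window) would penalise."""
    by_ip = defaultdict(list)
    for ip, ts in hits:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                flagged.add(ip)
    return flagged

def per_network_daily(hits, prefix=24, limit=3):
    """(network, day) pairs with at least limit login-page hits, whatever the source IP."""
    counts = defaultdict(int)
    for ip, ts in hits:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        counts[(str(net), ts.date())] += 1
    return {key: n for key, n in counts.items() if n >= limit}

if __name__ == "__main__":
    hits = list(parse(SAMPLE.splitlines()))
    print("per-IP rule flags:", per_ip_bursts(hits))
    print("per-network daily counts:", per_network_daily(hits))
```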