
Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 1:42 pm
by WebJIVE
I don't know about others within the J community but we have seen large spikes in brute force password attempts on our servers this year. Just like WP had previously..

We did some digging and it seems like these guys are building tools specifically for Joomla now like [removed]

Other than strong passwords, what are some measures you guys are using? We did a mod_security rule recently that we're testing now that might need some beefing up. Not sure.. I'll share here.

What this mod_sec rule does (is designed to do) is watch the Joomla administrator URL path; repeated attempts are recorded and then long delays are put into place if you get past so many attempts.

<LocationMatch ^/administrator/index.php>
# Track state per client IP
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
# A failed login is recognised by the error text in the response body; count it and let the count expire after 10 seconds
SecRule RESPONSE_BODY "Username and password do not match" "phase:4,pass,setvar:ip.failed_logins=+1,expirevar:ip.failed_logins=10"
# After more than 3 failures, slow the response down by 3 seconds
SecRule IP:FAILED_LOGINS "@gt 3" "phase:4,allow,pause:3000"
</LocationMatch>

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 1:46 pm
by brian
Nothing new really

Personally I use admintools to block repeated attempts from the same ip

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 1:53 pm
by WebJIVE
Thanks Brian. We have a large mix of J 1.0, J1.5 and J2.5 sites (over 200, and we have tried to get users to pay for upgrades. didn't fly) so, installing a plugin in each would be a big challenge plus testing. This is why we're opting for server level detection.

Tools like mod_security give us the ability to craft rules that monitor for this behavior. You have experience with modsec rules?

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 1:55 pm
by brian
Mod sec is the way to go for you then

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 2:00 pm
by Slackervaara
It could probably be blocked through htaccess, if you find a word that they always use but that is never used in normal Joomla administration. It is very easy to do this.

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 2:06 pm
by WebJIVE
Slackervaara.. Thanks.. We inspected the body of current Joomla versions (1.5 - 3) and "Username and password do not match" is in the body so, it's something we can scan for.

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 2:31 pm
by Slackervaara
Blocking could be done like this, which I use for stopping SQL injection.

RewriteCond %{QUERY_STRING} .*jos_.*
RewriteRule .* index.php [F]

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 2:41 pm
by WebJIVE
Slackervaara.. Thx.. we use the Atomic Linux mod sec rules for this one too.. Our logs are FULL of 1000's of attempted SQL injections..

Too many automated bots doing this these days. :P

I think it's good to get this thread rolling on this subject so that a good mod_security rule can be vetted for password attempts.. This will help LOTS of Joomla hosting companies :)

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 3:06 pm
by Slackervaara
Unfortunately my webhost does not have mod_security, so I have to rely on htaccess unless someone provides mod_security written in PHP that I can install myself on the site. Sometimes it is not good to have the cheapest webhost.

Re: Joomla admin brute force password attempts

Posted: Thu Jul 18, 2013 3:13 pm
by WebJIVE
Slackervaara. you are correct.. We are not a cheap hosting company but, we do nightly and monthly backups while also continually tweaking mod_security and other measures to prevent this. We also offer free site restores and free-unhack assistance just in case you do. But, we also charge $20 monthly for all that..

Having your own servers is nice but, it does come with headaches. Since we do primarily Joomla hosting, that's the security we target first and foremost. We also have strong firewall rules for attempted FTP and email account brute force attempts.. This locks a lot of clients out of their own site but, I would rather have a support ticket for that than a compromised email or FTP account.

Re: Joomla admin brute force password attempts

Posted: Fri Jul 19, 2013 11:51 am
by Slackervaara
Nice webhost you have and something many need to consider. Do you have ftp-logs, so one can see if someone got access to the site that way? Approximately how big a percentage of your Joomla sites are hacked and what is the prime reason behind the hack?

Re: Joomla admin brute force password attempts

Posted: Fri Jul 19, 2013 12:28 pm
by WebJIVE
We have full logging! We're a standard cPanel shop as well so users have access to their logs. So far, we haven't had to use them.. knock on wood.. We also use exploit scanner from Config server which saves our bacon a lot. No hosting company is immune to new attacks but, we work really hard to keep things tight and clean.

Gets tiring sometimes but, we work hard for our customers.

Re: Joomla admin brute force password attempts

Posted: Sat Jul 27, 2013 4:21 am
by jawsmith
On Joomla 1.5 I do the following:
- Hide the /administrator directory using the "Backend Token" plugin (http://archive.extensions.joomla.org/ex ... tion/13919) - apparently not available for newer Joomla versions and has therefore been moved to the archive. Works like a charm on Joomla 1.5. I think there are other plugins providing similar functionality as part of other stuff they also do.

- Add a 2-second delay on each user authentication: Add "sleep(2);" to the very beginning of the onAuthenticate() function in /plugins/authentication/joomla.php. That will:
-- Add the delay to both front and back end
-- Reduce brute forcing ability for both password and user name, without bothering legitimate users
-- Add a delay to both failed and successful logins. The delay is necessary in both the pass and fail branches of the password/user name check, since an attacker can check whether the response is slow and use that as an indicator - cutting down the delay time. But a delay in both branches eliminates that possibility.

Re: Joomla admin brute force password attempts

Posted: Sat Jul 27, 2013 5:12 pm
by enbees
jawsmith wrote:On Joomla 1.5 I do following:
- Hide the /administrator directory using the "Backend Token" plugin (http://archive.extensions.joomla.org/ex ... tion/13919) - apparently not available for newer Joomla versions and has therefore been moved to the archive. Works like a charm on Joomla 1.5. I think there are other plugins providing similar functionality as part of other stuff they also do.
I love this and I think the plugin can be replaced by a few lines of PHP code (though it will "hack" the Joomla core a bit :))
Thanks.

Re: Joomla admin brute force password attempts

Posted: Sat Jul 27, 2013 5:26 pm
by enbees
brian wrote:Nothing new really

Personally I use admintools to block repeated attempts from the same ip
Yes. That is the way I would go too. Thanks.

Well actually, I use my ftp to edit the .htaccess to block a list of these IPs since it's a lot easier for me.

Re: Joomla admin brute force password attempts

Posted: Sat Jul 27, 2013 8:37 pm
by WebJIVE
The challenge guys is when you have to protect 200 plus and growing. Can't touch every account like that. Has to be a method that works for all sites.

Re: Joomla admin brute force password attempts

Posted: Mon Nov 25, 2013 11:38 am
by robato
Maybe you can find a solution here:
http://anything-digital.com/blog/securi ... tacks.html

The big problem is that the new brute force attacks use many different IPs. So blocking on IP isn't good enough!

Re: Joomla admin brute force password attempts

Posted: Mon Nov 25, 2013 6:58 pm
by Slackervaara
AdminExile has protection against brute force attacks and blocks the ip-address after 3 attempts for 5 minutes, and the administrator can get a mail with a report of the ip-address. I now have this on my site and get 5 mails per day.
http://extensions.joomla.org/extensions ... tion/15711

Re: Joomla admin brute force password attempts

Posted: Mon Nov 25, 2013 7:52 pm
by robato
Do these solutions really protect against distributed brute force attacks? They only block one ip-address, see further explanation here: http://blog.sucuri.net/2013/09/big-incr ... sites.html

Re: Joomla admin brute force password attempts

Posted: Mon Nov 25, 2013 8:01 pm
by Slackervaara
AdminExile does take this too. Because AdminExile has a second URL-password, but even if they don't use this and just try to access the admin area the normal way they get banned from the site for 5 minutes. So it's impossible for them to succeed.

Re: Joomla admin brute force password attempts

Posted: Sun Dec 01, 2013 8:53 am
by LouFlo
^ 5 minutes aren't enough. I'm managing a site attacked once a day by different IPs owned by the same company since July. Attackers are alternating IPs. That's just yesterday:

146.0.74.234 - [30/Nov/2013:00:01:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:01:16:32 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:02:34:48 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:03:51:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.28 - [30/Nov/2013:05:13:00 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:06:26:56 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:07:44:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:09:00:09 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:10:20:12 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.212 - [30/Nov/2013:11:38:34 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:12:59:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:14:18:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:15:40:37 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.206 - [30/Nov/2013:16:59:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.27 - [30/Nov/2013:18:21:33 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.204 - [30/Nov/2013:19:42:03 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:20:59:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.79.23 - [30/Nov/2013:22:22:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:23:37:06 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
As you can see, the AdminExile penalty is of no use here, only a strong Key + Value has a very nice effect. I was never even mailed for this attack since July, I just discovered it from the logs because of another successful hack.

So I think it would be essential to be able to rename /administrator/ folder and to make another as bot-trap.
Just imagine a chain like: /g1l9P76z/index.php?YuRh9A2o1q=xT62Bta9z8 to be able to login. /administrator/ folder renaming + bot-trap should be native in Joomla! directly at first installation. With Encrypt configuration to secure sites without SSL.

Also something essential is to subscribe to a service like http://www.stopforumspam.com/
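To make the point in the post above concrete, here is an added example (not code from the thread or from any Joomla extension) that reads the 19 log lines LouFlo posted and models two per-source ban policies mentioned in this thread: AdminExile's "3 attempts, then a 5-minute ban" and the "more than 15 attempts in 3 minutes" threshold in WebJIVE's mod_security rule. The policy functions and the /24 aggregation are my own simplifications, not how either product actually counts; the log lines are copied from the post. The result shows why neither per-IP policy ever fires on this traffic (no IP repeats within hours of itself) while grouping by network prefix makes the campaign obvious in one pass.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# The 19 access-log lines LouFlo posted above (30 Nov 2013), embedded so this runs offline.
LOG_LINES = """\
146.0.74.234 - [30/Nov/2013:00:01:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:01:16:32 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:02:34:48 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:03:51:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.28 - [30/Nov/2013:05:13:00 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:06:26:56 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:07:44:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:09:00:09 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:10:20:12 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.212 - [30/Nov/2013:11:38:34 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:12:59:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:14:18:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:15:40:37 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.206 - [30/Nov/2013:16:59:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.27 - [30/Nov/2013:18:21:33 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.204 - [30/Nov/2013:19:42:03 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:20:59:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.79.23 - [30/Nov/2013:22:22:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:23:37:06 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
"""

# ip, [timestamp], "request" -- the shape of the lines in the post (not full combined log format)
LINE_RE = re.compile(r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_log(text):
    """Return (ip, datetime, request) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, m.group("req")))
    return events


def _times_by_ip(events):
    by_ip = defaultdict(list)
    for ip, ts, _ in events:
        by_ip[ip].append(ts)
    for times in by_ip.values():
        times.sort()
    return by_ip


def banned_ips(events, max_attempts=3, window_seconds=300):
    """Simplified per-source policy (assumption, not any product's exact logic):
    an IP is banned once it makes max_attempts hits within window_seconds."""
    window = timedelta(seconds=window_seconds)
    banned = set()
    for ip, times in _times_by_ip(events).items():
        for i in range(max_attempts - 1, len(times)):
            if times[i] - times[i - max_attempts + 1] <= window:
                banned.add(ip)
                break
    return banned


def min_gap_same_ip(events):
    """Smallest interval between two consecutive hits from one IP, in seconds (None if no IP repeats)."""
    gaps = []
    for times in _times_by_ip(events).values():
        gaps.extend((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return min(gaps) if gaps else None


def hits_by_prefix(events, prefix_len=24):
    """Count hits per network of the given prefix length, e.g. '146.0.74.0/24' -> 10."""
    counts = defaultdict(int)
    for ip, _, _ in events:
        counts[str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = parse_log(LOG_LINES)
    print(len(ev), "hits on com_login from", len({e[0] for e in ev}), "distinct IPs")
    print("banned by 3-in-5-minutes:", banned_ips(ev))
    print("banned by 15-in-3-minutes:", banned_ips(ev, 15, 180))
    print("closest repeat from a single IP (s):", min_gap_same_ip(ev))
    for net, n in sorted(hits_by_prefix(ev).items(), key=lambda kv: -kv[1]):
        print(f"{net}: {n}")
```

Run as-is it reports 19 hits from 12 IPs, an empty ban set under both policies, a closest same-IP repeat of almost four hours, and 10 of the 19 hits coming from 146.0.74.0/24. A per-target counter (hits on the login URL from anyone, per day) or a per-prefix counter is what would have surfaced this; a per-IP window never can.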

Re: Joomla admin brute force password attempts

Posted: Sun Dec 01, 2013 11:23 am
by Slackervaara
Those attacks are innocent, because they are not aware that the AdminExile password is needed and they are not trying to figure that out. They just try to log in the normal way in administrator. You can also increase the 5 minutes in AdminExile to a longer time.

Re: Joomla admin brute force password attempts

Posted: Sun Dec 01, 2013 11:42 am
by LouFlo
^ Of course I did ! :D
And because they are using always same IPs they are blocked with htaccess from whole domain.
But some others could be a true danger.
I also noticed regular attempts to /wp-admin/ - /blog/wp-admin/ - /wordpress/wp-admin/ - /wp/wp-admin/ from various IPs I would like to catch putting these in a bot-trap and to signal to stopforumspam and/or honeypot project, akismet, etc. because I'm certain everyone would be so quiet contributing with a global action. 8)

Re: Joomla admin brute force password attempts

Posted: Mon Dec 02, 2013 7:41 pm
by Slackervaara
In addition, if someone succeeds in finding out the password for the admin area, you will know that because AdminExile will report it when they fail to find out the real password, because it will take many attempts to find it out. You can see that in the mail from AdminExile. Then it is just to change the password of AdminExile and they have to start again from scratch.

Re: Joomla admin brute force password attempts

Posted: Mon Dec 02, 2013 10:02 pm
by dattard
One script I've found really successful is zbblock. It blocks thousands of attempts and agents which are clearly malicious, SQL injection attacks, malicious behaviours, SPAMMY behaviours and much much more. Since I've installed it, I barely see any of those anymore. And yes the log does tend to bloat up very quickly from the sheer number of malicious bot activity hitting websites! It's good for any type of PHP site. The slight drawback, it adds a bit of overhead to the response time. Milliseconds really, but if you're into that sort of thing, you'll notice it.

Here's a quick write up about it: http://www.dart-creations.com/joomla/jo ... -spam.html

HTH

Re: Joomla admin brute force password attempts

Posted: Sun Dec 15, 2013 4:00 am
by leolam
WebJIVE wrote:The challenge guys is when you have to protect 200 plus and growing. Can't touch every account like that. Has to be a method that works for all sites.
If you have cPanel you should have Configserver install their suite. This will protect you very well. We use this on all our servers. Money well spent!

(If you have WHM you should enable BruteForceProtection)

Leo 8)

Re: Joomla admin brute force password attempts

Posted: Sun Dec 15, 2013 6:15 pm
by LouFlo
Would there be a way to portscan or pingflood IPs to be excluded by their firewall?
Or to help to discover a real mail address where to massively complain as a sort of DDoS mail bomb? This war was begun by black hats and I'm tired of staying on the defensive.

Re: Joomla admin brute force password attempts

Posted: Mon Dec 16, 2013 9:02 am
by leolam
epidemija wrote:is any good solution for joomla 1.5?
Migrate to Joomla 3.x, then you have enough extensions available to support you

Leo 8)

Re: Joomla admin brute force password attempts

Posted: Wed Apr 02, 2014 2:04 pm
by WebJIVE
After some more tweaking, looks like we have a working rule now. :)

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10011
<LocationMatch /administrator/index.php>
        # Setup brute force detection.

        # React if block flag has been set.
        # (needs its own rule id: ModSecurity refuses to load two rules sharing id 10011)
        SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10014"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
        # Each failure adds 1; the counter decays by 1 every 180 seconds.
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
        # Chained: once the counter passes 15, set the block flag for 300 seconds and reset the counter.
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

Re: Joomla admin brute force password attempts

Posted: Fri Jun 20, 2014 6:40 am
by joshuatan17
WebJIVE wrote:After some more tweaking, looks like we have a working rule now. :)

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10011
<LocationMatch /administrator/index.php>
        # Setup brute force detection.

        # React if block flag has been set.
        # (needs its own rule id: ModSecurity refuses to load two rules sharing id 10011)
        SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10014"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
        # Each failure adds 1; the counter decays by 1 every 180 seconds.
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
        # Chained: once the counter passes 15, set the block flag for 300 seconds and reset the counter.
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
Hi there WebJIVE...

I'm new to ModSecurity. May I know where do I put the rule i.e. which file?