Joomla admin brute force password attempts

Discussion regarding Joomla! 2.5 security issues.

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Joomla admin brute force password attempts

Post by WebJIVE » Thu Jul 18, 2013 1:42 pm

I don't know about others within the J community but, we have seen large spikes in brute force password attempts on our servers this year. Just like WP had previously..

We did some digging and it seems like these guys are building tools specifically for Joomla now like [removed]

Other than strong passwords, what are some measures you guys are using? We did a mod_security rule recently that we're testing now that might need some beefing up. Not sure.. I'll share here.

What this mod_sec rule does (is designed to do) is watch the Joomla administrator URL path; repeated attempts are recorded, and long delays are put in place once you get past a certain number of attempts.

Code:

# RESPONSE_BODY is only populated when SecResponseBodyAccess is On.
<LocationMatch ^/administrator/index.php>
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
SecRule RESPONSE_BODY "Username and password do not match" "phase:4,pass,setvar:ip.failed_logins=+1,expirevar:ip.failed_logins=10"
SecRule IP:FAILED_LOGINS "@gt 3" "phase:4,allow,pause:3000"
</LocationMatch>
Last edited by mandville on Fri Jul 19, 2013 12:37 am, edited 1 time in total.
Reason: Removed link short urls are forbidden on this forum, as are links to hacker sites, sites promoting hacking, hacker 'kudos'
Little Rock SEO, Arkansas Web Design, Hosting, and Review Management
http://www.web-jive.com

brian
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Joomla admin brute force password attempts

Post by brian » Thu Jul 18, 2013 1:46 pm

Nothing new really

Personally I use admintools to block repeated attempts from the same ip
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Thu Jul 18, 2013 1:53 pm

Thanks Brian. We have a large mix of J 1.0, J1.5 and J2.5 sites (over 200, and we have tried to get users to pay for upgrades; didn't fly) so installing a plugin in each would be a big challenge, plus testing. This is why we're opting for server level detection.

Tools like mod_security give us the ability to craft rules that monitor for this behavior. You have experience with mod_sec rules?

brian
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Joomla admin brute force password attempts

Post by brian » Thu Jul 18, 2013 1:55 pm

Mod sec is the way to go for you then

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Joomla admin brute force password attempts

Post by Slackervaara » Thu Jul 18, 2013 2:00 pm

It could probably be blocked through htaccess, if you find a word that they always use but that is never used in normal Joomla administration. It is very easy to do this.

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Thu Jul 18, 2013 2:06 pm

Slackervaara.. Thanks.. We inspected the body of current Joomla versions (1.5 - 3) and "Username and password do not match" is in the body so, it's something we can scan for.

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Joomla admin brute force password attempts

Post by Slackervaara » Thu Jul 18, 2013 2:31 pm

Blocking could be done like this, which I use for stopping SQL injection:

RewriteCond %{QUERY_STRING} .*jos_.*
RewriteRule .* index.php [F]

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Thu Jul 18, 2013 2:41 pm

Slackervaara.. Thx.. We use the Atomic Linux mod_sec rules for this one too.. Our logs are FULL of 1000's of attempted SQL injections..

Too many automated bots doing this these days. :P

I think it's good to get this thread rolling on this subject so that a good mod_security rule can be vetted for password attempts.. This will help LOTS of Joomla hosting companies :)

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Joomla admin brute force password attempts

Post by Slackervaara » Thu Jul 18, 2013 3:06 pm

Unfortunately my webhost does not have mod_security, so I have to rely on htaccess unless someone provides me with mod_security written in PHP that I can install myself on the site. Sometimes it is not good to have the cheapest webhost.

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Thu Jul 18, 2013 3:13 pm

Slackervaara, you are correct.. We are not a cheap hosting company but, we do nightly and monthly backups while also continually tweaking mod_security and other measures to prevent this. We also offer free site restores and free unhack assistance just in case you do. But, we also charge $20 monthly for all that..

Having your own servers is nice but, it does come with headaches. Since we do primarily Joomla hosting, that's the security we target first and foremost. We also have strong firewall rules for attempted FTP and email account brute force attempts.. This locks a lot of clients out of their own site but, I would rather have a support ticket for that than a compromised email or FTP account.

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Joomla admin brute force password attempts

Post by Slackervaara » Fri Jul 19, 2013 11:51 am

Nice webhost you have and something many need to consider. Do you have FTP logs, so one can see if someone got access to the site that way? Approximately how big a percentage of your Joomla sites are hacked, and what is the prime reason behind the hack?

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Fri Jul 19, 2013 12:28 pm

We have full logging! We're a standard cPanel shop as well so users have access to their logs. So far, we haven't had to use them.. knock on wood.. We also use exploit scanner from Config server which saves our bacon a lot. No hosting company is immune to new attacks but, we work really hard to keep things tight and clean.

Gets tiring sometimes but, we work hard for our customers.

jawsmith
Joomla! Apprentice
Posts: 5
Joined: Tue Jul 05, 2011 9:22 am

Re: Joomla admin brute force password attempts

Post by jawsmith » Sat Jul 27, 2013 4:21 am

On Joomla 1.5 I do the following:
- Hide the /administrator directory using the "Backend Token" plugin (http://archive.extensions.joomla.org/ex ... tion/13919) - apparently not available for newer Joomla versions and therefore moved to the archive. Works like a charm on Joomla 1.5. I think there are other plugins providing similar functionality as part of other stuff they also do.

- Add a 2 second delay on each user authentication: add "sleep(2);" to the very beginning of the onAuthenticate() function in /plugins/authentication/joomla.php. That will:
-- Add the delay to both front and back end
-- Reduce brute forcing ability for both password and user name, without bothering legitimate users
-- Add a delay to both failed and successful logins. The delay is necessary in both the pass and fail branches of the password/user name check, since an attacker can check whether the response is slow and use that as an indicator, cutting down the delay time. A delay in both branches eliminates that possibility.

enbees
Joomla! Guru
Posts: 860
Joined: Mon Sep 20, 2010 7:58 am
Location: Jakarta - Indonesia

Re: Joomla admin brute force password attempts

Post by enbees » Sat Jul 27, 2013 5:12 pm

jawsmith wrote:On Joomla 1.5 I do the following:
- Hide the /administrator directory using the "Backend Token" plugin (http://archive.extensions.joomla.org/ex ... tion/13919) - apparently not available for newer Joomla versions and therefore moved to the archive. Works like a charm on Joomla 1.5. I think there are other plugins providing similar functionality as part of other stuff they also do.
I love this and I think the plugin can be replaced by a few lines of PHP code (though it will "hack" the Joomla core a bit :))
Thanks.
Regards,
enbees, I'm here: http://koperasoft.com

enbees
Joomla! Guru
Posts: 860
Joined: Mon Sep 20, 2010 7:58 am
Location: Jakarta - Indonesia

Re: Joomla admin brute force password attempts

Post by enbees » Sat Jul 27, 2013 5:26 pm

brian wrote:Nothing new really

Personally I use admintools to block repeated attempts from the same ip
Yes. That is the way I would go too. Thanks.

Well actually, I use my FTP to edit the .htaccess to block a list of these IPs since it is a lot easier for me.

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Sat Jul 27, 2013 8:37 pm

The challenge, guys, is when you have to protect 200 plus and growing. Can't touch every account like that. Has to be a method that works for all sites.

robato
Joomla! Intern
Posts: 83
Joined: Sun Jan 31, 2010 6:06 pm

Re: Joomla admin brute force password attempts

Post by robato » Mon Nov 25, 2013 11:38 am

Maybe you can find a solution here:
http://anything-digital.com/blog/securi ... tacks.html

The big problem is that the new brute force attacks use many different IPs. So blocking on IP isn't good enough!

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Joomla admin brute force password attempts

Post by Slackervaara » Mon Nov 25, 2013 6:58 pm

AdminExile has protection against brute force attacks and blocks the IP address after 3 attempts for 5 minutes, and the administrator can get a mail with a report of the IP address. I now have this on my site and get 5 mails per day.
http://extensions.joomla.org/extensions ... tion/15711

robato
Joomla! Intern
Posts: 83
Joined: Sun Jan 31, 2010 6:06 pm

Re: Joomla admin brute force password attempts

Post by robato » Mon Nov 25, 2013 7:52 pm

Do these solutions really protect against distributed brute force attacks? They only block one IP address, see further explanation here: http://blog.sucuri.net/2013/09/big-incr ... sites.html

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Joomla admin brute force password attempts

Post by Slackervaara » Mon Nov 25, 2013 8:01 pm

AdminExile does take care of this too, because AdminExile has a second URL password. But even if they don't use this and just try to access the admin area the normal way, they get banned from the site for 5 minutes. So it's impossible for them to succeed.

LouFlo
Joomla! Intern
Posts: 66
Joined: Thu Nov 14, 2013 2:50 pm

Re: Joomla admin brute force password attempts

Post by LouFlo » Sun Dec 01, 2013 8:53 am

^ 5 minutes aren't enough. I'm managing a site attacked once a day by different IPs owned by the same company since July. Attackers are alternating IPs. That's just for yesterday:

Code:

146.0.74.234 - [30/Nov/2013:00:01:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:01:16:32 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:02:34:48 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:03:51:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.28 - [30/Nov/2013:05:13:00 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.218.37 - [30/Nov/2013:06:26:56 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:07:44:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.25 - [30/Nov/2013:09:00:09 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:10:20:12 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.212 - [30/Nov/2013:11:38:34 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:12:59:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.208 - [30/Nov/2013:14:18:29 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:15:40:37 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.206 - [30/Nov/2013:16:59:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
5.39.219.27 - [30/Nov/2013:18:21:33 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.204 - [30/Nov/2013:19:42:03 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.74.170 - [30/Nov/2013:20:59:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.79.23 - [30/Nov/2013:22:22:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
146.0.73.156 - [30/Nov/2013:23:37:06 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"
As you can see, the AdminExile penalty is of no use here; only a strong Key + Value has a very nice effect. I was never even mailed for this attack since July; I just discovered it from the logs because of another successful hack.

So I think it would be essential to be able to rename the /administrator/ folder and to make another one as a bot-trap.
Just imagine a chain like /g1l9P76z/index.php?YuRh9A2o1q=xT62Bta9z8 to be able to login. /administrator/ folder renaming + bot-trap should be native in Joomla! directly at first installation, with Encrypt configuration to secure sites without SSL.

Also something essential is to subscribe to a service like http://www.stopforumspam.com/
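A defender-side way to see what LouFlo's log shows, as an added example (not code from the thread or from any extension mentioned in it): group admin-login hits by /24 so that addresses taking turns inside one network still trip a threshold that a single per-IP counter never reaches. The sample lines reuse a few entries from the excerpt above plus a constructed benign request and a malformed line; the window and the distinct-IP threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a few lines from the excerpt above, one benign front-end
# request and one malformed line that the parser must skip.
SAMPLE_LOG = [
    '146.0.74.234 - [30/Nov/2013:00:01:10 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"',
    '146.0.74.208 - [30/Nov/2013:01:16:32 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"',
    '5.39.218.37 - [30/Nov/2013:02:34:48 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"',
    '5.39.219.25 - [30/Nov/2013:03:51:25 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"',
    '146.0.74.28 - [30/Nov/2013:05:13:00 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"',
    '5.39.218.37 - [30/Nov/2013:06:26:56 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"',
    '146.0.74.170 - [30/Nov/2013:07:44:38 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"',
    '146.0.73.156 - [30/Nov/2013:10:20:12 +0100] "GET /administrator/index.php?option=com_login HTTP/1.1"',
    '203.0.113.9 - [30/Nov/2013:10:30:00 +0100] "GET /index.php?option=com_content HTTP/1.1"',
    'not a log line at all',
]

LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ADMIN_LOGIN_PATH = "/administrator/index.php"

def parse_line(line):
    """Return (ip, timestamp, method, path), or None for a line that does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("method"), m.group("path")

def is_admin_login(path):
    """True for the back-end login page, query string included."""
    return path.split("?", 1)[0] == ADMIN_LOGIN_PATH and "option=com_login" in path

def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"

def per_ip_counts(lines):
    """The view a single-IP blocker has: admin-login hits per source address."""
    return Counter(r[0] for r in map(parse_line, lines) if r and is_admin_login(r[3]))

def distributed_login_probes(lines, window=timedelta(hours=24), min_distinct_ips=3):
    """Group admin-login hits by /24 and flag prefixes where at least
    min_distinct_ips different addresses hit the page within one window.
    Returns {prefix: {"ips": sorted list, "hits": count}}."""
    by_prefix = defaultdict(lambda: {"ips": set(), "hits": 0, "times": []})
    for rec in map(parse_line, lines):
        if rec is None or not is_admin_login(rec[3]):
            continue
        ip, ts = rec[0], rec[1]
        bucket = by_prefix[slash24(ip)]
        bucket["ips"].add(ip)
        bucket["hits"] += 1
        bucket["times"].append(ts)
    flagged = {}
    for prefix, b in by_prefix.items():
        if len(b["ips"]) >= min_distinct_ips and max(b["times"]) - min(b["times"]) <= window:
            flagged[prefix] = {"ips": sorted(b["ips"]), "hits": b["hits"]}
    return flagged
```

On the sample, no single address exceeds two hits, so a per-IP rule with a threshold of 3 stays silent while the /24 view flags 146.0.74.0/24 with four distinct sources.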

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Joomla admin brute force password attempts

Post by Slackervaara » Sun Dec 01, 2013 11:23 am

Those attacks are innocent, because they are not aware that the AdminExile password is needed and they are not trying to figure that out. They just try to log in the normal way in administrator. You can also increase the 5 minutes in AdminExile to a longer time.

LouFlo
Joomla! Intern
Posts: 66
Joined: Thu Nov 14, 2013 2:50 pm

Re: Joomla admin brute force password attempts

Post by LouFlo » Sun Dec 01, 2013 11:42 am

^ Of course I did! :D
And because they are always using the same IPs, they are blocked with htaccess from the whole domain.
But some others could be a true danger.
I also noticed regular attempts to /wp-admin/ - /blog/wp-admin/ - /wordpress/wp-admin/ - /wp/wp-admin/ from various IPs. I would like to catch these by putting them in a bot-trap and to report them to stopforumspam and/or the honeypot project, akismet, etc., because I'm certain everyone would be so quiet contributing with a global action. 8)

Slackervaara
Joomla! Ace
Posts: 1115
Joined: Sat Aug 13, 2011 6:27 am

Re: Joomla admin brute force password attempts

Post by Slackervaara » Mon Dec 02, 2013 7:41 pm

In addition, if someone succeeds in finding out the password for the admin area, you will know that, because AdminExile will report it while they fail to find the real password, since it will take many attempts to find it out. You can see that in the mail from AdminExile. Then it is just a matter of changing the AdminExile password and they have to start again from scratch.

dattard
Joomla! Ace
Posts: 1035
Joined: Tue Apr 11, 2006 7:29 pm

Re: Joomla admin brute force password attempts

Post by dattard » Mon Dec 02, 2013 10:02 pm

One script I've found really successful is zbblock. It blocks thousands of attempts and agents which are clearly malicious, SQL injection attacks, malicious behaviours, spammy behaviours and much much more. Since I've installed it, I barely see any of those anymore. And yes, the log does tend to bloat up very quickly from the sheer number of malicious bot activity hitting websites! It's good for any type of PHP site. The slight drawback: it adds a bit of overhead to the response time. Milliseconds really, but if you're into that sort of thing, you'll notice it.

Here's a quick write up about it: http://www.dart-creations.com/joomla/jo ... -spam.html

HTH
https://www.collectiveray.com - We make Joomla and WordPress Easy: Tutorials, Tips and Tricks, Lots of Free Modules incl. Easy Paypal, Popin Window, Random Flash, Google AdSense, Slide Menu (dropdown), 2CO / Paypal payment, [youtube] module, and more!

leolam
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Joomla admin brute force password attempts

Post by leolam » Sun Dec 15, 2013 4:00 am

WebJIVE wrote:The challenge guys is when you have to protect 200 plus and growing. Can't touch every account like that. Has to be a method that works for all sites.
If you have cPanel you should have Configserver install their suite. This will protect you very well. We use this on all our servers. Money well spent!

(If you have WHM you should enable BruteForceProtection)

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

LouFlo
Joomla! Intern
Posts: 66
Joined: Thu Nov 14, 2013 2:50 pm

Re: Joomla admin brute force password attempts

Post by LouFlo » Sun Dec 15, 2013 6:15 pm

Would there be a way to portscan or pingflood IPs to be excluded by their firewall?
Or to help discover a real mail address where to massively complain, as a sort of DDoS mail bomb? This war was begun by black hats and I'm tired of staying on the defensive.

leolam
Joomla! Master
Posts: 20651
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Joomla admin brute force password attempts

Post by leolam » Mon Dec 16, 2013 9:02 am

epidemija wrote:Is there any good solution for Joomla 1.5?
Migrate to Joomla 3.x, then you have enough extensions available to support you.

Leo 8)

WebJIVE
Joomla! Explorer
Posts: 356
Joined: Thu Sep 15, 2005 6:04 pm
Location: Little Rock, Arkansas

Re: Joomla admin brute force password attempts

Post by WebJIVE » Wed Apr 02, 2014 2:04 pm

After some more tweaking, looks like we have a working rule now. :)

Code:

# Every rule needs a unique id; the SecAction originally reused 10011, which
# ModSecurity rejects as a duplicate, so it is given its own id here.
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10010
<LocationMatch /administrator/index.php>
        # Setup brute force detection.

        # React if block flag has been set.
        SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
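To see how the counters in the rule above behave over time, here is an added Python model of it (not ModSecurity itself and not WebJIVE's code): a failed login (HTTP 200) raises a per-IP counter that deprecatevar decays by 1 every 180 s, a 302 resets it, and exceeding 15 sets a block flag that expirevar clears after 300 s. The decay is approximated as whole 180 s steps since the counter's last update, which is an assumption about the engine's bookkeeping, and the client in simulate_failed_logins is constructed.

```python
from dataclasses import dataclass

@dataclass
class IpState:
    bf_counter: int = 0           # ip.bf_counter
    counter_updated: float = 0.0  # when bf_counter last changed (drives deprecatevar)
    block_until: float = 0.0      # user.bf_block is "set" while now < block_until (expirevar)

class AdminLoginThrottle:
    """Model of the posted rule set. Failed logins answer 200, successful ones 302.
    Assumption: deprecatevar decays the counter in whole steps of `decay_seconds`
    since its last update; the real engine's bookkeeping differs in detail."""

    def __init__(self, threshold=15, decay_seconds=180, block_seconds=300):
        self.threshold = threshold          # "@gt 15"
        self.decay_seconds = decay_seconds  # deprecatevar:ip.bf_counter=1/180
        self.block_seconds = block_seconds  # expirevar:user.bf_block=300
        self.state = {}                     # one IpState per REMOTE_ADDR

    def _state(self, ip):
        return self.state.setdefault(ip, IpState())

    def current_counter(self, ip, now):
        """bf_counter after applying the 1-per-180 s decay."""
        st = self._state(ip)
        if st.bf_counter == 0:
            return 0
        steps = int((now - st.counter_updated) // self.decay_seconds)
        return max(0, st.bf_counter - steps)

    def check_request(self, ip, now):
        """Request-phase rule: SecRule user:bf_block "@gt 0" -> deny,status:401."""
        return 401 if self._state(ip).block_until > now else None

    def record_response(self, ip, status, now):
        """Phase-5 rules: run once the back end has answered."""
        st = self._state(ip)
        if status == 302:                       # login succeeded: clear the counter
            st.bf_counter, st.counter_updated = 0, now
        elif status == 200:                     # login form served again: failed attempt
            st.bf_counter = self.current_counter(ip, now) + 1
            st.counter_updated = now
            if st.bf_counter > self.threshold:  # chained rule: set block flag, reset counter
                st.block_until = now + self.block_seconds
                st.bf_counter = 0
        return st.bf_counter

def simulate_failed_logins(throttle, ip, attempts, spacing, start=0.0):
    """Constructed client sending `attempts` wrong passwords `spacing` seconds apart.
    Returns the status each attempt receives: 200 while the form is served, 401 once blocked."""
    seen = []
    for i in range(attempts):
        now = start + i * spacing
        if throttle.check_request(ip, now) == 401:
            seen.append(401)
            continue
        seen.append(200)
        throttle.record_response(ip, 200, now)
    return seen
```

Running the model also shows the rule's window: attempts paced slower than one per 180 s never let the counter climb past 1, so the 15-in-3-minutes threshold only catches fast runs.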

joshuatan17
Joomla! Apprentice
Posts: 11
Joined: Fri Jun 20, 2014 6:37 am

Re: Joomla admin brute force password attempts

Post by joshuatan17 » Fri Jun 20, 2014 6:40 am

WebJIVE wrote:After some more tweaking, looks like we have a working rule now. :)
Hi there WebJIVE...

I'm new to ModSecurity. May I know where do I put the rule i.e. which file?
