Protect Against Brute-force/Proxy Login Attacks

For the past week, I’ve been monitoring activity from a set of IP addresses involved with brute-force login attacks. Brute-force login attacks involve systematic guessing of passwords using various common usernames such as “admin” and “username”. So for example, an attack will target an array of sites, use “admin” as the username, and then make numerous attempts at “guessing” your password. And to obfuscate their malicious activity, the attack is executed from multiple IP addresses, either via proxy or possibly a botnet.

          There are some good plugins and scripts that protect your login page against brute-force attacks, but some of them do so by blocking the attacker’s IP address. For example, if someone or something makes 10 unsuccessful login requests, a login-protection script may automatically block the associated IP address and thwart the attack. So by using multiple IPs, the attacker increases the number of “undetected” login attempts and decreases the likelihood of getting blocked.

Best protection against bruteforce attacks

The best protection of course is to choose strong passwords and change them regularly. With strong passwords, the chance of a successful brute-force login-attack decreases to virtually zero. And, if you’re heavily targeted (or just paranoid), additional measures may be taken to protect against login attacks. Setting up secondary HTTP password protection is an excellent way to further lock things down. Either of these strategies should protect your site against brute-force attacks, but we can do even more with a bit of .htaccess.

Specific protection for a recent bruteforce/proxy threat

Most brute-force login attacks target a general collection of websites, using common usernames such as the dreaded “admin”. For example, I’ve been monitoring a recent wave of brute-force/proxy login attacks targeting a variety of different sites. By using “admin” as the username, they’re not even in the ballpark, so it’s most likely not a specifically targeted attack.

Scanning the server logs, I’m seeing an increase in the number of failed login attempts for an array of sites. Someone’s trying to get in, and they’re using multiple IPs to make the requests. At first I wasn’t sure how many different IPs were involved, but there were literally so many requests that I began noticing a pattern of similar IPs. So I began logging the different IPs associated with this recent wave of brute-force login attacks.

After two weeks enduring and monitoring the attacks, the botnet seems comprised of the following IP addresses:

2.112.195.83
24.37.22.114
24.199.189.66
37.153.192.49
64.61.155.42
78.32.129.58
79.39.183.124
80.35.16.63
83.70.178.60
90.182.73.81
94.113.137.129
145.253.122.66
131.109.59.90
151.8.12.213
188.13.39.226
188.219.193.186
212.121.116.65
212.183.165.15
217.7.249.243
217.111.161.229
217.128.175.91

Each of these IPs continues to attempt brute-force login attacks, and may be blocked with the following slice of .htaccess:

# 2012 bruteforce botnet
<limit GET POST PUT>
	Order Allow,Deny
	Allow from all
	Deny from 2.112.195.83
	Deny from 24.37.22.114
	Deny from 24.199.189.66
	Deny from 37.153.192.49
	Deny from 64.61.155.42
	Deny from 78.32.129.58
	Deny from 79.39.183.124
	Deny from 80.35.16.63
	Deny from 83.70.178.60
	Deny from 90.182.73.81
	Deny from 94.113.137.129
	Deny from 145.253.122.66
	Deny from 131.109.59.90
	Deny from 151.8.12.213
	Deny from 188.13.39.226
	Deny from 188.219.193.186
	Deny from 212.121.116.65
	Deny from 212.183.165.15
	Deny from 217.7.249.243
	Deny from 217.111.161.229
	Deny from 217.128.175.91
</limit>

When placed in the .htaccess file in either the root directory or the directory housing your login page(s), this tasty slab of Deny directives will block this recent bruteforce proxy or botnet from even accessing your pages. It’s entirely plug-n-play — no editing required. Just remember to remove this “mini-blacklist” at some point in the future, as IPs and malicious activity tend to change over time.

Note If any of these IPs belong to anyone reading this, your machine is either hacked or a proxy server and is being used for malicious intent on the Internets.