KNOWNHOST WIKI

security:misc:checking-access-logs-for-abuse

Differences

This shows you the differences between two versions of the page.

security:misc:checking-access-logs-for-abuse [2019/06/06 17:18]
Jonathan K. W. [Spam Scripts]
security:misc:checking-access-logs-for-abuse [2019/10/11 14:58] (current)
Karson N.
Line 136: Line 136:
 This will output a nice list of the frequency of the IPs hitting which sites' wp-login.php via what request method (POST/​GET) ​ for the current day formatted similar to the following: This will output a nice list of the frequency of the IPs hitting which sites' wp-login.php via what request method (POST/​GET) ​ for the current day formatted similar to the following:
  
-{{{{:​security:​misc:​wpbrute.png?​direct&900|}}+{{{{:​security:​misc:​wpbrute.png?​nolink&900|}}
  
 You can see that the IPs responsible for the most attempts at bruteforcing your Wordpress login are those listed at the bottom. You can then block these IPs accordingly* until you can implement a more effective protection against this type of abuse. ​ You can see that the IPs responsible for the most attempts at bruteforcing your Wordpress login are those listed at the bottom. You can then block these IPs accordingly* until you can implement a more effective protection against this type of abuse. ​
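Review bot: the title field after the "|" in the wpbrute.png tag is still empty, so this screenshot of command output has no alt text, and the same is true of every image tag touched in this revision. Suggest filling in a short title per image (for example, what the output shows), or pasting a sample of the output as text so it stays readable and searchable without the image.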
Line 182: Line 182:
 This will list output showing the  number of requests that each IP is responsible for and to what site. You may be able to temporarily block IPs based on this output and then enable protection on the xmlrpc.php file for more permanent resolution. This will list output showing the  number of requests that each IP is responsible for and to what site. You may be able to temporarily block IPs based on this output and then enable protection on the xmlrpc.php file for more permanent resolution.
  
-{{{{:​security:​misc:​xmlrpc.png?​direct&900|}}+{{{{:​security:​misc:​xmlrpc.png?​nolink&900|}}
  
 ----- -----
Line 229: Line 229:
 Running a WHOIS on the IPs in the range 66.249.66.* results in something like the following (screenshot truncated for the sake of brevity): Running a WHOIS on the IPs in the range 66.249.66.* results in something like the following (screenshot truncated for the sake of brevity):
  
-{{{{:​security:​misc:​whois.png?​direct&750|}}+{{{{:​security:​misc:​whois.png?​nolink&750|}}
  
 However, what about that last IP that is not like the others? However, what about that last IP that is not like the others?
  
-{{{{:​security:​misc:​twip.png?​direct&750|}}+{{{{:​security:​misc:​twip.png?​nolink&750|}}
  
  
Line 311: Line 311:
   define('​DISABLE_WP_CRON',​ true);   define('​DISABLE_WP_CRON',​ true);
  
-{{{{:​security:​misc:​afterwpcron.png?​direct&500|}}+{{{{:​security:​misc:​afterwpcron.png?​nolink&800|}}
  
 Next, setup a real cron job to execute the wp-cron.php. How often you set it to execute is really dependent on the site. You could check the contents of the cron in the wp_options table to determine the smallest time frame between scheduled tasks and then run the cron that often. A default Wordpress blog with low traffic should be fine with the cron running every 15 minutes to an hour. You can adjust as you see fit.  Next, setup a real cron job to execute the wp-cron.php. How often you set it to execute is really dependent on the site. You could check the contents of the cron in the wp_options table to determine the smallest time frame between scheduled tasks and then run the cron that often. A default Wordpress blog with low traffic should be fine with the cron running every 15 minutes to an hour. You can adjust as you see fit. 
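Review bot: the afterwpcron.png line changes the width from 500 to 800 in addition to swapping direct for nolink, and it is the only image in this revision whose size changes. The new revision carries no edit summary, so it is not clear whether the resize is intended; either note it in the summary or keep 500 so the revision stays a pure link-mode change.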
Line 321: Line 321:
 cPanel has a very helpful interface for configuring cronjobs if you are unfamiliar with the syntax. ​ cPanel has a very helpful interface for configuring cronjobs if you are unfamiliar with the syntax. ​
  
-{{{{:​security:​misc:​cpcrons.png?​direct&800|}}+{{{{:​security:​misc:​cpcrons.png?​nolink&800|}}
  
 <WRAP center round tip 60%> <WRAP center round tip 60%>
Line 361: Line 361:
 You may see results like this: You may see results like this:
  
-{{{{:​security:​misc:​domainaccesslogscontactformabuse.png?​direct&​1200|}}+{{{{:​security:​misc:​domainaccesslogscontactformabuse.png?​nolink&​1200|}}
  
 Adding reCaptcha and blocking the responsible IP (provided the attacker was using the same IP and not a myriad of proxy IPs) should be quite effective at mitigating this attack. ​ Adding reCaptcha and blocking the responsible IP (provided the attacker was using the same IP and not a myriad of proxy IPs) should be quite effective at mitigating this attack. ​
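Review bot: with nolink, the 1200-wide domainaccesslogscontactformabuse.png can no longer be clicked through to the full-size file, and the line above it ("You may see results like this:") relies on the reader being able to read the log entries in the screenshot. Suggest keeping direct on this image, or confirming it is legible at the rendered width before dropping the link.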
security/misc/checking-access-logs-for-abuse.1559841506.txt.gz · Last modified: 2019/06/06 17:18 by Jonathan K. W.