Admin Security

The place to talk about things that are related to CMS Made simple, but don't fit anywhere else.
MantaPro
Forum Members
Posts: 78
Joined: Sun Feb 03, 2008 8:14 pm

Admin Security

Post by MantaPro »

Anyone else experiencing "bots" trying to log in to Admin?

I noticed a while ago on a number of my CMSMS installs (all v2.2.10 +) that the admin log showed some failed logins, but from IP addresses that certainly aren't me nor my clients.

I installed a simple event-linked UDT similar to https://cmscanbesimple.org/blog/admin-f ... tification so I now get emails whenever "someone" tries. Sometimes I get 3 or 4 attempts per website per day, nearly always from the Ukraine; they never succeed.

Whenever they try, I add yet another IP address to my .htaccess file to block them from trying again, but doubtless they have access to far more IP addresses than I have patience to keep adding to the .htaccess.

There is no doubt that it is dumb bot probing, mainly because they keep repeating the same failed sign-in and also because it is only occasional rather than brute force.

If this keeps up I'll change the game rather than keep playing the "add to htaccess block list" game. I am aware that I can easily:
  • Rename the /admin folder. They know it is cmsms, therefore they know admin access is via a URL with a "/admin" suffix, so I can rename the folder and update the config file, and then just revert to the /admin/ naming whenever I do a core upgrade.
  • Another easy win would be to add a .htaccess within /admin that limits access to only a very short list of IP locations approved to do admin, probably fewer than 10 fixed public IP addresses that either I or my clients do admin from. It is easy to edit this list if I need to do some admin from a bespoke location.
So yes, I have options. But if these are bots and they are programmed to recognise cmsms (and doubtless WP, 4square, WIX etc.), then presumably many others here also get failed login probing on their installs too?
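The two .htaccess controls discussed above (blocking individual probing addresses, and restricting /admin to a short allowlist of admin IPs) written out as an added example. This is not code from the original post or from CMS Made Simple; it assumes Apache 2.4 with mod_authz_core, that AllowOverride permits authorization directives in .htaccess, and that the admin addresses are fixed public IPs. The allowlist addresses are RFC 5737 documentation placeholders, the blocklist ranges are the two JamesT reports later in the thread, and the 2.2 fallback block is only there for hosts that have not yet moved to 2.4.

```apache
# Example .htaccess for the CMSMS admin directory (added example, not from
# the original post or from CMS Made Simple). Apache 2.4 syntax first,
# with a legacy 2.2 fallback at the end.

# --- Allowlist: only the listed client addresses reach the admin area -----
# Everyone else receives 403 before the login form is even served, so a bot
# that knows the /admin URL still cannot try passwords against it.
# 192.0.2.10, 192.0.2.20 and 198.51.100.0/24 are placeholders; replace them
# with the fixed public addresses you and your clients administer from.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 192.0.2.10
        Require ip 192.0.2.20
        Require ip 198.51.100.0/24
    </RequireAny>
</IfModule>

# --- Blocklist variant (for the site root .htaccess, not /admin) ----------
# Keeps the public site open but rejects known probing ranges. Ranges shown
# are the two JamesT reports in this thread; extend the list as needed.
# Do not combine this with the allowlist in the same directory: the
# allowlist already denies everything it does not list.
#
# <IfModule mod_authz_core.c>
#     <RequireAll>
#         Require all granted
#         Require not ip 212.156.0.0/18
#         Require not ip 213.248.148.0/24
#     </RequireAll>
# </IfModule>

# --- Apache 2.2 fallback for the allowlist --------------------------------
# Only evaluated when mod_authz_core (2.4) is absent.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    Allow from 192.0.2.20
    Allow from 198.51.100.0/24
</IfModule>
```

Two checks before relying on this. First, `Require ip` compares against the TCP peer address (REMOTE_ADDR), not X-Forwarded-For; if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address, so the allowlist will either lock everyone out or, if the proxy's address is listed, let everyone in. In that case mod_remoteip (`RemoteIPHeader` plus `RemoteIPTrustedProxy`) must be configured so the real client address is used. Second, test from both a listed and an unlisted address before logging out, since an allowlist mistake locks the admin out along with the bots. For the folder rename mentioned above, the CMSMS setting is, to my knowledge, `$config['admin_dir']` in config.php; treat that key name as an assumption and check it against your own config.php.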
paulbaker
Dev Team Member
Posts: 1437
Joined: Sat Apr 18, 2009 10:09 pm
Location: Maidenhead, UK

Re: Admin Security

Post by paulbaker »

I use the admin login notification code you linked to on most of my sites. I only see correct logins or logins where a legitimate user gets their password wrong and a few seconds later gets it correct.

I always rename the admin folder. To me it's a no-brainer: so easy to do, and so difficult for an attacker to guess what you have renamed it to. They can't break in through the front door if they can't find the front door in the first place. ;)
JamesT
Forum Members
Posts: 131
Joined: Tue Sep 08, 2015 10:41 am

Re: Admin Security

Post by JamesT »

MantaPro wrote: Anyone else experiencing "bots" trying to log in to Admin?

Actually, yes. Plenty of "admin" login attempts starting Feb 11; I've not noticed this before.

Source IP ranges are 212.156.0.0/18 (TurkTelekom) and 213.248.148.0/24 (Vodafone Net DSL Block - MANISA).
JamesT
Forum Members
Posts: 131
Joined: Tue Sep 08, 2015 10:41 am

Re: Admin Security

Post by JamesT »

I don't even have a user called "admin", so they failed at the first hurdle.