
Admin Security

Posted: Tue Feb 11, 2020 11:21 pm
by MantaPro
Anyone else experiencing "bots" trying to log in to Admin?

I noticed a while ago on a number of my CMSMS installs (all v2.2.10 +) that the admin log showed some failed logins, but from IP addresses that certainly aren't me nor my clients.

I installed a simple event linked UDT similar to ... tification so I now get emails whenever "someone" tries. Sometimes I get 3 or 4 attempts per website per day - nearly always from the Ukraine - they never succeed.

Whenever they try I add yet another IP address to my .htaccess file to block them from trying again - but doubtless they have access to far more IP addresses than I have patience to keep adding to the .htaccess.

There is no doubt that it is dumb bot probing mainly because they keep repeating the same failed sign in and also it is only occasional rather than brute force.

If this keeps up I'll change the game rather than keep playing the "add to htaccess block list" game. I am aware that I can easily:
  • Rename the /admin folder - they know it is cmsms, therefore they know admin access is via URL with a "/admin" suffix - so I can rename the folder and update the config file - and then just revert to the /admin/ naming whenever I do a core upgrade
  • Other easy win would be to add a .htaccess within /admin that limits access to only a very short list of IP locations approved to do admin - probably less than 10 fixed public IP addresses that either I or my clients do admin from - and it is easy to edit this list if I need to do some admin from a bespoke location
So yes I have options - but if these are bots and they are programmed to recognise cmsms (and doubtless WP; 4square; WIX etc etc) then presumably many others here are also getting failed login probing on your installs too?
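
The per-folder allowlist described in the post above, shown next to the denylist it would replace, as an added example that is not part of the original thread. It assumes Apache 2.4 syntax; every address is a constructed documentation value, not one taken from the posters' logs.

```apache
# /admin/.htaccess  (added example; all addresses are constructed placeholders)
# Assumes Apache 2.4 with mod_authz_core and mod_authz_host, and
# "AllowOverride AuthConfig" (or All) for this directory. With AllowOverride None
# the file is ignored; with an override that excludes AuthConfig Apache returns 500.

# Denylist approach described in the post: every new bot address needs another
# line, and any address not yet listed still reaches the login form.
#<RequireAll>
#    Require all granted
#    Require not ip 192.0.2.15
#    Require not ip 192.0.2.77
#</RequireAll>

# Allowlist approach: only the short list of known admin addresses gets through.
# Everyone else receives 403 before the CMSMS login script runs, so no failed
# login is recorded and no notification mail is sent for them.
<RequireAny>
    # Fixed office address (constructed)
    Require ip 203.0.113.10
    # Client's fixed address (constructed)
    Require ip 203.0.113.24
    # Small static block, CIDR notation (constructed)
    Require ip 198.51.100.0/29
</RequireAny>
```

If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address rather than the visitor's unless mod_remoteip is configured, so check which address appears in the access log before relying on this list.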

Re: Admin Security

Posted: Thu Feb 13, 2020 11:47 pm
by paulbaker
I use the admin login notification code you linked to on most of my sites. I only see correct logins or logins where a legitimate user gets their password wrong and a few seconds later gets it correct.

I always rename the admin folder. To me it's a no-brainer. So easy to do and so difficult for an attacker to guess what you have renamed it to. They can't break in through the front door if they can't find the front door in the first place. ;)

Re: Admin Security

Posted: Fri Feb 14, 2020 2:37 pm
by JamesT
MantaPro wrote: Anyone else experiencing "bots" trying to log in to Admin?
Actually, yes. Plenty of "admin" login attempts starting Feb 11, I've not noticed this before.

Source IP ranges are (TurkTelekom) and (Vodafone Net DSL Block - MANISA).

Re: Admin Security

Posted: Fri Feb 14, 2020 6:41 pm
by JamesT
I don't even have a user called "admin", so they failed at the first hurdle.