I noticed a while ago on a number of my CMSMS installs (all v2.2.10 +) that the admin log showed some failed logins, but from IP addresses that certainly aren't me nor my clients.
I installed a simple event linked UDT similar to https://cmscanbesimple.org/blog/admin-f ... tification so I now get emails whenever "someone" tries. Sometimes I get 3 or 4 attempts per website per day - nearly always from the Ukraine - they never succeed.
Whenever they try I add yet another IP address to my .htaccess file to block them from trying again - but doubtless they have access to far more IP addresses than I have patience to keep adding to the .htaccess
There is no doubt that it is dumb bot probing mainly because they keep repeating the same failed sign in and also it is only occasional rather than brute force.
If this keeps up I'll change the game rather than keep playing the "add to htaccess block list" game. I am aware that I can easilly
- Rename the /admin folder they know it is cmsms therefore the know admin access is via URL with a "/admin" suffix - so I can rename the folder and update config file - and then just revert to the /admin/ naming whenever I do a core upgrade
- Other easy win would be to add a .htaccess within /admin that limits access to only a very short list of IP locations approved to do admin - probably less than 10 fixed public IP addresses that either I or my clients do admin from - and it is easy to edit this list if I need to do some admin from a bespoke location