What a botnet attack looks like and what you can do about it
To see what is hitting my sites, I watched the Apache domain logs of every site at once and kept only the POST requests:
tail -f -n50 /usr/local/apache/domlogs/* | egrep "POST"
And here is what the result looks like:
I have about 10 WordPress sites, and in that output roughly every 2 seconds a request arrives that submits the login form on pretty much every one of them. Each request looks like this:
201.245.226.147 - - [13/May/2013:20:45:23 -0400] "POST /wp-login.php HTTP/1.0" 200 3390 "http://www.example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
This is a typical case of a programmable botnet in action. All of these requests come from "innocent" infected machines that are doing whatever the remote botnet owner commands them to do. In this case, trying to guess the passwords to my sites.
And YOURS TOO!
If you check your raw Apache logs (presuming your websites are somewhat ranked and attract half-decent traffic), you'll see a similar picture.
We are all under constant attack; botnets and scammers are trying to break into our machines day and night.
How to protect ourselves?
Here's what I did:
1. I added a free CAPTCHA plugin to every form on each of my WordPress sites. This is super simple, and now the botnet's task is much more complicated.
2. Every attacking IP is different, so I cannot block them at the iptables level. But I noticed that the User-Agent string these bots send is the same:
So I edited my .htaccess file in this manner (the botnet blocker goes above the standard WordPress block so it is evaluated first):
# Botnet blocker
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Only login form submissions...
RewriteCond %{REQUEST_METHOD} POST
# ...sent with the exact User-Agent the bots use (case-insensitive)...
RewriteCond %{HTTP_USER_AGENT} Mozilla/5\.0\ \(Windows\ NT\ 6\.1;\ rv\:19\.0\)\ Gecko/20100101\ Firefox/19\.0 [NC]
# ...to the login page get a 403 Forbidden instead of reaching WordPress.
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteRule .* - [F]
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
That rule answers the bot with a 403 before WordPress and PHP are ever loaded, which turns it away and saves my server's CPU and bandwidth.
3. If your website has an SSL certificate, add this to your wp-config.php so that the login form and the admin area are always served over HTTPS and the password is not sent in plain text:
define('FORCE_SSL_ADMIN', true);
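To make the pattern in the log above measurable rather than eyeballed, here is an added example that is not part of the original post: a small Python script that parses Apache combined-format log lines, keeps only POSTs to wp-login.php, and reports the three signals that separate a botnet from one person retyping a password (many source addresses, one shared User-Agent, a machine-regular cadence). The log lines it runs over are constructed for the example, with addresses from the documentation ranges; the User-Agent string is the one quoted in the post. The thresholds in is_distributed_bruteforce and the blocker_rule helper that renders the post's mod_rewrite block for whatever User-Agent dominates are my own choices, not anything from the author or WordPress. One caveat the post does not spell out: the User-Agent is whatever the bot chooses to send, so the rule works only until the operator changes that string; it is a cheap filter to combine with the CAPTCHA, not a substitute for it.

```python
"""Spot a distributed wp-login.php brute force in Apache combined logs.

Added example, not code from the original post. The log lines are
constructed to mirror the pattern the post describes; the addresses come
from the RFC 5737 documentation ranges, not from a real attack.
"""
import re
import statistics
from collections import Counter
from datetime import datetime

BOT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"  # quoted in the post
HUMAN_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0"  # constructed


def _bot_line(ip, second):
    """One constructed bot request, identical apart from source IP and timestamp."""
    return (f'{ip} - - [13/May/2013:20:45:{second:02d} -0400] "POST /wp-login.php HTTP/1.0" '
            f'200 3390 "http://www.example.com/wp-login.php" "{BOT_UA}"')


# Constructed sample: one human visitor, six bots from six addresses posting to
# wp-login.php two seconds apart with one shared User-Agent, and one truncated
# line of the kind a live tail -f can hand you.
SAMPLE_LOG = "\n".join([
    f'203.0.113.10 - - [13/May/2013:20:45:20 -0400] "GET / HTTP/1.1" 200 5120 "-" "{HUMAN_UA}"',
    *(_bot_line(ip, s) for ip, s in zip(
        ["198.51.100.7", "192.0.2.44", "203.0.113.88", "198.51.100.201", "192.0.2.9", "203.0.113.150"],
        range(23, 35, 2))),
    f'203.0.113.10 - - [13/May/2013:20:45:35 -0400] "GET /wp-login.php HTTP/1.1" 200 3390 "-" "{HUMAN_UA}"',
    '192.0.2.250 - - [13/May/2013:20:45:',  # truncated: must be skipped, not crash the parser
    f'203.0.113.10 - - [13/May/2013:20:45:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "{HUMAN_UA}"',
])

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^" ]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def login_posts(log_text):
    """Keep only POSTs to wp-login.php, in time order; unparsable lines are skipped."""
    events = [r for r in map(parse_line, log_text.splitlines())
              if r and r["method"] == "POST" and r["path"].endswith("/wp-login.php")]
    events.sort(key=lambda r: r["ts"])
    return events


def summarize(events):
    """Aggregate the signals: request count, distinct IPs, per-UA counts, median gap."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    return {
        "requests": len(events),
        "distinct_ips": len({e["ip"] for e in events}),
        "by_ua": Counter(e["ua"] for e in events),
        "median_gap_seconds": statistics.median(gaps) if gaps else None,
    }


def dominant_user_agent(summary):
    """The User-Agent behind most of the login POSTs, or None if there were none."""
    top = summary["by_ua"].most_common(1)
    return top[0][0] if top else None


def is_distributed_bruteforce(summary, min_requests=5, min_ip_share=0.5, min_ua_share=0.8):
    """Flag a burst where most requests come from different IPs yet share one User-Agent.
    A human retrying a password is one IP; a botnet is many IPs and one UA.
    The thresholds are arbitrary starting points for this example, not tuned values."""
    n = summary["requests"]
    if n < min_requests:
        return False
    top_count = summary["by_ua"].most_common(1)[0][1]
    return summary["distinct_ips"] / n >= min_ip_share and top_count / n >= min_ua_share


_APACHE_SPECIAL = set(r'.^$*+?()[]{}|\ ')  # regex metacharacters plus the space Apache needs escaped


def apache_ua_pattern(ua):
    """Escape a literal User-Agent for RewriteCond %{HTTP_USER_AGENT}, as in the post's rule."""
    return "".join("\\" + c if c in _APACHE_SPECIAL else c for c in ua)


def blocker_rule(ua):
    """Render the post's mod_rewrite block for a given User-Agent (hypothetical helper)."""
    return "\n".join([
        "RewriteEngine On",
        "RewriteCond %{REQUEST_METHOD} POST",
        f"RewriteCond %{{HTTP_USER_AGENT}} {apache_ua_pattern(ua)} [NC]",
        "RewriteCond %{REQUEST_URI} wp-login\\.php",
        "RewriteRule .* - [F]",
    ])


if __name__ == "__main__":
    summary = summarize(login_posts(SAMPLE_LOG))
    print(f"{summary['requests']} login POSTs from {summary['distinct_ips']} IPs, "
          f"median gap {summary['median_gap_seconds']}s")
    if is_distributed_bruteforce(summary):
        print("Looks like a botnet; .htaccess rule for the dominant User-Agent:")
        print(blocker_rule(dominant_user_agent(summary)))
```

On a real server, feed it the output of `cat /usr/local/apache/domlogs/*` instead of SAMPLE_LOG; the query-string stripping and the skip of unparsable lines matter there because live logs are rarely as tidy as the sample. The generated rule omits the `\:` escape the post uses because a colon has no special meaning in Apache's regex; both spellings match the same User-Agent.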
Hope it helps a bit!
Gleb
www.bestinsuranceguru.com