Knock, Knock said the Bot

Bad Bots are knocking on your website door

Brute Force Login Attacks: Blocking Bad Bots

What is a brute force login attack?

A brute force attack typically involves automated software (bots) making repeated attempts to access their target. In the case of brute force login attacks, this is usually against the wp-login.php page.
The bots repeatedly try different combinations of user names (e.g. admin, administrator, etc.) and passwords in an attempt to log in to your website.
If successful, they can (depending on the permissions granted to the compromised user account) install malware, a keylogger (to capture keystrokes) or even ransomware.
In the last week I’ve successfully dealt with brute force login attempts against two different websites.
Now if you run WordPress on your site, you might think, no big deal, I have a plugin installed (e.g. Wordfence, iThemes, etc.) so nothing to worry about. WRONG.
You might also think, I’ve got premium hosting support, so I’m protected. NOPE.
Both client sites had a security plugin, premium support and more, i.e. WAF (web application firewall) and a reverse proxy (Cloudflare). 
Now to be sure, the above security measures DID perform as they should and helped to mitigate the effects of the attacks.

BUT here’s the problem.

Even if brute force attempts against your login are effectively blocked, they can still suck the life out of your server’s processor and/or bandwidth.
And this can result in legitimate accounts being locked out, site access slowing to a crawl, bandwidth limits being exceeded (more about this below) and potentially other annoying or profit-damaging effects.

How to protect your website from brute force login attacks.

First the bad news. It’s simply impossible to prevent any public facing website from ever experiencing these brute force attacks. 
Blocking these attempts is not too difficult if your site is running WordPress. Follow the steps below.

Install a WordPress security plugin

You can install a security plugin such as Wordfence Security, iThemes Security, All In One WP Security & Firewall, etc. Most of these are capable of blocking brute force login attempts. However, this should be your last line of defense.

Enable cPHulk Brute Force Protection in WHM.

WHM/cPanel provides the cPHulk Brute Force Protection service to monitor and block automated software attacks against:

  • cPanel services (Port 2083).
  • WHM services (Port 2087).
  • Mail services (Dovecot® and Exim).
  • The PureFTPd service.
  • Secure Shell (SSH) access.

Make sure cPHulk is enabled in WHM as displayed in the following image.

[Image: Enable cPHulk Brute Force Protection service in WHM]

Once enabled, you can view events in the log file (cphulkd.log) located here: /usr/local/cpanel/logs
Note that you will need root access permissions.

Here’s what a brute force event may look like in the log. Note that the remote IP is highlighted in red. The image captures only a small part of all these attempts from the same remote IP.

[Image: cPHulk brute force login attacks in events]

Now that we have identified the attacking IP, we have a couple of options to enhance our protection against future brute force attacks.
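One way to pull the attacking addresses out of a log file on the command line, as an added example that is not part of the original post. It is format-agnostic (it does not assume the real cphulkd.log layout), and the sample lines and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: rank the source addresses that appear in a login-failure log.
# It extracts every IPv4-looking token, so it does not depend on the exact
# layout of cphulkd.log (other dotted numbers on a line would be counted too).

IP_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# write_sample_log FILE: constructed lines, NOT real cPHulk output.
write_sample_log() {
    cat > "$1" <<'EOF'
[t1] failed login user=admin remote=203.0.113.10
[t2] failed login user=admin remote=203.0.113.10
[t3] failed login user=administrator remote=203.0.113.10
[t4] failed login user=admin remote=203.0.113.11
[t5] failed login user=root remote=203.0.113.11
[t6] failed login user=admin remote=203.0.113.12
[t7] failed login user=editor remote=198.51.100.7
EOF
}

# summarize_sources FILE [MIN]: "COUNT ADDRESS" for addresses seen >= MIN times.
summarize_sources() {
    local log="$1" min="${2:-5}"
    grep -oE "$IP_RE" "$log" | sort | uniq -c | sort -rn \
        | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# summarize_networks FILE [MIN]: the same count grouped by /24, which exposes
# a bot that rotates through neighbouring addresses to dodge single-IP blocks.
summarize_networks() {
    local log="$1" min="${2:-5}"
    grep -oE "$IP_RE" "$log" \
        | awk -F. '{ print $1 "." $2 "." $3 ".0/24" }' \
        | sort | uniq -c | sort -rn \
        | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
summarize_sources "$sample" 3     # per-address view
summarize_networks "$sample" 5    # per-/24 view
rm -f "$sample"
```

On the real server, point the functions at the log under /usr/local/cpanel/logs while logged in as root.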

Block brute force login attacks in your server firewall

From the information gathered above, we can block the offending remote IP. While this will block that IP from future attacks, hackers and bots typically have a large number of IP addresses available. So while blocking a single IP may be helpful, it can easily be bypassed.

But from the offending IP, we can determine the country of origin. Then, if your site does not receive sales or other benefits from that country, we can block the entire country. This can be done in your server’s firewall.

Ask your web hosting support to block the country via the iptables utility as it is less resource intensive than doing so through Apache.
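A sketch of what such a country block can look like on the server, as an added example that is not from the original post. It pairs iptables with ipset (an addition here, since one set lookup scales better than thousands of individual rules); the set name, the zone file of CIDR ranges and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: turn a list of CIDR ranges into input for `ipset restore`.
# SET_NAME and the zone file are assumptions; obtain the country's ranges
# from a source you trust.

SET_NAME="blocked_country"   # hypothetical set name

# write_sample_zone FILE: constructed ranges (documentation networks only).
write_sample_zone() {
    cat > "$1" <<'EOF'
# constructed sample zone file
203.0.113.0/24
198.51.100.0/24

not-a-cidr
192.0.2.0/33
EOF
}

# build_ipset_restore ZONEFILE
# Emits `ipset restore` commands; skips blanks and comments, and reports
# malformed entries on stderr instead of passing them to the firewall.
build_ipset_restore() {
    local zone="$1"
    echo "create $SET_NAME hash:net family inet"
    awk -v set="$SET_NAME" '
        /^[ \t]*(#|$)/ { next }
        {
            ok = ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/)
            split($1, p, "[./]")
            for (i = 1; ok && i <= 4; i++) if (p[i] + 0 > 255) ok = 0
            if (ok && p[5] + 0 > 32) ok = 0
            if (ok) print "add " set " " $1
            else    print "skipped: " $1 > "/dev/stderr"
        }' "$zone"
}

# Demo on the constructed sample (prints the commands, changes nothing).
zone=$(mktemp)
write_sample_zone "$zone"
build_ipset_restore "$zone"
rm -f "$zone"

# To apply as root (not run here):
#   build_ipset_restore /path/to/country.zone | ipset -exist restore
#   iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
```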

Use an external firewall to filter traffic before it gets to your server

Implementing the steps above will go a long way to mitigating the effects of brute force login attacks against your website. However, server resources will still be consumed in the process.

To protect our server and its resources further, we can implement an external firewall. Examples are Incapsula, Sucuri and the one we’ll be using here, the free version of Cloudflare.

Using the free version of Cloudflare, we can block the same IP(s) that we blocked on our server via the server firewall or the WordPress security plugin. This will give us an extra layer of protection and, best of all, won’t require using any of our server’s resources to do so.

Here’s what that would look like, after logging in to Cloudflare.

[Image: block IP via Cloudflare]

But just like on our server firewall, we can take this a step further by “Challenging” the entire country where the IP address originates.

However, unlike our server firewall where we can actually block a country, in Cloudflare, country blocking requires the Enterprise version of Cloudflare, a far too expensive proposition for the average business.

But using the free version of Cloudflare, we can still “challenge” all site visitors (and bots) attempting to access our site. Configuring a Challenge rule in the Cloudflare firewall will present a captcha that must be solved. Doing so at the country level will apply this captcha rule to all attempts from that country. While some sophisticated bots and/or manual attempts may successfully bypass the captcha and gain access to your site, the majority of bad bots will fail the captcha or simply move on to an easier target.

This is what a country “Challenge” looks like in the Cloudflare firewall.

[Image: Cloudflare country challenge]

and once activated, we can see the results of this rule in our Events tab:

[Image: Cloudflare country blocking events]

In conclusion

While doing any one of the above may prove effective against brute force login attempts, using all of these steps will give us “defense in depth” using a layered approach while mitigating our current as well as future server resource usage in the process.

Bonus Tip: Monitor attacks with real-time notifications

How to get real-time notifications of brute force attacks (or other critical notifications) against your website login.

Log in to WHM and in the search box, search for contact.

Click on Contact Manager in the left menu

[Image: monitor brute force login attacks using server notifications]

At a minimum, you should configure notifications via email and SMS.

Here’s the format to get email notifications via SMS for some of the major carriers. Contact your carrier if it’s not listed.

[Image: send email via SMS]

