Knock, Knock said the Bot
Bad Bots are knocking on your website door
Brute Force Login Attacks: Blocking Bad Bots
What is a brute force login attack?
BUT here’s the problem.
How to protect your website from brute force login attacks.
Install a WordPress security plugin
Enable cPHulk Brute Force Protection in WHM.
WHM/cPanel provides the cPHulk Brute Force Protection service to monitor and block automated software attacks against:
- cPanel services (Port
- WHM services (Port
- Mail services (Dovecot® and Exim).
- The PureFTPd service.
- Secure Shell (SSH) access.
Make sure cPHulk is enabled in WHM as displayed in the following image.
Once enabled, you can view events in the log file (cphulkd.log) located here: /usr/local/cpanel/logs
Note that you will need root access permissions.
Here’s what a brute force event may look like in the log. Note that the remote IP is highlighted in red. The image captures only a small part of all these attempts from the same remote IP.
Now that we have identified the attacking IP, we have a couple of options to strengthen our protection against future brute force attacks.
Block brute force login attacks in your server firewall
From the information gathered above, we can block the offending remote IP. While this will block that IP from future attacks, hackers and bots typically have a large number of IP addresses available. So while blocking a single IP may be helpful, it can easily be bypassed.
But, from the offending IP, we can determine the country of origin. Then, if your site does not receive sales or other benefits from that country, we can block the entire country. This can be done in your server’s firewall.
Ask your web hosting support to block the country via the iptables utility as it is less resource intensive than doing so through Apache.
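To see why a single-IP block is easy to bypass, the following added example (not part of the original post, and not cPanel's own tooling) tallies failed logins per address and per /24 network from log lines. The sample lines are constructed and do not reproduce the real cphulkd.log layout; the script assumes only that a failed-attempt line contains the word "failed" and that the first IPv4 address on it is the remote IP.

```python
import ipaddress
import re
from collections import Counter

# Dotted-quad candidates; ipaddress does the real validation afterwards.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed sample lines, NOT real cPHulk output (the real layout may differ).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10:00:01 failed login service=dovecot user=info remote=203.0.113.7
10:00:02 failed login service=dovecot user=admin remote=203.0.113.7
10:00:03 failed login service=dovecot user=sales remote=203.0.113.7
10:00:04 failed login service=ftp user=admin remote=203.0.113.7
10:00:05 failed login service=ssh user=root remote=203.0.113.8
10:00:06 failed login service=ssh user=root remote=203.0.113.9
10:00:07 failed login service=ssh user=root remote=203.0.113.10
10:00:08 failed login service=cpanel user=bob remote=198.51.100.20
10:00:09 successful login service=cpanel user=bob remote=198.51.100.20
10:00:10 failed login service=ssh user=root remote=999.1.1.1
""".splitlines()

def failed_attempts(lines, marker="failed"):
    """Yield the first valid IPv4 address on each line containing `marker`."""
    for line in lines:
        if marker not in line.lower():
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue  # not a real address, e.g. 999.1.1.1
            yield ip
            break

def summarize(lines, min_hits=3):
    """Return ({ip: hits}, {/24 network: hits}) for sources at or above min_hits."""
    per_ip = Counter(failed_attempts(lines))
    per_net = Counter()
    for ip, hits in per_ip.items():
        per_net[ipaddress.ip_network(f"{ip}/24", strict=False)] += hits
    noisy_ips = {str(ip): n for ip, n in per_ip.items() if n >= min_hits}
    noisy_nets = {str(net): n for net, n in per_net.items() if n >= min_hits}
    return noisy_ips, noisy_nets

if __name__ == "__main__":
    ips, nets = summarize(SAMPLE_LOG)
    print("Per-IP:", ips)
    print("Per-/24:", nets)
```

In the sample, only one address crosses the per-IP threshold, while the /24 view also picks up the three sibling addresses that tried once each.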
Use an external firewall to filter traffic before it gets to your server
Implementing the steps above will go a long way to mitigating the effects of brute force login attacks against your website. However, server resources will still be consumed in the process.
To protect our server and its resources further, we can implement an external firewall. Examples are Incapsula, Sucuri and the one we’ll be using here, the free version of Cloudflare.
Using the free version of Cloudflare, we can block the same IP(s) that we blocked on our server via the server firewall or the WordPress security plugin. This will give us an extra layer of protection and, best of all, won’t require using any of our server’s resources to do so.
Here’s what that would look like, after logging in to Cloudflare.
But just like on our server firewall, we can take this a step further by “Challenging” the entire Country where the IP address originates.
However, unlike our server firewall where we can actually block a country, in Cloudflare, country blocking requires the Enterprise version of Cloudflare, a far too expensive proposition for the average business.
But using the free version of Cloudflare, we can still “challenge” all site visitors (and bots) attempting to access our site. Configuring a Challenge rule in the Cloudflare firewall will present a captcha that must be solved. Doing so at the Country level will enforce this captcha rule on all attempts from that Country. While some sophisticated bots and/or manual attempts may successfully bypass the captcha and gain access to your site, the majority of bad bots will fail the captcha or simply move on to an easier target.
This is what a country “Challenge” looks like in the Cloudflare firewall.
Once activated, we can see the results of this rule in our Events tab:
While doing any one of the above may prove effective against brute force login attempts, using all of these steps will give us “defense in depth” using a layered approach while mitigating our current as well as future server resource usage in the process.
Bonus Tip: Monitor attacks with real-time notifications
How to get real-time notifications of brute force attempts (or other critical notifications) against your website login.
Log in to WHM and in the search box, search for contact.
Click on Contact Manager in the left menu.
At a minimum, you should configure notifications via email and SMS.
Here’s the format to get email notifications via SMS for some of the major carriers. Contact your carrier if it’s not listed.
Done for You Security
Own a local business in the US? If you own a local service business, e.g. HVAC, plumbing, electrical or another building trade, get this level of done for you security for FREE when you sign up for one of my LOCAL marketing packages. Click to schedule a quick phone call to see if we’re a fit.