brute force attack on /admin
Posted: Fri Jan 08, 2021 4:17 pm
by hostking
We have a strange issue. Hoping someone has a modsecurity rule or something to stop this on our shared hosting servers. We already implemented a Captcha on the login page of the site, but it does not seem to stop this.
We tried three different modsecurity rulesets, OWASP, Comodo and even Atomic (PAID), and none seem to stop this attack on the /admin folder.
I assume we may have to use some regular expression, but my knowledge of that is not so good.
Unless someone can recommend a technique or way to stop this across multiple websites on a server?
180.252.180.250 - - [08/Jan/2021:10:15:43 +0200] "POST /admin/ HTTP/1.1" 406 455 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
122.173.51.255 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
106.201.153.52 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
82.213.229.161 - - [08/Jan/2021:10:15:49 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
Re: brute force attack on /admin
Posted: Fri Jan 08, 2021 9:18 pm
by ADD Creative
Is creating an allow list of IP addresses and denying access to IP addresses not on that list an option?
Is renaming the admin folder an option?
Also see: https://github.com/opencart/opencart/issues/8710
Re: brute force attack on /admin
Posted: Fri Jan 08, 2021 9:45 pm
by JNeuhoff
Create an 'admin/.htaccess' file with this in it:
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is your IP address from which to access your OpenCart admin backend. Nobody else will be able to access your OpenCart admin; they get 403s instead!
Re: brute force attack on /admin
Posted: Fri Jan 08, 2021 10:00 pm
by straightlight
JNeuhoff wrote: ↑Fri Jan 08, 2021 9:45 pm
Create an 'admin/.htaccess' file with this in it:
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is your IP address from which to access your OpenCart admin backend. Nobody else will be able to access your OpenCart admin; they get 403s instead!
By returning a 403 response, however, invaders are also made aware that there's an implicit deny in place in the meantime.
Re: brute force attack on /admin
Posted: Fri Jan 08, 2021 10:29 pm
by IP_CAM
Or use something like this; it's a relatively simple but very efficient way to keep 'em from giving you a hard time. I have used a similar mod for years ...
(OCMOD) Secure Admin URL
Set the Key and additional value to protect your Admin URL preventing unauthorized entry.
https://www.opencart.com/index.php?rout ... n_id=40693
Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 1:53 am
by johnp
Stick the free version of Ninja Firewall on. I use it on all my OC sites.
https://nintechnet.com/ninjafirewall/pro-edition/
Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 4:46 am
by IP_CAM
johnp wrote: ↑Sat Jan 09, 2021 1:53 am
Stick the free version of Ninja Firewall on. I use it on all my OC sites.
Well, I tried their test site, but despite adding their 'robots' content, it told me that it was not able to find their 'entry' in my robots file.
I still rely on my .htaccess file, blocking about 750'000 IP addresses so far, to keep my sites working. I again had an attack attempt last night, mainly from Russian and some South American IPs, with no site errors except for leaving their IPs in my logs. It just resulted in adding about 45 IP blocks, like 3.133.99 (= 11'475 IPs), more to the .htaccess file. In addition to 'redirecting' every single 'link', to avoid such from ever accessing the site again, wherever it might come from ...

It's just one of the daily jobs, if one really cares, to keep a site alive ...
---

Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 4:49 am
by johnp
I wouldn't be without it Ernie. Download the free one and give it a try. It's very good.

Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 7:05 am
by EvolveWebHosting
Astra is another great option if you're willing to pay for a license. Going to suggest that everyone stays clear of Comodo.
Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 7:14 am
by straightlight
EvolveWebHosting wrote: ↑Sat Jan 09, 2021 7:05 am
Astra is another great option if you're willing to pay for a license. Going to suggest that everyone stays clear of Comodo.
They do seem to have pretty good ratings on Google, so far. However, their plans seem to be per-process pretty much instead of offering these plans by recurring packages.
Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 9:09 am
by Cue4cheap
johnp wrote: ↑Sat Jan 09, 2021 4:49 am
I wouldn't be without it Ernie. Download the free one and give it a try. It's very good.
I must be blind because I don't see a free version....
Mike
Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 9:40 am
by IP_CAM
I must be blind because I don't see a free version...
Same for me. I found that czar_astra_oc1.5.xml on the OC Extension site, but that's good for nothing, as it looks ....

Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 6:50 pm
by johnp
Visit the page below. There's a download link at the bottom of the comparison table.
https://nintechnet.com/ninjafirewall/pro-edition
If anyone needs it I've got a zip file of the free one and can share if you PM me.
Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 7:07 pm
by EvolveWebHosting
straightlight wrote: ↑Sat Jan 09, 2021 7:14 am
EvolveWebHosting wrote: ↑Sat Jan 09, 2021 7:05 am
Astra is another great option if you're willing to pay for a license. Going to suggest that everyone stays clear of Comodo.
They do seem to have pretty good ratings on Google, so far. However, their plans seem to be per-process pretty much instead of offering these plans by recurring packages.
I am not sure what you mean by this. It's a monthly or annual license, per domain. Unlimited scans and cleanups. Our pricing is actually a little bit lower than you can get directly from them and anyone can purchase it through us, even if you aren't hosting your site with us.
Re: brute force attack on /admin
Posted: Sat Jan 09, 2021 7:59 pm
by johnp
On my OC sites I always use Cidram to block traffic from bad sources and Ninja Firewall to block SQL injections etc. Yes they're not officially supported by Opencart but they work for me and so far I've not had a site hacked or slowed down with them on. My clients aren't bothered about what I use. They just want their sites up and secure. Each to their own but that's my approach.

Re: brute force attack on /admin
Posted: Wed Jan 20, 2021 8:22 pm
by YDA
Hi,
In one of my .htaccess files I have this:
<Files *>
<RequireAll>
Require all granted
# Cambodia (KH)
Require not ip 114.134.184.0/21
# Chinese (CN) IP addresses follow (split into two lines on 7/6/17 to avoid possible Server 500 due to excess line length):
Require not ip 1.24.0.0/13 1.48.0.0/15 1.50.0.0/16 1.56.0.0/13 1.68.0.0/14 1.80.0.0/13 1.92.0.0/14 1.180.0.0/14 1.188.0.0/14 1.192.0.0/13 1.202.0.0/15 1.204.0.0/14 14.16.0.0/12 14.104.0.0/13 14.112.0.0/12 14.134.0.0/15 14.144.0.0/12 14.204.0.0/15 14.208.0.0/12 23.80.54.0/24 23.104.141.0/24 23.105.14.0/24 23.226.208.0/24 27.8.0.0/13 27.16.0.0/12 27.36.0.0/14 27.40.0.0/13 27.50.128.0/17 27.54.192.0/18 27.106.128.0/18 27.115.0.0/17 27.148.0.0/14 27.152.0.0/13 27.184.0.0/13 27.192.0.0/11 27.224.0.0/14 36.1.0.0/16 36.4.0.0/14 36.26.0.0/16 36.32.0.0/14 36.36.0.0/16 36.40.0.0/13 36.48.0.0/15 36.56.0.0/13 36.96.0.0/11 36.128.0.0/11 36.248.0.0/14 39.64.0.0/11 39.96.0.0/13 39.128.0.0/10 42.4.0.0/14 42.48.0.0/13 42.56.0.0/14 42.84.0.0/14 42.88.0.0/13 42.96.128.0/17 42.100.0.0/14 42.120.0.0/14 42.156.0.0/16 42.176.0.0/13 42.185.0.0/16 42.202.0.0/15 42.224.0.0/12 42.240.0.0/16 42.242.0.0/15 42.248.0.0/15 43.226.64.0/20 43.255.0.0/20 43.255.16.0/22 43.255.48.0/22 43.255.60.0/22 43.255.64.0/20 43.255.96.0/20 43.255.144.0/22 43.255.168.0/22 43.255.176.0/22 43.255.184.0/22 43.255.192.0/22 43.255.200.0/21 43.255.208.0/21 43.255.224.0/21 43.255.232.0/22 43.255.244.0/22 47.74.0.0/15 47.76.0.0/14 47.80.0.0/13 47.88.0.0/14 47.92.0.0/14 49.5.0.0/16 49.64.0.0/11 49.112.0.0/13 54.222.0.0/15 58.16.0.0/14 58.20.0.0/16 58.21.0.0/16 58.22.0.0/15 58.34.0.0/16 58.37.0.0/16 58.38.0.0/16 58.40.0.0/16 58.42.0.0/16 58.44.0.0/14 58.48.0.0/13 58.56.0.0/14 58.60.0.0/14 58.68.128.0/17 58.82.0.0/15 58.100.0.0/15 58.116.0.0/14 58.128.0.0/13 58.208.0.0/12 58.240.0.0/13 58.248.0.0/13 59.32.0.0/12 59.48.0.0/14 59.52.0.0/14 59.56.0.0/13 59.72.0.0/16 59.108.0.0/15 59.172.0.0/14 60.0.0.0/12 60.11.0.0/16 60.12.0.0/14 60.16.0.0/13 60.24.0.0/13 60.160.0.0/11 60.194.0.0/15 60.205.0.0/16 60.208.0.0/12 60.253.128.0/17 61.4.64.0/20 61.4.80.0/22 61.4.176.0/20 61.48.0.0/13 61.128.0.0/10 61.135.0.0/16 61.136.0.0/18 61.139.0.0/16 61.145.73.208/28 61.147.0.0/16 61.150.0.0/16 61.152.0.0/16 61.154.0.0/16 61.158.0.0/16 
Require not ip 61.160.0.0/16 61.162.0.0/15 61.164.0.0/16 61.172.0.0/15 61.175.0.0/16 61.177.0.0/16 61.179.0.0/16 61.183.0.0/16 61.184.0.0/16 61.185.219.232/29 61.187.0.0/16 61.188.0.0/16 61.232.0.0/14 61.236.0.0/15 61.240.0.0/14 94.191.0.0/17
Require not ip 101.16.0.0/12 101.37.0.0/16 101.64.0.0/13 101.72.0.0/14 101.76.0.0/15 101.80.0.0/12 101.132.0.0/15 101.200.0.0/15 101.224.0.0/13 101.248.0.0/15 101.254.0.0/16 103.211.164.0/22 103.253.4.0/22 106.4.0.0/14 106.8.0.0/15 106.12.0.0/14 106.16.0.0/12 106.32.0.0/12 106.43.0.0/16 106.56.0.0/13 106.74.0.0/15 106.80.0.0/12 106.108.0.0/14 106.112.0.0/13 106.120.0.0/13 110.6.0.0/15 110.16.0.0/14 110.51.0.0/16 110.52.0.0/15 110.80.0.0/13 110.88.0.0/14 110.96.0.0/11 110.152.0.0/14 110.156.0.0/15 110.166.0.0/15 110.173.0.0/19 110.173.32.0/20 110.173.64.0/18 110.176.0.0/14 110.184.0.0/13 110.192.0.0/11 110.228.0.0/14 110.240.0.0/12 111.0.0.0/10 111.72.0.0/13 111.85.0.0/16 111.112.0.0/15 111.120.0.0/14 111.124.0.0/16 111.126.0.0/15 111.128.0.0/11 111.160.0.0/13 111.172.0.0/14 111.176.0.0/13 111.192.0.0/12 111.224.0.0/14 111.228.0.0/14 112.0.0.0/10 112.64.0.0/14 112.73.0.0/16 112.74.0.0/16 112.80.0.0/12 112.98.0.0/15 112.100.0.0/14 112.109.128.0/17 112.111.0.0/16 112.112.0.0/14 112.116.0.0/15 112.122.0.0/15 112.192.0.0/14 112.224.0.0/11 113.0.0.0/13 113.8.0.0/15 113.12.0.0/14 113.16.0.0/15 113.18.0.0/16 113.54.0.0/15 113.56.0.0/15 113.58.0.0/16 113.59.0.0/17 113.62.0.0/15 113.64.0.0/10 113.120.0.0/13 113.128.0.0/15 113.132.0.0/14 113.136.0.0/13 113.194.0.0/15 113.200.0.0/15 113.204.0.0/14 113.218.0.0/15 113.220.0.0/14 113.224.0.0/12 113.240.0.0/13 113.248.0.0/14 114.28.0.0/16 114.54.0.0/15 114.64.0.0/14 114.80.0.0/12 114.96.0.0/13 114.104.0.0/14 114.112.0.0/14 114.135.0.0/16 114.138.0.0/15 114.215.0.0/16 114.216.0.0/13 114.224.0.0/11 115.24.0.0/15 115.28.0.0/15 115.32.0.0/14 115.48.0.0/12 115.84.0.0/18 115.100.0.0/14 115.148.0.0/14 115.152.0.0/15 115.159.0.0/16 115.166.64.0/19 115.168.0.0/14 115.192.0.0/11 115.224.0.0/12 116.1.0.0/16 116.2.0.0/15 116.4.0.0/14 116.8.0.0/14 116.16.0.0/12 116.52.0.0/14 116.56.0.0/15 116.60.0.0/14 116.76.0.0/15 116.85.0.0/16 116.90.80.0/20 116.95.0.0/16 116.112.0.0/14 116.116.0.0/15 116.128.0.0/10 116.204.0.0/15 116.207.0.0/16 
Require not ip 116.208.0.0/14 116.213.64.0/18 116.213.128.0/17 116.224.0.0/12 116.248.0.0/15 116.252.0.0/15 116.254.128.0/18 117.8.0.0/13 117.21.0.0/16 117.22.0.0/15 117.24.0.0/13 117.32.0.0/13 117.40.0.0/14 117.44.0.0/15 117.50.0.0/16 117.51.0.0/16 117.57.0.0/16 117.60.0.0/14 117.64.0.0/13 117.79.224.0/20 117.80.0.0/12 117.106.0.0/15 117.112.0.0/13 117.128.0.0/10 118.24.0.0/15 118.26.0.0/16 118.72.0.0/13 118.80.0.0/15 118.89.0.0/16 118.112.0.0/13 118.120.0.0/14 118.124.0.0/15 118.132.0.0/14 118.144.0.0/14 118.180.0.0/14 118.186.0.0/15 118.192.0.0/15 118.194.0.0/16 118.213.0.0/16 118.244.0.0/16 118.248.0.0/13 119.0.0.0/13 119.8.0.0/16 119.10.0.0/17 119.18.192.0/20 119.23.0.0/16 119.28.0.0/15 119.32.0.0/14 119.36.0.0/16 119.39.0.0/16 119.44.0.0/16 119.48.0.0/13 119.57.0.0/16 119.60.0.0/15 119.62.0.0/16 119.84.0.0/14 119.88.0.0/14 119.96.0.0/13 119.108.0.0/15 119.112.0.0/13 119.120.0.0/13 119.128.0.0/12 119.144.0.0/14 119.162.0.0/15 119.164.0.0/14 119.176.0.0/12 119.233.0.0/16 119.248.0.0/14 120.0.0.0/12 120.24.0.0/14 120.30.0.0/15 120.32.0.0/13 120.40.0.0/14 120.68.0.0/14 120.76.0.0/14 120.80.0.0/13 120.92.0.0/16 120.192.0.0/10 121.0.16.0/20 121.4.0.0/15 121.8.0.0/13 121.16.0.0/12 121.32.0.0/14 121.40.0.0/14 121.52.208.0/20 121.52.224.0/19 121.56.0.0/15 121.60.0.0/14 121.68.0.0/14 121.76.0.0/15 121.100.128.0/17 121.196.0.0/14 121.201.0.0/16 121.204.0.0/14 121.224.0.0/12 122.4.0.0/14 122.8.0.0/16 122.10.128.0/17 122.51.128.0/17 122.64.0.0/11 122.96.0.0/15 122.119.0.0/16 122.136.0.0/13 122.156.0.0/14 122.188.0.0/14 122.192.0.0/14 122.198.0.0/16 122.200.64.0/18 122.224.0.0/12 122.240.0.0/13 123.4.0.0/14 123.8.0.0/13 123.52.0.0/14 123.56.0.0/14 123.64.0.0/11 123.97.128.0/17 123.100.0.0/19 123.112.0.0/12 123.128.0.0/13 123.138.0.0/15 123.144.0.0/14 123.148.0.0/15 123.150.0.0/15 123.152.0.0/13 123.160.0.0/14 123.164.0.0/14 123.172.0.0/15 123.178.0.0/15 123.180.0.0/14 123.184.0.0/13 123.196.0.0/15 123.206.0.0/15 123.232.0.0/14 123.244.0.0/14 123.249.0.0/16 124.42.0.0/16 124.64.0.0/15
Require not ip 124.66.0.0/17 124.67.0.0/16 124.72.0.0/13 124.88.0.0/15 124.92.0.0/14 124.112.0.0/15 124.114.0.0/15 124.117.0.0/16 124.118.0.0/15 124.126.0.0/15 124.128.0.0/13 124.152.0.0/16 124.160.0.0/13 124.192.0.0/15 124.200.0.0/13 124.224.0.0/16 124.226.0.0/15 124.228.0.0/14 124.234.0.0/15 124.236.0.0/14 124.240.0.0/17 124.240.128.0/18 124.248.0.0/17 125.32.0.0/14 125.36.0.0/14 125.40.0.0/13 125.64.0.0/12 125.79.0.0/16 125.80.0.0/13 125.88.0.0/13 125.104.0.0/13 125.112.0.0/12 125.210.0.0/15 125.216.0.0/13 132.232.0.0/16 134.175.0.0/16 139.129.0.0/16 139.170.0.0/16 139.189.0.0/16 139.199.0.0/16 139.206.0.0/16 139.208.0.0/13 139.217.0.0/16 139.224.0.0/16 139.226.0.0/15 140.143.0.0/16 140.206.0.0/15 140.224.0.0/16 140.237.0.0/16 140.240.0.0/16 140.246.0.0/16 140.249.0.0/16 140.255.0.0/16 142.4.117.0/30 144.0.0.0/16 144.12.0.0/16 144.52.0.0/16 144.123.0.0/16 144.255.0.0/16 150.109.0.0/16 150.138.0.0/15 150.242.152.0/21 150.242.160.0/21 150.242.168.0/22 153.0.0.0/16 153.99.0.0/16 159.226.0.0/16 162.209.168.0/24 171.8.0.0/13 171.34.0.0/15 171.36.0.0/14 171.40.0.0/13 171.80.0.0/14 171.88.0.0/13 171.104.0.0/13 171.112.0.0/14 171.116.0.0/14 171.120.0.0/13 171.208.0.0/12 175.0.0.0/12 175.16.0.0/13 175.24.0.0/14 175.30.0.0/15 175.42.0.0/15 175.44.0.0/16 175.46.0.0/15 175.48.0.0/12 175.64.0.0/11 175.102.0.0/16 175.106.128.0/17 175.146.0.0/15 175.148.0.0/14 175.152.0.0/14 175.160.0.0/12 175.178.0.0/16 175.184.128.0/18 175.185.0.0/16 175.186.0.0/15 175.188.0.0/14 180.76.0.0/16 180.95.128.0/17 180.96.0.0/11 180.136.0.0/13 180.152.0.0/13 180.160.0.0/12 180.208.0.0/15 180.212.0.0/15 182.18.0.0/17 182.32.0.0/12 182.50.112.0/20 182.61.0.0/16 182.84.0.0/14 182.88.0.0/14 182.96.0.0/12 182.112.0.0/12 182.128.0.0/12 182.144.0.0/13 182.200.0.0/13 182.240.0.0/13 183.0.0.0/10 183.64.0.0/13 183.92.0.0/14 183.128.0.0/11 183.160.0.0/12 183.184.0.0/13 183.192.0.0/10 192.34.109.224/28 198.2.203.64/28 198.2.212.160/28 198.15.171.64/26
Require not ip 202.43.144.0/22 202.46.32.0/19 202.65.96.0/20 202.66.0.0/16 202.75.208.0/20 202.96.0.0/12 202.111.160.0/19 202.112.0.0/14 202.117.0.0/16 202.127.112.0/20 202.165.176.0/20 202.196.80.0/20 203.69.0.0/16 203.81.16.0/20 203.86.0.0/18 203.86.64.0/19 203.93.0.0/16 203.169.160.0/19 203.171.224.0/20 203.195.160.0/23 210.5.0.0/19 210.12.0.0/16 210.14.128.0/19 210.21.0.0/16 210.22.0.0/16 210.32.0.0/14 210.51.0.0/16 210.52.0.0/15 210.75.0.0/16 210.77.0.0/16 210.79.64.0/18 210.192.96.0/19 211.76.96.0/20 211.78.208.0/20 211.80.0.0/13 211.86.144.0/20 211.90.0.0/15 211.92.0.0/14 211.96.0.0/13 211.136.0.0/13 211.144.0.0/12 211.160.0.0/13 211.233.70.0/24 212.64.0.0/17 218.0.0.0/11 218.56.0.0/13 218.64.0.0/11 218.84.0.0/14 218.88.0.0/13 218.96.0.0/14 218.102.0.0/16 218.104.0.0/14 218.108.0.0/15 218.194.80.0/20 218.200.0.0/13 218.240.0.0/13 218.249.0.0/16 219.128.0.0/11 219.154.0.0/15 219.223.192.0/18 219.232.0.0/16 219.234.80.0/20 219.235.0.0/16 219.238.0.0/15 220.112.0.0/16 220.154.0.0/15 220.160.0.0/11 220.181.0.0/16 220.191.0.0/16 220.192.0.0/12 220.228.70.0/24 220.242.0.0/15 220.248.0.0/14 220.250.0.0/19 220.252.0.0/16 221.0.0.0/12 221.122.0.0/15 221.130.0.0/15 221.136.0.0/15 221.172.0.0/14 221.176.0.0/13 221.192.0.0/14 221.196.0.0/15 221.198.0.0/16 221.199.0.0/17 221.200.0.0/14 221.204.0.0/15 221.206.0.0/16 221.207.0.0/16 221.208.0.0/12 221.212.0.0/15 221.214.0.0/15 221.216.0.0/13 221.224.0.0/13 221.228.0.0/14 221.232.0.0/13 222.32.0.0/11 222.64.0.0/12 222.80.0.0/12 222.128.0.0/14 222.132.0.0/14 222.136.0.0/13 222.160.0.0/14 222.168.0.0/13 222.172.222.0/24 222.176.0.0/13 222.184.0.0/13 222.200.0.0/16 222.208.0.0/13 222.216.0.0/14 222.220.0.0/15 222.222.0.0/15 222.240.0.0/13 222.249.0.0/16 223.4.0.0/14 223.8.0.0/13 223.64.0.0/11 223.96.0.0/12 223.112.0.0/14 223.144.0.0/12 223.198.0.0/15 223.214.0.0/15 223.223.176.0/20 223.223.192.0/20 223.255.0.0/17 223.240.0.0/13
# India (IN), Bangladesh (BD) and Pakistan (PK)
Require not ip 1.39.0.0/16 1.186.38.0/24 14.96.0.0/14 14.139.0.0/16 14.140.0.0/14 14.192.52.0/22 14.194.0.0/15 27.4.0.0/14 27.97.0.0/16 27.248.0.0/14 27.255.0.0/18 27.255.128.0/24 39.32.0.0/11 43.246.140.0/24 49.14.0.0/15 49.200.0.0/14 49.248.0.0/17 58.65.128.0/18 59.88.0.0/13 59.96.0.0/14 59.160.0.0/14 59.164.0.0/15 59.176.0.0/13 59.184.0.0/15 61.0.0.0/14 61.247.238.0/24 101.50.64.0/18 101.56.0.0/13 101.212.0.0/16 101.216.0.0/16 103.48.16.0/24 103.56.220.0/22 103.103.56.0/24 103.194.12.0/22 103.194.20.0/22 103.194.24.0/21 103.194.32.0/22 103.214.124.0/22 103.214.128.0/21 103.214.136.0/22 103.240.204.0/22 103.240.208.0/21 103.240.216.0/22 103.243.52.0/22 103.243.56.0/21 106.51.0.0/16 106.76.0.0/14 106.192.0.0/11 110.224.0.0/16 110.227.0.0/16 110.232.248.0/24 111.68.96.0/20 112.110.0.0/16 113.19.0.0/16 113.212.64.0/19 114.31.224.0/20 115.96.0.0/14 115.108.0.0/14 115.112.0.0/13 115.166.128.0/20 115.167.24.0/24 115.240.0.0/12 116.72.0.0/14 116.202.12.0/22 116.203.0.0/16 117.96.0.0/14 117.192.0.0/10 118.151.209.0/24 119.152.0.0/13 119.160.0.0/17 120.56.0.0/13 120.138.98.0/24 121.240.0.0/13 122.15.0.0/16 122.160.0.0/12 122.176.0.0/13 122.184.0.0/14 123.49.0.0/18 123.236.0.0/14 124.123.0.0/16 124.124.0.0/15 124.247.235.0/24 124.253.0.0/16 125.209.64.0/18 139.190.0.0/16 150.242.148.0/22 150.242.172.0/22 171.48.0.0/12 171.76.0.0/14 175.101.0.0/16 180.215.0.0/16 182.18.128.0/18 182.64.0.0/12 182.176.0.0/12 183.82.0.0/15 193.53.87.0/24 202.54.0.0/16 202.63.160.0/19 202.87.240.0/20 202.137.232.0/21 202.142.64.0/18 202.149.192.0/19 202.154.224.0/24 203.76.176.0/20 203.92.47.0/24 203.100.64.0/20 203.115.80.0/20 203.135.62.0/24 203.153.44.0/24 203.188.247.0/24 203.192.192.0/18 203.197.0.0/16 210.211.128.0/17 210.212.0.0/16 218.248.0.0/20 223.30.0.0/15 223.130.4.0/22 223.220.0.0/15 223.223.128.0/19 223.223.176.0/20 223.223.192.0/20 223.224.0.0/12
# Indonesia (ID)
Require not ip 23.247.80.0/23 36.64.0.0/11 49.50.4.0/22 49.50.8.0/22 103.87.16.0/24 103.253.0.0/22 110.136.176.0/20 110.139.0.0/16 111.95.0.0/16 112.109.19.0/24 114.57.238.0/23 114.79.18.0/24 115.166.96.0/19 116.12.40.0/21 116.66.200.0/21 116.254.96.0/21 118.96.0.0/15 118.99.64.0/18 118.137.96.0/19 119.18.152.0/21 119.110.68.0/24 119.235.16.0/20 119.252.162.0/24 120.160.0.0/11 122.200.144.0/21 124.6.36.0/22 124.81.0.0/16 124.195.124.0/24 125.160.0.0/14 125.164.64.0/19 125.165.128.0/18 139.192.0.0/14 139.255.0.0/16 175.184.232.0/21 180.241.128.0/17 180.242.0.0/16 180.245.0.0/16 180.246.0.0/16 180.248.128.0/18 180.249.0.0/16 180.251.0.0/18 182.253.0.0/16 202.57.0.0/19 202.158.32.0/19 202.162.192.0/20 202.162.208.0/24 203.130.192.0/18 203.215.48.0/24 222.124.168.0/24
# Japan (JP) (hacking, scraping, or spamming)
Require not ip 27.50.96.0/19 36.52.0.0/14 42.83.0.0/18 43.224.32.0/22 58.188.0.0/14 59.146.0.0/15 60.236.0.0/14 61.112.0.0/12 118.0.0.0/12 118.16.0.0/13 118.86.0.0/15 118.106.0.0/16 122.16.0.0/12 122.200.192.0/18 122.208.0.0/12 122.248.128.0/18 123.216.0.0/13 124.84.0.0/14 126.0.0.0/8 150.70.84.41 153.128.0.0/9 182.48.0.0/18 202.210.128.0/18 210.198.6.0/23 210.248.0.0/13 211.19.0.0/16 218.216.0.0/13 218.224.0.0/13 219.94.128.0/17 219.96.0.0/11 220.104.0.0/13 220.208.0.0/12 221.121.160.0/20 222.0.0.0/12 222.231.64.0/18 222.231.128.0/17 222.144.0.0/13 223.216.0.0/14
# Korea (KR) (including North Korea) IP addresses follow:
Require not ip 1.208.0.0/12 1.224.0.0/11 14.32.0.0/11 14.64.0.0/11 27.115.128.0/17 27.255.64.0/18 58.72.0.0/13 58.120.0.0/13 58.140.0.0/14 58.148.0.0/14 58.180.40.0/21 58.224.0.0/12 59.0.0.0/11 59.86.192.0/18 59.186.0.0/15 61.32.0.0/13 61.40.0.0/14 61.72.0.0/13 61.80.0.0/15 61.96.0.0/12 61.110.16.0/20 61.248.0.0/13 101.79.0.0/16 110.8.0.0/13 110.45.0.0/16 112.144.0.0/12 112.160.0.0/11 112.216.0.0/13 113.30.64.0/18 114.29.0.0/17 114.108.0.0/17 114.108.128.0/18 114.200.0.0/13 115.0.0.0/12 115.16.0.0/13 115.40.0.0/15 115.68.0.0/16 115.88.0.0/13 115.144.0.0/15 116.40.0.0/16 116.45.176.0/20 116.93.192.0/19 116.120.0.0/13 117.110.0.0/15 118.32.0.0/11 118.128.0.0/14 118.216.0.0/13 119.64.0.0/13 119.192.0.0/11 120.50.64.0/18 121.78.0.0/16 121.88.0.0/16 121.101.224.0/19 121.127.64.0/18 121.127.128.0/18 121.128.0.0/10 121.254.0.0/16 122.32.0.0/13 122.44.112.0/20 122.99.128.0/17 122.252.64.0/18 123.111.0.0/16 123.140.0.0/14 123.212.0.0/14 123.248.0.0/16 124.0.0.0/15 124.50.87.161 124.136.0.0/14 124.217.192.0/19 125.128.0.0/11 125.176.0.0/12 125.240.0.0/13 125.248.0.0/14 143.248.0.0/16 166.104.0.0/16 168.126.0.0/16 168.188.0.0/16 175.45.176.0/22 175.112.0.0/12 175.192.0.0/10 180.64.0.0/13 180.224.0.0/13 182.224.0.0/14 183.96.0.0/11 202.30.0.0/15 202.133.16.0/20 202.179.176.0/21 203.226.0.0/15 203.228.0.0/14 203.244.0.0/14 203.248.0.0/13 210.93.0.0/16 210.94.0.0/15 210.108.0.0/14 210.112.0.0/14 210.117.128.0/18 210.118.216.192/26 210.123.0.0/16 210.124.0.0/14 210.178.0.0/15 210.180.0.0/15 210.204.0.0/15 210.210.192.0/18 210.219.0.0/16 210.220.0.0/14 211.32.0.0/12 211.48.0.0/15 211.50.0.0/15 211.52.0.0/15 211.54.0.0/15 211.56.0.0/14 211.62.35.0/24 211.104.0.0/13 211.112.0.0/13 211.168.0.0/13 211.176.0.0/12 211.192.0.0/12 211.208.0.0/14 211.216.0.0/13 211.224.0.0/13 211.232.0.0/13 211.240.0.0/12 218.36.0.0/14 218.48.0.0/13 218.144.0.0/12 218.209.0.0/16 218.232.0.0/14 218.236.0.0/14 219.240.0.0/15 219.248.0.0/13 219.250.88.0/21 220.72.0.0/13 220.80.0.0/13 220.95.88.0/24 
Require not ip 220.118.0.0/16 220.119.0.0/16 221.128.0.0/12 221.140.0.0/14 221.144.0.0/12 221.160.0.0/13 221.168.0.0/16 221.163.46.0/24 222.96.0.0/12 222.112.0.0/13 222.120.0.0/15 222.122.0.0/16 222.231.0.0/18 222.232.0.0/13
# Yahoo-Korea (provides free email services used by some spammers)
Require not ip 123.0.0.0/20
# Neighboring Asian countries:
# Malaysia (MY)
Require not ip 27.131.32.0/24 60.48.0.0/14 60.52.0.0/15 60.54.0.0/16 110.159.0.0/16 112.137.160.0/20 113.23.128.0/17 115.132.0.0/14 116.197.0.0/17 116.206.0.0/16 118.100.0.0/15 119.110.96.0/20 120.50.48.0/20 120.140.0.0/15 124.82.0.0/16 124.217.224.0/19 161.139.0.0/16 175.136.0.0/13 180.72.0.0/14 182.54.192.0/19 202.58.80.0/20 202.71.96.0/20 202.75.32.0/19 202.188.0.0/18 202.190.0.0/16 203.106.0.0/16 203.217.176.0/22 203.223.128.0/19 210.187.49.0/25 218.111.0.0/16 218.208.12.64/27
# Philippines (PH)
Require not ip 27.110.144.0/20 37.0.120.0/21 85.92.152.0/21 110.5.64.0/21 111.235.80.0/20 112.201.128.0/17 112.202.0.0/16 120.28.64.0/18 122.54.125.73 125.60.128.0/17 125.212.52.0/22 125.212.56.0/22 180.193.64.0/19 202.52.54.0/23 202.133.192.0/24 202.146.184.0/23 222.127.32.0/19 222.127.64.0/19
# Singapore (SG)
Require not ip 47.88.128.0/17 58.185.18.0/28 59.189.0.0/16 116.12.48.0/21 116.14.0.0/15 116.251.223.0/24 121.6.0.0/15 165.21.0.0/16 180.210.200.0/21 182.23.147.0/24 192.169.40.0/23 203.92.64.0/18 203.117.0.0/24 218.186.0.0/16 218.212.0.0/16 219.74.0.0/15 219.75.0.0/17
# Taiwan (TW)
Require not ip 1.160.0.0/12 1.200.0.0/16 36.224.0.0/12 59.112.0.0/12 60.198.0.0/15 60.249.0.0/16 60.250.0.0/15 61.31.0.0/16 61.56.0.0/16 61.58.0.0/15 61.63.0.0/16 61.67.128.0/17 61.216.0.0/14 61.220.0.0/14 61.224.0.0/14 61.228.0.0/14 110.24.0.0/13 110.50.128.0/18 111.240.0.0/12 112.213.48.0/20 114.24.0.0/14 114.32.0.0/12 115.80.0.0/14 115.85.144.0/20 117.19.0.0/16 118.160.0.0/13 122.116.0.0/15 122.118.0.0/16 122.120.0.0/13 122.254.0.0/18 123.51.128.0/17 123.240.0.0/15 124.8.0.0/14 125.224.0.0/13 140.109.0.0/16 140.110.0.0/15 140.112.0.0/12 140.128.0.0/13 140.136.0.0/15 140.138.0.0/16 163.13.0.0/16 163.14.0.0/15 163.16.0.0/12 163.24.0.0/16 163.32.0.0/16 175.96.0.0/14 175.180.0.0/14 203.64.0.0/14 203.71.0.0/16 203.72.0.0/16 210.59.0.0/16 210.200.0.0/15 210.240.0.0/16 211.20.0.0/15 211.23.0.0/16 211.72.0.0/16 211.75.0.0/16 211.76.160.0/20 211.79.32.0/20 211.23.0.0/16 218.160.0.0/12 219.84.0.0/15 219.90.3.0/24 220.128.0.0/12
# Thailand (TH)
Require not ip 1.20.0.0/16 1.46.0.0/15 1.179.128.0/18 14.207.0.0/16 49.0.64.0/18 49.230.0.0/16 58.8.0.0/16 58.9.0.0/16 58.10.0.0/16 58.137.0.0/16 61.19.0.0/16 61.47.0.0/17 110.34.128.0/17 110.168.0.0/16 113.53.0.0/17 114.131.0.0/16 115.87.128.0/17 117.47.0.0/16 118.172.0.0/14 119.59.96.0/19 119.76.0.0/16 122.154.0.0/15 123.242.128.0/18 124.120.0.0/16 124.121.0.0/16 124.122.0.0/16 125.25.0.0/19 171.97.128.0/17 202.28.0.0/15 202.44.135.0/24 202.133.128.0/18 202.142.192.0/19 202.143.128.0/18 203.107.142.0/24 203.113.0.0/17 203.130.149.0/24 203.144.128.0/17 203.146.0.0/16 203.148.128.0/17 203.149.0.0/18 203.150.128.0/17 203.151.38.0/24 203.155.0.0/16 203.158.96.0/19 203.158.128.0/17 203.170.193.0/24 203.172.128.0/17 203.185.128.0/19 210.213.0.0/18 222.123.0.0/16 223.205.0.0/16 223.207.0.0/16
# Vietnam (VN)
Require not ip 1.52.0.0/14 14.160.0.0/11 14.224.0.0/11 27.64.0.0/12 42.112.0.0/13 58.186.0.0/15 64.188.12.0/23 64.188.25.128/26 67.215.225.128/26 103.48.188.0/22 103.48.192.0/22 103.79.140.0/22 103.207.32.0/21 112.78.0.0/20 112.197.0.0/16 112.213.80.0/20 113.22.0.0/16 113.23.0.0/17 113.160.0.0/11 115.72.0.0/13 115.84.176.0/22 115.146.120.0/21 116.96.0.0/12 116.118.0.0/17 117.0.0.0/13 118.68.0.0/14 118.99.13.0/24 123.16.0.0/12 125.234.0.0/15 171.224.0.0/11 175.100.64.0/20 180.93.0.0/16 183.80.0.0/16 183.81.0.0/17 183.91.0.0/19 202.78.227.0/24 203.113.128.0/18 203.162.0.0/16 203.205.0.0/18 203.210.192.0/18 210.211.96.0/19 210.245.0.0/17 220.231.124.0/22 222.252.0.0/14
# End Chinese-Korean blocklist
</RequireAll>
</Files>
And you may also want to be protected against bad bots; in that case, copy and paste this:
If you need a complete .htaccess, do ask me, I will be very happy to send it by email
Have a nice day
Yan
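As an added check for a list like the one above (example code written for this page, not part of Yan's post or of OpenCart), the following Python script parses the `Require not ip` lines of an .htaccess fragment, reports malformed entries, exact duplicates (211.23.0.0/16 appears twice in the Taiwan line above) and lines that carry CIDRs but no directive (Apache rejects such a line as an invalid command, which from an .htaccess means a 500 for every request to that directory), collapses nested ranges into a shorter list, and answers whether a given client address would be refused. The excerpt it runs on is constructed for the example and deliberately contains each of those defects.

```python
import ipaddress

DIRECTIVE = "Require not ip"

# Constructed excerpt in the shape of the .htaccess above. It deliberately
# contains one exact duplicate (211.23.0.0/16), one range nested inside
# another (211.23.5.0/24 inside 211.23.0.0/16), one malformed entry
# (300.1.2.0/24) and one continuation line that lost its directive.
SAMPLE_HTACCESS = """\
<Files *>
<RequireAll>
Require all granted
# Taiwan (TW)
Require not ip 1.160.0.0/12 211.23.0.0/16 211.72.0.0/16 211.23.0.0/16 211.23.5.0/24 218.160.0.0/12
# Vietnam (VN)
Require not ip 1.52.0.0/14 14.160.0.0/11 300.1.2.0/24 115.72.0.0/13
113.160.0.0/11 171.224.0.0/11
# Japan (JP)
Require not ip 150.70.84.41
</RequireAll>
</Files>
"""


def _to_network(token):
    """An Apache ip token is a host address or a CIDR; None if malformed."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def parse_blocklist(text):
    """Collect the networks of every 'Require not ip' line and report
    malformed tokens, exact duplicates and directive-less continuation lines."""
    result = {"networks": [], "duplicates": [], "invalid": [], "orphan_lines": []}
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        if line.startswith(DIRECTIVE):
            tokens = line[len(DIRECTIVE):].split()
        elif all(_to_network(t) is not None for t in line.split()):
            # A bare list of addresses: the directive was lost in a line split,
            # and Apache would refuse the whole file with "Invalid command".
            result["orphan_lines"].append((lineno, line))
            continue
        else:
            continue  # some other directive, e.g. "Require all granted"
        for tok in tokens:
            net = _to_network(tok)
            if net is None:
                result["invalid"].append(tok)
            elif net in seen:
                result["duplicates"].append(tok)
            else:
                seen.add(net)
                result["networks"].append(net)
    return result


def collapse(networks):
    """Merge adjacent ranges and drop ranges nested inside larger ones, which
    shortens the list Apache has to walk on every request."""
    return list(ipaddress.collapse_addresses(networks))


def is_blocked(networks, client_ip):
    """Would a 'Require not ip' list of these networks refuse client_ip?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    r = parse_blocklist(SAMPLE_HTACCESS)
    print(len(r["networks"]), "networks,", len(collapse(r["networks"])), "after collapsing")
    print("invalid:", r["invalid"], "duplicates:", r["duplicates"])
    for lineno, line in r["orphan_lines"]:
        print(f"line {lineno} has no directive: {line}")
    print("211.23.5.7 blocked:", is_blocked(r["networks"], "211.23.5.7"))
```

Running the same parser over the full list above is a cheap way to find the split lines before they take the directory down with a 500, and the collapsed count shows how much of the list Apache is walking for nothing.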
Re: brute force attack on /admin
Posted: Wed Mar 03, 2021 1:17 pm
by TechFost
You can use Fail2Ban to block all IP addresses that repeatedly make attempts to log in to your OpenCart site. Once you set up Fail2Ban, you just have to check the logs to make sure that Fail2Ban is working as you expect.
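Putting TechFost's Fail2Ban suggestion next to the log lines in the original post, here is an added Python example (not code from the thread and not Fail2Ban's own) that parses Apache combined-format lines, applies a Fail2Ban-style maxretry/findtime threshold per source IP, and separately looks for the pattern in hostking's log that a per-IP threshold cannot see: many different IPs sending POST /admin/ within seconds with one identical User-Agent. The log lines are constructed (RFC 5737 documentation addresses) and modelled on the ones quoted above; the thresholds are assumptions to tune to your own traffic.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Apache "combined" log format, as in the lines quoted in the original post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: four different IPs hit POST /admin/ within six seconds
# with the same User-Agent and get 406 (already refused, yet still served),
# while one single IP hammers the login route five times in eight seconds.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jan/2021:10:15:40 +0200] "GET /index.php?route=common/home HTTP/1.1" 200 9123 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/84.0"
203.0.113.10 - - [08/Jan/2021:10:15:43 +0200] "POST /admin/ HTTP/1.1" 406 455 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
203.0.113.11 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
203.0.113.12 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
203.0.113.13 - - [08/Jan/2021:10:15:49 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
192.0.2.50 - - [08/Jan/2021:10:20:01 +0200] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.50 - - [08/Jan/2021:10:20:03 +0200] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.50 - - [08/Jan/2021:10:20:05 +0200] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.50 - - [08/Jan/2021:10:20:07 +0200] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "curl/7.68.0"
192.0.2.50 - - [08/Jan/2021:10:20:09 +0200] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def admin_posts(entries):
    """Every POST below /admin counts as a login attempt, whatever its status."""
    return [e for e in entries if e["method"] == "POST" and e["path"].startswith("/admin")]


def fail2ban_style_bans(entries, maxretry=5, findtime=60):
    """IPs with at least maxretry admin POSTs inside any findtime-second window,
    the rule a Fail2Ban jail applies per source address."""
    banned = set()
    recent = defaultdict(deque)
    for e in sorted(admin_posts(entries), key=lambda x: x["ts"]):
        window = recent[e["ip"]]
        window.append(e["ts"])
        while (e["ts"] - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(e["ip"])
    return banned


def distributed_bursts(entries, window=60, min_ips=3):
    """Per User-Agent, the largest number of distinct source IPs seen inside
    any window-second span; agents reaching min_ips are returned. This is the
    shape of the attack in the original post, which per-IP thresholds miss."""
    by_ua = defaultdict(list)
    for e in admin_posts(entries):
        by_ua[e["ua"]].append((e["ts"], e["ip"]))
    flagged = {}
    for ua, events in by_ua.items():
        events.sort()
        active = Counter()
        start = 0
        for ts, ip in events:
            active[ip] += 1
            while (ts - events[start][0]).total_seconds() > window:
                old_ip = events[start][1]
                active[old_ip] -= 1
                if active[old_ip] == 0:
                    del active[old_ip]
                start += 1
            if len(active) >= min_ips:
                flagged[ua] = max(flagged.get(ua, 0), len(active))
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("ban per IP:", sorted(fail2ban_style_bans(log)))
    for ua, n in distributed_bursts(log).items():
        print(f"distributed burst: {n} IPs sharing UA {ua!r}")
```

A per-IP jail bans 192.0.2.50 here and never touches 203.0.113.10 to 13, which send one request each; the second check is what you would turn into an alert or feed to a ModSecurity or CSF rule, and the 406 in the sample (as in the original log) shows that requests which are already refused still have to be counted.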
Re: brute force attack on /admin
Posted: Mon Oct 25, 2021 7:50 am
by satriani2019
Did you find a solution?
Renaming the admin folder, adding keys to the admin login, etc. are useless.
hostking wrote: ↑Fri Jan 08, 2021 4:17 pm
We have a strange issue. Hoping someone has a modsecurity rule or something to stop this on our shared hosting servers. We already implemented a Captcha on the login page of the site, but it does not seem to stop this.
We tried three different modsecurity rulesets, OWASP, Comodo and even Atomic (PAID), and none seem to stop this attack on the /admin folder.
I assume we may have to use some regular expression, but my knowledge of that is not so good.
Unless someone can recommend a technique or way to stop this across multiple websites on a server?
180.252.180.250 - - [08/Jan/2021:10:15:43 +0200] "POST /admin/ HTTP/1.1" 406 455 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
122.173.51.255 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
106.201.153.52 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
82.213.229.161 - - [08/Jan/2021:10:15:49 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
Re: brute force attack on /admin
Posted: Mon Oct 25, 2021 5:30 pm
by JNeuhoff
See this forum thread for a solution.
It's both a brute force and DDoS attack combined. It will inflate your 'oc_session' DB table and therefore cause your OpenCart server to eventually reach its resource limit. And each of these attacking requests uses a different user and password combination, randomly generated, in the hope that after weeks or months of attacking your website it will come across the right login credentials.
Re: brute force attack on /admin
Posted: Mon Oct 25, 2021 7:40 pm
by k2tec
Don't make your .htaccess too big with restrictions; it slows down your Apache.
If you run a VPS or a server, put CSF and ModSecurity on it, and configure them to your own wishes.