Post by khnaz35 » Sun Jan 29, 2023 1:02 am

But you are not sending the attack back. These people should learn what they are doing, with their own method.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by JNeuhoff » Sun Jan 29, 2023 1:30 am

khnaz35 wrote:
Sun Jan 29, 2023 1:02 am
But you are not sending the attack back. These people should learn what they are doing, with their own method.
Have been using this for a few hours:

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/?$ http://%{REMOTE_ADDR}/ [R=301,L]
Sends a multitude of different pages and network failures back to the compromised servers used by the attacker, and I assume these compromised servers will pass on the results (often pages with 200 status code) to the attacker himself for evaluation. Or at least it will pass on the user/password guesses (which are actually invalid anyway, though the attacker doesn't know it).

It has already decreased the number of requests to our server from this attacker by 70 percent. IMHO this can be a better strategy than merely responding with 403 results. We'll see. The goal is to make him give up, realizing he's just wasting his bandwidth and compromised servers.

Will compare this with another strategy which returns standard 404 responses later on, to see which works better.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig



Post by OSWorX » Sun Jan 29, 2023 4:04 pm

The "main" problem with such "attacks" is that mostly they come from infected websites that script kiddies have taken over, or on which they have placed scripts which send requests automatically.
That means no real person stands behind them.

While the idea of sending back to the original address (which I have been using for years with success) is smart, in the end not many will notice that.

Maybe I am wrong .. ?

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by khnaz35 » Sun Jan 29, 2023 7:57 pm

Since I am using the Cloudflare firewall I can see most of the attacks come from US, Spain, China, & RU IPs https://prnt.sc/RpfO0qJ8ICBA.
And I noticed that the user agent is always the same, with an empty POST string

Code:

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
https://prnt.sc/q_nZg7Iyb7Br

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*
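The two observations above (JNeuhoff's RewriteCond pair, which matches POST requests to the bare admin directory with an empty query string, and khnaz35's note that the probes always carry the same user agent) can be turned into a log-side check. The following is an added example, not code from this thread or from OpenCart: a small Python script that parses Apache combined-format access log lines, applies the same POST + empty-query-string condition, counts matches per source IP and per user agent, and returns the IPs at or above a threshold. The log lines, IP addresses, timestamps and threshold are constructed for the example (the user agent string is the one quoted in the post above); the admin directory name is a parameter, assuming an installation may use a renamed admin folder.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format:
#   host ident authuser [date] "METHOD target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User agent reported in the thread as constant across the probes.
PROBE_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

# Constructed sample log lines (addresses from the RFC 5737 documentation ranges,
# not real sources). Three probes from one host, one from another, then normal
# admin traffic, a shop request, and one line that is not a valid record.
SAMPLE_LOG = f"""\
203.0.113.5 - - [29/Jan/2023:01:00:01 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "{PROBE_UA}"
203.0.113.5 - - [29/Jan/2023:01:00:02 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "{PROBE_UA}"
203.0.113.5 - - [29/Jan/2023:01:00:03 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "{PROBE_UA}"
198.51.100.7 - - [29/Jan/2023:01:00:04 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "{PROBE_UA}"
192.0.2.10 - - [29/Jan/2023:01:00:05 +0000] "GET /admin HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/109.0"
192.0.2.10 - - [29/Jan/2023:01:00:06 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "https://shop.example/admin" "Mozilla/5.0 (Windows NT 10.0) Firefox/109.0"
192.0.2.10 - - [29/Jan/2023:01:00:07 +0000] "POST /index.php?route=checkout/cart/add HTTP/1.1" 200 120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/109.0"
this line is not a valid log record
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_admin_probe(rec, admin_dir="admin"):
    """True when the record matches the pattern from the thread: a POST to the bare
    admin directory (with or without trailing slash) and an empty query string.
    This is the same condition the RewriteCond pair expresses in .htaccess."""
    if rec["method"] != "POST":
        return False
    parts = urlsplit(rec["target"])
    return parts.path.rstrip("/") == f"/{admin_dir}" and parts.query == ""


def summarize(log_text, threshold=2, admin_dir="admin"):
    """Count admin probes per source IP and per user agent.

    Returns the raw counters, the sorted list of IPs with at least `threshold`
    probes (the candidates for a firewall or fail2ban-style block), and how many
    non-empty lines could not be parsed, so a log format mismatch is visible.
    """
    per_ip = Counter()
    per_ua = Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        if is_admin_probe(rec, admin_dir):
            per_ip[rec["ip"]] += 1
            per_ua[rec["ua"]] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {
        "per_ip": dict(per_ip),
        "per_ua": dict(per_ua),
        "flagged": flagged,
        "skipped": skipped,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("probes per IP:", result["per_ip"])
    print("probes per user agent:", result["per_ua"])
    print("flagged IPs:", result["flagged"])
    print("unparseable lines:", result["skipped"])
```

The legitimate admin login POST is not counted because OpenCart's login form posts to a URL with a `route=` query string, which is exactly why the empty-query-string condition in the rewrite rule separates the probes from real logins. The per-IP counts also give a number to compare the 301, 403 and 404 strategies discussed in the thread against, rather than judging by feel.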



Post by Bulletpolish » Tue Jan 31, 2023 6:26 pm

Many thanks Juergen Neuhoff for your help with my fake accounts & contact emails all coming from Spambots & mainly Russian Federation IP addresses. My system, Opencart 3.0.2.0 & my emails are now free from all this junk. Spambot works a treat since you installed it properly and you removed the Bruteforce DDos file.
Many thanks,
James
Bullet Polish Europe Ltd


Post by JNeuhoff » Tue Jan 31, 2023 7:56 pm

Just to be clear: This particular bruteforce attack, as described on this forum thread, has the sole purpose of guessing the user/password of the admin. Spambots are different, their purpose usually is to send spam mails via the Contact page, or to do fake account registrations.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by johnp » Wed Feb 01, 2023 1:12 am

Try sticking Cidram on. It blocks traffic from known bad sources. You can set it to return a 500 error for stubborn attacks.

https://github.com/CIDRAM/CIDRAM

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk



Post by haydent » Wed Apr 19, 2023 6:34 am

Does this block password guessing on the admin login? Looking at the code it doesn't seem to?


Post by johnp » Wed Apr 19, 2023 7:46 am

haydent wrote:
Wed Apr 19, 2023 6:34 am
Does this block password guessing on the admin login? Looking at the code it doesn't seem to?
It doesn't. Use Ninja Firewall for that:

https://nintechnet.com/ninjafirewall/pro-edition

I use both Ninja Firewall and Cidram on my Opencart sites. It's also worth adding an extension to protect the admin folder.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk



Post by haydent » Wed Apr 19, 2023 10:23 am

So I really don't get why it's called brute force.. it's only DDoS protection.


Post by haydent » Wed Apr 19, 2023 10:28 am

I looked at Ninja but it's all paid from what I can see. I think the simplest and cheapest might be a fail2ban jail (assuming you have control over that); found one in the first Google result https://zuma-design.com/opencart-fail2ban-jail


Post by johnp » Wed Apr 19, 2023 4:37 pm

haydent wrote:
Wed Apr 19, 2023 10:28 am
I looked at Ninja but it's all paid from what I can see. I think the simplest and cheapest might be a fail2ban jail (assuming you have control over that); found one in the first Google result https://zuma-design.com/opencart-fail2ban-jail
They do a free version.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk



Post by alber99 » Wed Mar 13, 2024 2:48 am

JNeuhoff wrote:
Sun Jan 29, 2023 1:30 am
khnaz35 wrote:
Sun Jan 29, 2023 1:02 am
But you are not sending the attack back. These people should learn what they are doing, with their own method.
Have been using this for a few hours:

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/?$ http://%{REMOTE_ADDR}/ [R=301,L]
Sends a multitude of different pages and network failures back to the compromised servers used by the attacker, and I assume these compromised servers will pass on the results (often pages with 200 status code) to the attacker himself for evaluation. Or at least it will pass on the user/password guesses (which are actually invalid anyway, though the attacker doesn't know it).

It has already decreased the number of requests to our server from this attacker by 70 percent. IMHO this can be a better strategy than merely responding with 403 results. We'll see. The goal is to make him give up, realizing he's just wasting his bandwidth and compromised servers.

Will compare this with another strategy which returns standard 404 responses later on, to see which works better.
@JNeuhoff
So in the end, which strategy works best?
