• Last night, Wordfence blocked a “single IP” brute force attack.
    The bot continued relentlessly, over 3000 times, targeting the same “banned URL” (a non-existent login URL).
    My server logs clearly show a 503 response each time.

    Should I expect a “high server load” during this attack since the 503 errors are constantly being served?

    On this account, I seem to be tracking high CPU usage/server loads, and I am trying to determine if the issue is partly or wholly based on this and similar attacks.

    https://www.ads-software.com/plugins/wordfence/

Viewing 15 replies - 16 through 30 (of 30 total)
  • Thread Starter themadproducer

    (@themadproducer)

    @scottkr24
    WF>Options>ALERTS…Maximum email alerts to send per hour
    Choose a number like 1 so if you have 10 events that happen in an hour, instead of getting 10 separate emails, you will get only 1 email with all 10 events and maximum of 1 email per hour.

    You can’t stop a BOT from TRYING.
    You can only stop it from succeeding. (Limiting or Blocking it)
    That’s one of the issues we are whining about in this very thread.

    The only way I know of removing the burden from your OWN server is to have a 3rd party involved, like Cloudflare, which acts as a middle man and apparently intercepts bot attacks and such. But I have never used the service. Or if your hosting service has a security measure of their own in place, which could alleviate the taxing put onto your server’s CPU.

    Found it just before I got your reply. I set it to 5 and if it’s still annoying I’ll set it to 1.

    Anyway I just sent my Admin guy your reply to see if he can do anything to protect my server that he looks after or I’ll contact the hosting company.

    Thanks.

    pingram

    (@pingram3541)

    Yes, I’ve used that with a DigitalOcean droplet I had, but it’s something that does require direct server access to install and use. Most cPanel accounts don’t have access to install that, or lack SSH access with permissions. We want to get back to being web designers and developers, not server administrators, but it is a great tool for those of us forced into that arena. I’m just still a little bitter I’ve had to go there =)

    The exact same thing has been happening to me. My CPU usage shot up to over 50% as a result (my hosting company wants me to keep my usage below 2%). I submitted a support ticket with Wordfence with more specific questions regarding settings, etc., but it’s been 24 hours and I haven’t heard back. Would it be better to post those details here (in a new thread)?

    Thread Starter themadproducer

    (@themadproducer)

    Was the 50% figure a daily average or a PEAK SPIKE? Reason I ask is that a spike or a short-term burst shouldn’t be an issue, as the daily average CPU usage could still be under 2%… according to cPanel.

    When you say “same thing has been happening to you”…have you been under brute force attacks? What do your WF and/or cPanel logs show?

    The 50% was at the peak yesterday (October 16). Once I blocked login attempts from every country outside of North America, the attempts to log in moved to cities in the U.S. like Orlando and Chicago. I ended up blocking one of their IP addresses in my .htaccess file, and that immediately helped. The average for the day ended up dropping to 29.81%, from a peak at around 54%.

    My concern with using .htaccess or Wordfence to completely block an IP address’ access to the site (rather than to just the login page) is that it could then prevent other legitimate people using the same Internet Service Provider from visiting my site.

    Here’s a summary of my daily stats. The spike on October 11 prompted me to tighten some of my Wordfence settings. (I can repost these details and more in a new thread if it’s better to not hijack someone else’s post.)

    Stats for 17 Oct 2015:
    ———————————
    CPU Usage – 3.78%
    MEM Usage – 0.03%
    Number of MySQL procs (average) – 0.14

    Stats for 16 Oct 2015:
    ———————————
    CPU Usage – 29.81%
    MEM Usage – 0.21%
    Number of MySQL procs (average) – 1.06

    Stats for 15 Oct 2015:
    ———————————
    CPU Usage – 35.19%
    MEM Usage – 0.25%
    Number of MySQL procs (average) – 1.23

    Stats for 14 Oct 2015:
    ———————————
    CPU Usage – 2.01%
    MEM Usage – 0.03%
    Number of MySQL procs (average) – 0.07

    Stats for 13 Oct 2015:
    ———————————
    CPU Usage – 2.06%
    MEM Usage – 0.02%
    Number of MySQL procs (average) – 0.07

    Stats for 12 Oct 2015:
    ———————————
    CPU Usage – 1.94%
    MEM Usage – 0.03%
    Number of MySQL procs (average) – 0.05

    Stats for 11 Oct 2015:
    ———————————
    CPU Usage – 10.92%
    MEM Usage – 0.08%
    Number of MySQL procs (average) – 0.43

    I should add that on the days that the CPU usage shot up, the top processes for each day were all for the WordPress login page.

    Thread Starter themadproducer

    (@themadproducer)

    Are you the only one that is supposed to be logging in?
    If yes, then you may want to try what I did in .htaccess and place a whitelist for wp-login.php that only includes your IP. It’s been incredibly effective since I did this. This way, you’re not blocking anyone from visiting your site, server load is greatly reduced, and all login attempts are denied. Then WF can take care of the rest.

    My IP is dynamic, so it will change every so often… maybe it lasts even 6 months or so before I get a new one.
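The wp-login.php allowlist described above, as an added example that is not code from this thread or from Wordfence. It goes a step further than the single-IP rule: the stanza can carry several addresses or CIDR ranges, and the script rewrites the stanza between two marker comments in each site's .htaccess while leaving the existing WordPress rules untouched, so when a dynamic IP changes you rerun one command per site instead of editing each file by hand over FTP. It assumes Apache 2.4 (`Require ip`) with `AllowOverride` permitting `Require` in .htaccess; on Apache 2.2 the stanza would need `Order`/`Deny`/`Allow` instead. The marker comments, function names, paths and IP addresses are my own, constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or Wordfence): keep a wp-login.php
# allowlist stanza up to date across several WordPress docroots.
# Assumes Apache 2.4 and AllowOverride that permits Require in .htaccess.

BEGIN_MARK='# BEGIN wp-login allowlist'
END_MARK='# END wp-login allowlist'

# login_allowlist_stanza IP...: print the .htaccess stanza that refuses
# wp-login.php (HTTP 403) to everyone except the given addresses/CIDRs.
login_allowlist_stanza() {
    printf '%s\n' "$BEGIN_MARK"
    printf '<Files "wp-login.php">\n'
    printf '    Require ip %s\n' "$*"
    printf '</Files>\n'
    printf '%s\n' "$END_MARK"
}

# apply_login_allowlist DOCROOT IP...: rewrite DOCROOT/.htaccess, keeping
# every line outside the markers (e.g. the WordPress rewrite block) and
# replacing any earlier allowlist stanza with a fresh one. Rerunnable.
apply_login_allowlist() {
    docroot="$1"; shift
    file="$docroot/.htaccess"
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skipping = 1; next }
        $0 == e { skipping = 0; next }
        !skipping { print }
    ' "$file" > "$tmp"
    login_allowlist_stanza "$@" >> "$tmp"
    mv "$tmp" "$file"
}

# allowed_ips_in DOCROOT: print the addresses currently allowlisted, so an
# admin can check every site after a rerun.
allowed_ips_in() {
    sed -n 's/^ *Require ip //p' "$1/.htaccess"
}

# Stand-alone demo with two constructed sites in a temporary directory:
# the first run installs the stanza, the second simulates a changed IP.
demo_dir=$(mktemp -d)
for site in site-a site-b; do
    mkdir -p "$demo_dir/$site"
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' > "$demo_dir/$site/.htaccess"
    apply_login_allowlist "$demo_dir/$site" 203.0.113.10
    apply_login_allowlist "$demo_dir/$site" 198.51.100.5
    echo "$site now allows: $(allowed_ips_in "$demo_dir/$site")"
done
rm -rf "$demo_dir"
```

Because the markers bound the rewrite, a site that is co-managed by a client can keep its own .htaccess edits outside the stanza; the script only ever touches the lines between `# BEGIN wp-login allowlist` and `# END wp-login allowlist`.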

    lightsoutdave

    (@lightsoutdave)

    In a load balanced network with multiple web nodes, modifying the htaccess can be unpredictable since you may write the rule to the htaccess only on node1 and then it may not exist when node3 tries to remove it.

    If you need to block at the server level, it might be more effective for WordFence to log the attacks somewhere and use something like fail2ban to monitor those logs and block IP addresses at the server firewall (iptables) level based on similar rules to your WordFence settings. That way fail2ban handles the actual add/removal of the IP block rather than WordFence.
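As an added example of the log-driven approach just described (not Wordfence's code and not a real fail2ban filter), here is the counting rule a fail2ban jail would apply, written in shell over a few constructed Apache combined-format access-log lines: count 503 responses per client IP (the status Wordfence returns when it blocks a request, as in the opening post), skip an allowlisted admin address, and print the IPs at or above a `maxretry` threshold together with the iptables rule a ban action would insert. The rule is only printed as a dry run, never executed. The log lines, IP addresses (RFC 5737 documentation ranges), threshold and function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Wordfence's code, not a real fail2ban filter): a
# fail2ban-style counter over Apache combined-format access log lines.
# Counts 503 responses per client IP, skips allowlisted IPs, and prints the
# offenders plus the firewall rule a ban action would add (dry run only).

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG='203.0.113.7 - - [17/Oct/2015:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 503 1453 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Oct/2015:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 503 1453 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Oct/2015:02:14:02 +0000] "GET /about/ HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Oct/2015:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 503 1453 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Oct/2015:02:15:00 +0000] "POST /wp-login.php HTTP/1.1" 503 1453 "-" "curl/7.43"
192.0.2.10 - - [17/Oct/2015:02:15:01 +0000] "POST /wp-login.php HTTP/1.1" 503 1453 "-" "curl/7.43"
192.0.2.10 - - [17/Oct/2015:02:15:02 +0000] "POST /wp-login.php HTTP/1.1" 503 1453 "-" "curl/7.43"
198.51.100.23 - - [17/Oct/2015:02:16:00 +0000] "POST /wp-login.php HTTP/1.1" 503 1453 "-" "Mozilla/5.0"'

# Admin address that must never be banned (assumption: the same IP that the
# .htaccess allowlist in this thread would carry).
ALLOWLIST="192.0.2.10"

# find_offenders MAXRETRY: read log lines on stdin; print (sorted) each IP
# with at least MAXRETRY 503 responses that is not on the allowlist.
# In combined format field 1 is the client IP and field 9 the status code.
find_offenders() {
    maxretry="$1"
    awk -v maxretry="$maxretry" -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $9 == "503" && !($1 in skip) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= maxretry) print ip }
    ' | sort
}

# ban_commands MAXRETRY: dry run. Print the iptables rule a fail2ban action
# would insert for each offender; nothing is executed.
ban_commands() {
    find_offenders "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run: with maxretry=3 only 203.0.113.7 qualifies
# (192.0.2.10 is allowlisted; 198.51.100.23 has a single 503).
printf '%s\n' "$SAMPLE_LOG" | ban_commands 3
```

Two properties matter here more than the awk itself: the allowlist is checked before counting, so an admin who mistypes a password a few times is never locked out at the firewall, and the same threshold that Wordfence applies in PHP is applied once more at a layer that never starts PHP, which is where the CPU saving for a 3000-request burst comes from.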

    Plugin Author WFMattR

    (@wfmattr)

    @lightsoutdave: Thanks for the input. This may be an option in a future version, though people who have shared hosting won’t be able to take advantage of it unless their host is willing to coordinate on it. It definitely could be a more effective way to block access by IP, when the option is available.

    -Matt R

    sjc

    (@stevielovegun)

    I know this thread has been quiet for a while. I’m wondering if you have come any further with ideas for a solution that moves beyond the resource-heavy 503 blocks for these large-scale attacks Mark or WFMattR?

    Cheers

    Here’s what I did, as I’m running all nginx servers:
    1) I still use WordFence, but the constant notifications drove me nuts
    2) Set up free CloudFlare DNS, dropped block notifications by a large margin
    3) Set up Jetpack’s Protect feature, no more block notifications, and I tested a failed attempt personally and did get notified by WF, so it appears to be working pretty well (I had wondered if it truly was working or just hijacking WF)

    Thread Starter themadproducer

    (@themadproducer)

    Since this discussion was initiated and addressed, I have not heard of any new implementations. (or did I miss something?) This heavy resource usage due to botnet attacks is serious and I am surprised there is not more focus on this matter.

    To this day, I use an IP whitelist in htaccess for admin access and it is truly a solid workaround. During 2 months of testing on 6 websites, it reduced resource usage down to a very minimum. I appreciate and need WordFence as a secondary layer of defense.

    The only major hassles are:
    1) My IP address sometimes changes and I have to manually FTP to update the .htaccess files for every WP site that I manage.

    2) It is not a good solution for those WP sites that are co-managed by the client.

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for checking in. All changes and features are prioritized by a number of factors. Performance during attacks is definitely an important issue. The related features and performance improvements for high-volume attacks are slated for a future release, but I don’t have a date for it yet.

    -Matt R

  • The topic ‘3000 High CPU Brute Force Attack Single Blocked IP 503’ is closed to new replies.