• We run well over 100 WP sites on a dedicated server. We have tried every plugin from iThemes to Wordfence plus Cloudflare, moving login pages and double logins using .htaccess and ssh scripts to the root file .wpadmin to mitigate. Nothing seems to work on a particular issue.

    I run a series of ssh commands every morning to see what is being attacked. Sometimes there are only 50 to 1000 against a few sites. Often there are tens of thousands against 1 or 2 sites on the server. None of the above-mentioned techniques or plugins stop it. All come from 1 or 2 IPs so we can easily block those but it is time consuming.

    I recently logged into the cPanel and pulled up latest visitors so I could refresh and see if any of the techniques or plugins work and they do not. The attacks continue till I manually block the IP address. I also noticed the cPanel log for latest visitors does not show a user-agent. Does this mean they are using something other than a browser to hit that page? We even use a non-standard port number for ssh (if that is the way they are trying to hit us) but that would require they hacked our server password which changes a lot.

    If WordPress could come up with something like cPHulk for WHM it would be great. That seems to work without any issues. We set the number of times an IP or Account can be attempted and it blocks them based on number of times or IP for the time period we set which is 6 months. That way you cover both kinds of brute force attacks and they can’t come back often.

    Does anybody have an idea about how to stop something that does not have a user-agent? I tried a couple .htaccess codes but they did not stop it.

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi Lubyg, did you enable any of the Brute Force features? Did you also enable the Enable Pingback Protection feature under Basic Firewall Rules?

    Thread Starter Lubyg

    (@paontheweb)

    Yep, I sure did. Tried the deprecated Brute Protect that will become part of Jetpack soon, tried iThemes Brute Protect, Firewalls, and disabled pingbacks and trackbacks completely.

    Even the double login feature does not stop them. You set that up by creating a .wpadmin file in the root so it is not in public. Here is how to do it. Note: replace your usernames and feel free to change after the : in pickausername and use your actual username for the website you want to protect.
    Create root file .wpadmin and put in the following
    pickausername:n5MfEorOIQkKz
    Run SSH Command below
    htpasswd -c /home/webusername/.wpadmin pickausername
    Add the following to your .htaccess
    ErrorDocument 401 "Unauthorized Access"
    ErrorDocument 403 "Forbidden"
    <FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/webusername/.wpadmin
    require valid-user
    </FilesMatch>

    Now when you try to login you will get a double login but the first one will be a pop up.

    To see what is happening across your WHM server SSH the following:
    ssh root@YourServer IP -p YourPortNumber

    Enter your password. Note: Mac Terminal will not show it. Just paste it in and hit enter.

    Next paste in this code and change the date. You may also need to replace your quotes manually by using your back arrow keys.

    grep "POST /wp-login.php" /home/*/access-logs/* | grep "1/Jan/2015" | cut -d/ -f5 | cut -d: -f1 | sort | uniq -c | sort -n | tail

    That will bring up all the wp-login.php post attempts with the domain name.

    Next use this to see the IPs if you don’t want to bother going to your cPanel logs.

    grep "POST /wp-login.php" /home/*/access-logs/* | grep "1/Jan/2015" | awk '{print $1}' | cut -d: -f2 | sort | uniq -c | sort -n | tail

    Again, replace your date and quotes manually
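
    Added example, not part of the original post: the two grep pipelines above folded into a single awk pass that reports wp-login.php POSTs per IP and site and also counts how many arrived with no User-Agent (Apache's combined log format writes "-" when the header is absent). The function name wp_login_offenders, the sample log lines, IPs and domains are constructed for illustration; it assumes combined-format logs named after the domain, as under /home/*/access-logs/.

```shell
#!/bin/sh
# Added example. Usage: wp_login_offenders DD/Mon/YYYY MIN_HITS LOGFILE...
# Prints "ip site hits hits_without_user_agent", busiest first.
wp_login_offenders() {
    day=$1; min=$2; shift 2
    awk -F'"' -v day="$day" -v min="$min" '
        # Split on double quotes: $1 = "ip - - [date] ", $2 = request line,
        # $6 = User-Agent. Apache writes "-" when the header is absent.
        # Matching "[" day ":" keeps 01/Jan from also matching 11/21/31.
        $2 ~ /^POST \/wp-login\.php/ && index($1, "[" day ":") {
            split($1, head, " ")            # head[1] = client IP
            n = split(FILENAME, path, "/")  # path[n] = log name (the domain)
            key = head[1] " " path[n]
            hits[key]++
            if ($6 == "-" || $6 == "") noua[key]++
        }
        END {
            for (k in hits)
                if (hits[k] >= min)
                    printf "%s %d %d\n", k, hits[k], noua[k] + 0
        }' "$@" | sort -k3,3nr -k1,1
}

# Constructed sample logs (documentation IP ranges, made-up domains).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/site-a.example" <<'EOF'
203.0.113.7 - - [01/Jan/2015:03:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [01/Jan/2015:03:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [01/Jan/2015:03:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
203.0.113.7 - - [11/Jan/2015:03:00:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.9 - - [01/Jan/2015:09:12:44 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
cat > "$demo/site-b.example" <<'EOF'
203.0.113.7 - - [01/Jan/2015:03:05:00 -0500] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.9 - - [01/Jan/2015:09:20:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2015:09:20:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
EOF
wp_login_offenders 01/Jan/2015 2 "$demo"/*
```

    On the server, pass /home/*/access-logs/* as the log arguments, as in the pipelines above.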

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi Lubyg, that looks very interesting and very secure.

    I am sure many will try your solution. Of course, this is only for those that manage their own server. If you are on a shared account then you would not be able to implement your great security feature.

    I will keep this in mind.

    Once again thank you for sharing.

    Kind regards

    Thread Starter Lubyg

    (@paontheweb)

    Hmm, when I said Root I should have said Home (if using cpanel). As long as you have SSH you can do this. There is another way without SSH. Anyway, I found a better set of instructions with two options and you don’t need a dedicated server. See this link https://support.hostgator.com/articles/specialized-help/technical/wordpress/wordpress-login-brute-force-attack

    Of course, there is always Managed WordPress hosting that takes the worry out of security. I like this one as it appears to be the cheapest compared to WP Engine, DreamHost and others. https://hosting.wewhoserved.net/hosting/wordpress.aspx?ci=43232&prog_id=501494

    I used their easy-to-use Migrate tool for WordPress and it worked perfectly. The only reason I don’t move all my WordPress sites to something like this is the cost. We do have a dedicated server with over 150 WordPress sites running now and it would be time consuming to do them all. I still think we need something like cPHulk in the WHM for WordPress.

  • The topic ‘Attacks showing no user-agent’ is closed to new replies.