blocking IP but not blocking at all

  • Resolved jancas

    (@jancas)


    9 years, 11 months ago

    Hello,
    Today I was happy to see Wordfence was protecting one of my sites. I recieved 4 emails, the first at 1:46 am and the last one at 4:52 am. Wordfence informed me that he was blocking one IP and the reason was: “Exceeded the maximum number of page not found errors per minute for humans.”.

    However, to verify this I checked the server logs and I was surprised to see that the supposed blocked IP had been continually hitting a non existing page (wp-login) from 1:45 am to 5:25 am without any stop for each second, so my guess is wordfence didn′t block it at all despite saying so.

    What could be causing this?
    Thanks.

    https://www.ads-software.com/plugins/wordfence/

Viewing 4 replies - 1 through 4 (of 4 total)

  • Can you post the error message?

    (blackout anything sensitive, of course)

    thanks

    tim

    Thread Starter jancas

    (@jancas)

    Hi Tim,

    These are taken from the affected site access log:

    – – [12/Dec/2014:03:03:52 +0000] “POST /wp-login.php HTTP/1.0” 503 2337 “-” “-“

    – – [12/Dec/2014:03:18:58 +0000] “POST /wp-login.php HTTP/1.0” 404 19222 “-” “-“

    As I mentioned before the log was filled with theses lines, one per second in the referred time interval. Most were 503 error.

    Please note I am using the plugin Rename wp-login.php

    Question is, why wasn`t the IP blocked?

    Thanks.

    503 is the error code we send back when we block or throttle something. So it looks like we are actually blocking there. I assume the 404’s are first time hits? We can’t affect how the hacker gets his DNS. We just reject when it gets to your server, so error logs will show them.

    Does that help?

    tim

    Thread Starter jancas

    (@jancas)

    OK, thank you for the fast reply on this.

    I just thought wf would block the IP just like fail2ban and then would prevent the hacker from consuming resources on server.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘blocking IP but not blocking at all’ is closed to new replies.