• Resolved Okoth1

    (@okoth1)


    Hi,

    Just got a brute force attack which lasted 5.5 hours. Didn’t get in of course, waste of time.

    I’m now using this in my .htaccess, which caught all the wp-login.php requests before your plugin did.

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Renamed login page: /loginpage sets the "accesss" cookie and redirects to
    # wp-login.php with the secret query string (the flags need a space before "[").
    RewriteRule ^loginpage$ /wp-login.php?hfju7hdjto0jf6hd3 [CO=accesss:666:mydomain.com,R,L]
    # Direct hits on wp-login.php without the secret, without a logout/upgrade
    # action and without the cookie are bounced to 127.0.0.1 (the requester's own host).
    RewriteCond %{QUERY_STRING} !^hfju7hdjto0jf6hd3
    RewriteCond %{QUERY_STRING} !^action=logout
    #RewriteCond %{QUERY_STRING} !^action=rp
    #RewriteCond %{QUERY_STRING} !^action=register
    #RewriteCond %{QUERY_STRING} !^action=postpass
    RewriteCond %{QUERY_STRING} !^step=upgrade_db
    RewriteCond %{HTTP_COOKIE} !^.*accesss=666.*$
    RewriteRule ^wp-login.php$ https://127.0.0.1/ [L,R=301]
    # Standard WordPress front-controller rules
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    So they were all sent to 127.0.0.1 because I renamed the login page as well. Then I was thinking what gives the least server load, the above code or this one?

    # Apache 2.2 access-control syntax (needs mod_access_compat on Apache 2.4,
    # where the native form is "Require ip x.x.x.x"). Everyone but x.x.x.x gets a 403.
    <Files wp-login.php>
    Order Deny,Allow
    Deny from All
    Allow from x.x.x.x
    </Files>

    I actually want to make it in such a way that the requests will end up in the plugin’s firewall log (so the requests are caught by NF), but I’ll get an email that a brute force attack is going on, and maybe also add the last block of code to the .htaccess and remove it automatically after 3 hours or so.

    But if there is no difference in server load I could keep the redirect to 127.0.0.1 as well. Still, I like the idea of getting an email when things are going on (which I am going to add anyway ;))

    https://www.ads-software.com/plugins/ninjafirewall/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Most bots will not follow the 127.0.0.1 redirection. They will check the HTTP code status and, if it matches what they are expecting, they will parse the HTML content of the page or its headers (cookies etc).

    If that is your server, you can enable the ‘Write incident to the server AUTH log’ in the ‘NinjaFirewall > Login Protection’ menu and set up a cronjob to parse your auth.log and to send you an email.
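
    Added example of the cronjob idea above (this is not code from the thread or from the NinjaFirewall project): a script that scans auth.log, flags any IP with a burst of failed logins inside a sliding time window, and composes an alert mail. The log line format below is a constructed stand-in and is an assumption; adjust LOG_PATTERN to whatever the plugin actually writes on your host. Delivery through /usr/sbin/sendmail is likewise an assumption about the server.

```python
"""Cron-driven auth.log scan that mails an alert on a login brute force.

Assumptions (labelled): the syslog-style line format in SAMPLE_LOG and
LOG_PATTERN is a constructed stand-in, not NinjaFirewall's real format, and
/usr/sbin/sendmail is assumed to exist on the host.
"""
import re
import subprocess
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for an offline run; not real NinjaFirewall output.
SAMPLE_LOG = """\
Mar 12 03:14:01 web1 ninjafirewall[2211]: authentication failure for user admin from 203.0.113.7
Mar 12 03:14:02 web1 ninjafirewall[2211]: authentication failure for user admin from 203.0.113.7
Mar 12 03:14:04 web1 ninjafirewall[2211]: authentication failure for user wpuser from 203.0.113.7
Mar 12 03:14:09 web1 ninjafirewall[2211]: authentication failure for user admin from 203.0.113.7
Mar 12 03:14:15 web1 ninjafirewall[2211]: authentication failure for user editor from 203.0.113.7
Mar 12 03:20:40 web1 ninjafirewall[2211]: authentication failure for user admin from 198.51.100.9
Mar 12 03:22:10 web1 sshd[990]: Accepted publickey for deploy from 192.0.2.5 port 51234 ssh2
"""

# Assumed line shape: "<syslog ts> <host> ninjafirewall[pid]: authentication failure for user X from IP"
LOG_PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ninjafirewall\[\d+\]: "
    r"authentication failure for user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def parse_failures(lines, year):
    """Group failed-login timestamps by source IP; unrelated lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_PATTERN.match(line)
        if not m:
            continue  # sshd, cron, etc.
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append(ts)
    return events


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10), year=2024):
    """Return {ip: peak_count} for IPs with >= threshold failures in any window."""
    flagged = {}
    for ip, stamps in parse_failures(lines, year).items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):          # two-pointer sliding window
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_alert(flagged, site="mydomain.com", to="you@example.com"):
    """Compose the message text handed to `sendmail -t`; site/to are placeholders."""
    ranked = sorted(flagged.items(), key=lambda kv: -kv[1])
    body = "\n".join(f"{ip}: {n} failed logins" for ip, n in ranked)
    return f"To: {to}\nSubject: [{site}] brute-force login attempts detected\n\n{body}\n"


def send_alert(message):
    # Assumption: a local MTA is reachable via /usr/sbin/sendmail.
    subprocess.run(["/usr/sbin/sendmail", "-t"], input=message.encode(), check=True)


if __name__ == "__main__":
    # Usage from cron, e.g. every 10 minutes:  python3 authlog_alert.py /var/log/auth.log --mail
    args = [a for a in sys.argv[1:] if a != "--mail"]
    path = args[0] if args else "/var/log/auth.log"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    except FileNotFoundError:
        print(f"{path} not found; using the constructed sample", file=sys.stderr)
        lines = SAMPLE_LOG.splitlines()
    hits = find_bruteforce(lines, year=datetime.now().year)
    if hits:
        msg = build_alert(hits)
        send_alert(msg) if "--mail" in sys.argv else print(msg)
```

    The window logic matters more than the threshold: five failures spread over a day is normal user behaviour, five inside ten minutes from one address is the 5.5-hour pattern described in the first post. If you also want the temporary `<Files>` block from the first post, the same cron run can append it when `find_bruteforce` returns something and a second job can strip it after the chosen expiry.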

    Thread Starter Okoth1

    (@okoth1)

    Hi,

    Thank you for the explanation. But when I see a 301, the bot that I had earlier today was redirected, right?

    Unfortunately this is not my server, but I’ll experiment some more.

    Plugin Author nintechnet

    (@nintechnet)

    The server returned a 301 HTTP status code + the link to the redirection, but that does not mean the bot followed the redirection.
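
    Added example to make the point above concrete (not code from the thread or from NinjaFirewall): a throwaway local HTTP server answers /wp-login.php with the same 301 to https://127.0.0.1/ that the .htaccess in the first post sends, and a client behaves like a typical bot, posting a guess and reading the status. The server still counts exactly one request, and the 301 is what its log records; whether anything follows the Location header is decided on the client side. Host, port and the credential guess are local test assumptions.

```python
"""Show that a logged 301 says nothing about whether the client followed it.

Assumptions (labelled): the server is a local stand-in for Apache, bound to
an ephemeral loopback port; the bot's POST body is a made-up guess.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REDIRECT_TARGET = "https://127.0.0.1/"   # mirrors the RewriteRule in the first post


class LoginRedirector(BaseHTTPRequestHandler):
    hits = []   # one entry per request the server actually received

    def do_GET(self):
        LoginRedirector.hits.append(f"{self.command} {self.path}")
        if self.path.startswith("/wp-login.php"):
            # Same answer Apache gives for "RewriteRule ^wp-login.php$ https://127.0.0.1/ [L,R=301]"
            self.send_response(301)
            self.send_header("Location", REDIRECT_TARGET)
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    do_POST = do_GET   # bots POST credentials; the rule treats both the same

    def log_message(self, *args):
        pass   # keep the demo quiet; the hits list is our access log


def start_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), LoginRedirector)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def bot_attempt(host, port):
    """Mimic a brute-force bot: one POST, read the status, decide what to do.

    Returns (status, location_header, requests_seen_by_server). http.client
    never follows redirects on its own, which is exactly how most bots behave:
    anything other than the 200 they expect means "move on to the next target".
    """
    LoginRedirector.hits.clear()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", "/wp-login.php", body="log=admin&pwd=123456",
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    # A client that chose to follow would now have to open https://127.0.0.1/,
    # i.e. its own machine. This bot does not, and the server never hears from
    # it again, yet the server-side log line for this request already says 301.
    return resp.status, location, len(LoginRedirector.hits)


def demo():
    srv = start_server()
    try:
        return bot_attempt(*srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, location, hits = demo()
    print(f"server answered {status}, Location: {location}, requests seen: {hits}")
```

    The `<Files>` deny variant from the first post would change only the number in the answer (403 instead of 301); it is still one request per guess, and still one log line per guess, so the server-side cost of the two .htaccess approaches is dominated by the request arriving at all, not by which short response Apache sends back.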

    Thread Starter Okoth1

    (@okoth1)

    Thanks, learnt something new today.

  • The topic ‘Difference in server load’ is closed to new replies.