telnett
Posted November 25, 2014

Hello,

I can see bots trying to bruteforce (very slowly) the front office login form:

91.200.12.95 - - [25/Nov/2014:03:22:47 +0200] "POST /login HTTP/1.0" 200 51541 "http://XXXXXXXXXX/login?back=my-account" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
91.200.12.95 - - [25/Nov/2014:04:43:24 +0200] "POST /login HTTP/1.0" 200 51471 "http://XXXXXXXXXX/login?back=my-account" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
91.200.12.95 - - [25/Nov/2014:05:13:35 +0200] "POST /login HTTP/1.0" 200 51473 "http://XXXXXXXXXX/login?back=my-account" "Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.17"
91.200.12.95 - - [25/Nov/2014:09:30:12 +0200] "POST /login HTTP/1.0" 200 51605 "http://XXXXXXXXXX/login?back=my-account" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 YaBrowser/14.7.1916.15705 Safari/537.36"
91.200.12.95 - - [25/Nov/2014:11:39:24 +0200] "POST /login HTTP/1.0" 200 51581 "http://XXXXXXXXXX/login?back=my-account" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36 OPR/23.0.1522.77"

It's a bot for sure because I know my clients and that's not one of them. Also, you should notice the user agent rotation on the log excerpt.

Do you have similar activity on your apache logs? Do we have any cure for that?

telnett (Author)
Posted November 26, 2014

Anyone else cares about safety? No? Ok....

El Patron
Posted November 26, 2014

> On 11/26/2014 at 3:35 PM, telnett said:
> Anyone else cares about safety? No? Ok....

That's not very helpful... let's keep it positive.

You can ban IP from hosting? If not, there are modules that will allow you to ban by IP...

telnett (Author)
Posted November 26, 2014

Yes, it's my own private server so I can ban the IP but it is useless to chase them since it's nearly never the same IP twice.

I'm trying to come up with a method to detect such bots automatically. Looks like they are not loading any images. They only have very few interactions:

Index page -> POST something to login form? -> gone

No image requests recorded. Looks like one way to distinguish them.

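The heuristic described in the thread so far (a client that POSTs to /login without ever requesting an image or other asset, and that rotates user agents from one IP), run over Apache combined-format log lines. This is an added example, not code from any poster; the function name `find_login_bots`, the asset extension list and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Assumed list of static asset extensions a real browser would normally fetch.
ASSET_RE = re.compile(r'\.(?:png|jpe?g|gif|ico|css|js)(?:\?|$)', re.IGNORECASE)

def find_login_bots(lines, login_path="/login"):
    """Return {ip: reasons} for clients that POST to login_path but never fetch assets."""
    stats = defaultdict(lambda: {"posts": 0, "assets": 0, "agents": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["agents"].add(m["agent"])
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == login_path:
            s["posts"] += 1
        elif ASSET_RE.search(m["path"]):
            s["assets"] += 1
    flagged = {}
    for ip, s in stats.items():
        if s["posts"] and not s["assets"]:
            reasons = ["login POST without asset requests"]
            if len(s["agents"]) > 1:  # user agent rotation from a single address
                reasons.append("%d user agents from one IP" % len(s["agents"]))
            flagged[ip] = reasons
    return flagged

# Constructed sample log (documentation-range addresses), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2014:03:22:47 +0200] "POST /login HTTP/1.0" 200 51541 "http://shop.example/login?back=my-account" "Mozilla/5.0 (Windows NT 6.1) Chrome/36.0"
203.0.113.7 - - [25/Nov/2014:04:43:24 +0200] "POST /login HTTP/1.0" 200 51471 "http://shop.example/login?back=my-account" "Opera/9.80 (Windows NT 5.1) Presto/2.12.388"
198.51.100.20 - - [25/Nov/2014:10:01:02 +0200] "GET /login HTTP/1.1" 200 51500 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
198.51.100.20 - - [25/Nov/2014:10:01:03 +0200] "GET /img/logo.jpg HTTP/1.1" 200 4211 "http://shop.example/login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
198.51.100.20 - - [25/Nov/2014:10:01:20 +0200] "POST /login HTTP/1.1" 302 0 "http://shop.example/login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
""".splitlines()

if __name__ == "__main__":
    for ip, reasons in find_login_bots(SAMPLE_LOG).items():
        print(ip, "; ".join(reasons))
```

A returning customer whose browser has the shop's assets cached can also log in without fetching images, so a flag from this check is better fed into rate limiting or a captcha challenge than into an outright ban.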
El Patron
Posted November 26, 2014

In your screenshot it shows all the same IP address... probably best to find some captcha module, free or paid...

Too bad we can't take one of the people behind these bots, and put them on a chain gang and clean our highways.

Eolia
Posted November 26, 2014

Or a hidden field named "email2" that must be left blank. Bots are stupid and fill all inputs.

So you verify if this field is empty; if not, it's a bot and go! Redirect to his IP

telnett (Author)
Posted November 27, 2014

Thank you for your input on this. The thing is that I don't think that their goal is to log in as a user. What I believe they are doing is trying out some nasty exploit. That is what these bots usually do. It might be some remote file inclusion or MySQL query execution and that is what scares me most.

4saleusa
Posted February 19, 2016

I got the same problem every day, anybody found any solution?