
Thread: Strongbox Warnings!

  1. #1
    Xstr8guy
    Guest

    Strongbox Warnings!

    What does it mean when you suddenly start getting tons of different Strongbox warning notices? We maybe get 6 a day. But right now we're getting new ones every time I refresh my email.

    The warnings are for different usernames and password combinations.

    HELP!


  2. #2
    You do realize by 'gay' I mean a man who has sex with other men?
    Join Date
    Oct 2003
    Location
    New Orleans, Louisiana.
    Posts
    21,635
    It means someone is trying to access your members area without a working username/password probably using a bruteforce attack.

    Regards,

    Lee


  3. #3
    Xstr8guy
    Guest
    All the warnings are for different IP addresses and usernames. So it doesn't look like it is a small group of individuals.


  4. #4
    You do realize by 'gay' I mean a man who has sex with other men?
    Join Date
    Oct 2003
    Location
    New Orleans, Louisiana.
    Posts
    21,635
    Quote Originally Posted by Xstr8guy View Post
    All the warnings are for different IP addresses and usernames. So it doesn't look like it is a small group of individuals.
    It could be 1 person using thousands of proxies

    Regards,

    Lee


  5. #5
    Xstr8guy
    Guest
    Quote Originally Posted by Lee View Post
    It could be 1 person using thousands of proxies

    Regards,

    Lee
    And a lot of different countries... but many from China.


  6. #6
    Xstr8guy
    Guest
    The attack stopped after a legitimate user/pass was used from Slovakia. That member has NEVER logged in until today according to Strongbox and he lives in the UK.

    How would they actually guess a correct user/pass?


  7. #7
    virgin by request ;) Chilihost's Avatar
    Join Date
    Oct 2003
    Posts
    4,496
    Sounds like someone going thru a list of 'known good' userid/password combinations. Members have a habit of reusing userid/passwords from site to site, and once one gets known it gets added to a list and then the hitbotting via proxies starts.

    I would keep an eye on that one that got thru!


  8. #8
    When it comes to exploring the sea of love, I prefer buoys. SPACE GLIDER's Avatar
    Join Date
    Oct 2006
    Posts
    1,279
    That's some scary stuff. You have to look over your shoulder (and sometimes under desks) every day.


  9. #9
    raymor
    Guest
    Prescript: The last paragraph of this post is important reading for any adult webmaster,
    using Strongbox or not.

    There are two main types of notices you may receive. One type will mention an
    apparent brute force attack in the email. Those indicate that indeed someone
    is probably trying a brute force attack, or to be more technically correct a dictionary
    attack. That's really nothing to worry about most of the time. In the rare case
    where the attacker is able to put enough load on the server to make it noticeably
    slower or the attack goes on for more than a couple of hours you may want to take
    some action. If the attack is not noticeably slowing the server or going on for days,
    just smile and be glad that Strongbox is protecting you.

    If some action IS needed, look at the Strongbox reports, checking to see if just a few IPs
    are responsible for most of the attack. If so, those few IPs can be directly blocked via
    .htaccess or better yet via your firewall. On the other hand if the attempts are fairly
    evenly spread over thousands of IPs, we have some addon scripts you can use to
    help Strongbox more efficiently handle such a huge attack by automatically adding IPs
    to .htaccess or preferably to your firewall in an efficient manner.

    On the other hand, there is another type of email that warns you of compromised
    passwords. If you get many of these with different user names that means many of
    your passwords are compromised. Most likely, the attacker has found some security
    hole in some PHP script you use and used it to download your whole password file.
    Because your password file is using decades old encryption that can be easily cracked,
    the attacker then decrypts all of your passwords and posts them on password sites.
    This can be a real headache. If this has NOT happened to you yet, imagine what it
    would be like if it did and consider upgrading your processor's password management
    script to our improved version with strong encryption. More information on how to prevent
    that and what to do if it has already happened is available on our site:

    http://bettercgi.com/strongbox/passgen/
    http://bettercgi.com/strongbox/passg...adyhacked.html
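
The triage step raymor describes (are a few IPs responsible for most of the attempts, or are they spread over thousands?) can be sketched as follows. This is an added example, not part of the thread and not Strongbox code: the "ip username" report format, the function names and the thresholds are assumptions, and the generated rules assume Apache 2.4 with a `Require valid-user` members area.

```python
from collections import Counter
import ipaddress

# Constructed sample: one failed login per line as "ip username".
# This is NOT Strongbox's report format; adapt the parsing to your export.
SAMPLE_FEW = """\
203.0.113.7 alice
203.0.113.7 bob
203.0.113.7 carol
203.0.113.7 dave
198.51.100.23 erin
198.51.100.23 frank
198.51.100.23 grace
192.0.2.50 heidi
"""

def triage(report, top_n=2, share_threshold=0.7):
    """Return (verdict, top_ips, share_of_attempts_from_top_ips)."""
    ips = []
    for line in report.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            # Normalise and validate so junk never reaches a config file.
            ips.append(str(ipaddress.ip_address(fields[0])))
        except ValueError:
            continue
    if not ips:
        return ("empty", [], 0.0)
    top = Counter(ips).most_common(top_n)
    share = sum(n for _, n in top) / len(ips)
    verdict = "concentrated" if share >= share_threshold else "distributed"
    return (verdict, [ip for ip, _ in top], share)

def htaccess_block(ips, base_rule="Require valid-user"):
    """Build an Apache 2.4 block that keeps the login requirement.

    The existing auth rule goes INSIDE <RequireAll>; a bare
    'Require all granted' here would open the area to everyone else.
    """
    lines = ["<RequireAll>", f"    {base_rule}"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    verdict, top, share = triage(SAMPLE_FEW)
    print(verdict, f"{share:.0%}")
    if verdict == "concentrated":
        print(htaccess_block(top))
```

A "distributed" verdict is the case where per-IP blocking by hand stops being practical and automated or firewall-level handling, as the post suggests, is the better fit.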


  10. #10
    raymor
    Guest
    I forgot to mention I also concur with Luke's assessment. If the emails indicated a brute
    force attack and then just as it stopped you see a suspicious log in I would take a very
    close look at that member. How long have they been a member, according to your
    processor? Does the name, email address, etc. LOOK suspicious? If they look to be OK,
    I might send myself an email or whatever to remind myself to check the Strongbox reports
    a few days later for any suspicious activity under that user name.
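
The pattern discussed in this thread (a run of failed logins across many usernames that ends with a successful login on an account that had never logged in before) can be flagged automatically. This is an added example, not part of the thread and not Strongbox code: the event tuples, names and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

def _t(minute):
    """Timestamp helper for the constructed sample below."""
    return datetime(2024, 1, 1, 12, 0) + timedelta(minutes=minute)

# Constructed events: (timestamp, ip, username, succeeded).
EVENTS = (
    # A regular member who logged in long before the attack.
    [(_t(-600), "192.0.2.10", "longtime", True)]
    # Six failures, each for a different username from a different IP.
    + [(_t(m), f"203.0.113.{m + 1}", f"user{m}", False) for m in range(6)]
    # First-ever success for a dormant account, right after the failures.
    + [(_t(6), "198.51.100.77", "dormant", True)]
    # The regular member logs in again while the attack window is open.
    + [(_t(7), "192.0.2.10", "longtime", True)]
)

def suspicious_successes(events, window=timedelta(minutes=30),
                         min_failures=5, min_users=4):
    """Flag first-time successful logins that directly follow a spray.

    Returns (username, ip, failures_in_window, distinct_usernames_tried).
    """
    events = sorted(events, key=lambda e: e[0])
    seen_ok = set()  # usernames with an earlier successful login
    flagged = []
    for i, (ts, ip, user, ok) in enumerate(events):
        if not ok:
            continue
        recent = [e for e in events[:i]
                  if not e[3] and ts - e[0] <= window]
        tried = {e[2] for e in recent}
        if (user not in seen_ok and len(recent) >= min_failures
                and len(tried) >= min_users):
            flagged.append((user, ip, len(recent), len(tried)))
        seen_ok.add(user)
    return flagged

if __name__ == "__main__":
    for hit in suspicious_successes(EVENTS):
        print("review account:", hit)
```

A flagged account is a candidate for the manual review described above (membership age and details at the processor, follow-up check of later activity), not proof of compromise.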


  11. #11
    Xstr8guy
    Guest
    Quote Originally Posted by raymor View Post
    I forgot to mention I also concur with Luke's assessment. If the emails indicated a brute
    force attack and then just as it stopped you see a suspicious log in I would take a very
    close look at that member. How long have they been a member, according to your
    processor? Does the name, email address, etc. LOOK suspicious? If they look to be OK,
    I might send myself an email or whatever to remind myself to check the Strongbox reports
    a few days later for any suspicious activity under that user name.
    I deleted the user that managed to get in. An hour or two later the attack started again but quit after about another hour. So I think he just finally gave up. But overall, we have recently been receiving more warnings than usual. I guess maybe that's because our site has become more popular.


  12. #12
    You do realize by 'gay' I mean a man who has sex with other men?
    Join Date
    Oct 2003
    Location
    New Orleans, Louisiana.
    Posts
    21,635
    Quote Originally Posted by Xstr8guy View Post
    I guess maybe that's because our site has become more popular.
    Or because you have been removing your content off the blogs that steal it.

    I noticed after I started sending DMCA notices out to various places, rapidshare, blogspot, myspace, etc., that the amount of StrongBox notifications we got increased for a couple of days.

    I'm wondering if that could be what you've seen happening too.

    Regards,

    Lee


  13. #13
    blah blah blah...
    Join Date
    Nov 2003
    Location
    Toronto, ON
    Posts
    670
    Can someone tell me why I NEVER get email warnings? Even though my admin stats indicate login attempts by bad passwords/users? Is there a way to enable this feature?

    I just bought SB last week so just trying to figure it out.

    Thanks

    Allan

    DIXTER.COM
    Dixter.com Affiliate Program
    50/50 Rev Share Program with 5% Webmaster Referrals


  14. #14
    raymor
    Guest
    Quote Originally Posted by GPallan View Post
    Can someone tell me why I NEVER get email warnings? Even though my admin stats indicate login attempts by bad passwords/users? Is there a way to enable this feature?

    I just bought SB last week so just trying to figure it out.

    Thanks

    Allan
    By default Strongbox will email you if a user name or IP is suspended or disabled for
    abuse, or under certain error conditions where something on the server is broken.
    It will NOT by default email you every time someone mistypes their user name or
    password. That happens a lot, so most webmasters don't want to be emailed 100
    times a day because someone made a typo. You CAN set it to email you for
    incorrect user names, incorrect passwords, or 23 other conditions.
    See this page for how:
    http://bettercgi.com/cgi-bin/wiki/wi...ication_Emails


  15. #15
    Xstr8guy
    Guest
    Ray, how can you change the email address where SB sends the notices?

