• Resolved aaron1728

    (@aaron1728)


    Getting a ton of
    “Message: User authentication failed: admin”
    from IP addresses with amazonaws.com reverse IP addresses, e.g.:
    ec2-52-14-170-233.us-east-2.compute.amazonaws.com
    ec2-18-219-233-69.us-east-2.compute.amazonaws.com
    ec2-52-202-196-140.compute-1.amazonaws.com
    ec2-52-87-181-93.compute-1.amazonaws.com

    Is there any good reason NOT to block access to the login page to anyone with an amazonaws.com IP address?

    I don’t have an admin account with the name “admin” so someone is clearly just guessing.

Viewing 5 replies - 1 through 5 (of 5 total)
  • yorman

    (@yorman)

    Is there any good reason NOT to block access to the login page to anyone with an amazonaws.com IP address?

    People using a VPN hosted at AWS could have problems accessing your website.

    I would check the access logs and count how many hits your website has from the AWS network (before the attack started) and then decide if blocking that IP range is fine or not. There are also 3rd-party services, like web crawlers, that are hosted there. They may not be able to index your website if you block the entire IP list.

    I don’t have an admin account with the name “admin” so someone is clearly just guessing

    That is understandable. We used to have an option to allow the administrator to block any login attempt using an account that doesn’t exist. The option may still be available in the “Last Logins” page, but it has already been removed from our development repository and — if not released yet — will be gone in the next update of the code.
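
The access-log count suggested in the reply above, as an added example that is not part of the original thread or the plugin's code. It assumes Apache/nginx "combined" log lines and the `prefixes`/`ip_prefix`/`service` layout of AWS's published `ip-ranges.json`; the CIDRs, log lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for AWS's ip-ranges.json (same "prefixes"/"ip_prefix"/
# "service" layout). These CIDRs are illustrative, not the real published list.
SAMPLE_RANGES = {"prefixes": [
    {"ip_prefix": "52.14.0.0/16", "service": "EC2"},
    {"ip_prefix": "18.219.0.0/16", "service": "EC2"},
    {"ip_prefix": "52.202.0.0/16", "service": "EC2"},
]}

# Constructed access-log lines in "combined" format (dates and agents made up).
SAMPLE_LOG = """\
52.14.170.233 - - [10/Mar/2018:04:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
52.14.170.233 - - [10/Mar/2018:04:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
18.219.233.69 - - [10/Mar/2018:04:11:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
52.202.196.140 - - [10/Mar/2018:04:12:40 +0000] "GET /menu/ HTTP/1.1" 200 8840 "-" "ExampleCrawler/1.0"
203.0.113.7 - - [10/Mar/2018:04:13:00 +0000] "GET /menu/ HTTP/1.1" 200 8840 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:04:13:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not a log line
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def load_networks(ranges, service="EC2"):
    """Turn the JSON prefix list into ip_network objects for one service."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in ranges["prefixes"] if p["service"] == service]

def summarize(lines, networks):
    """Count requests by (source, target); unparsable lines are tallied, not dropped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ip = ipaddress.ip_address(m.group(1))
        except (AttributeError, ValueError):  # no match, or a hostname in field 1
            counts[("unparsed", "-")] += 1
            continue
        source = "aws" if any(ip in net for net in networks) else "other"
        path = m.group(3).split("?", 1)[0]  # ignore any query string
        target = "login" if path == "/wp-login.php" else "site"
        counts[(source, target)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG, load_networks(SAMPLE_RANGES)).items()):
        print(key, n)
```

A large `("aws", "login")` count next to a small `("aws", "site")` count means a block on the login page would cost little legitimate traffic; the `("aws", "site")` lines are the ones to inspect by user agent before blocking the whole range.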

    Thread Starter aaron1728

    (@aaron1728)

    Other than the major search engines, why would I want a 3rd party service to crawl my site? If they are using amazonaws.com to obscure their origin, I don’t want them. In fact, I’m not sure I need access by anyone who needs to obscure their origin via VPN.

    In general, I already block every country outside the Anglosphere (English-speaking nations, with 3 or 4 exceptions) because they rarely have legitimate cause to visit my sites. I could block entire continents and not fear losing anything. For instance, why would a Los Angeles pizzeria need visitor traffic from Estonia or Colombia or Rwanda?

    Not all traffic is good or desirable.

    yorman

    (@yorman)

    why would a Los Angeles pizzeria need visitor traffic from […]

    Fair enough, I guess blocking those addresses is fine in this specific case.

    Let me know if I can help with anything else.

    Thread Starter aaron1728

    (@aaron1728)

    So is there a way to block traffic from amazonaws.com?

    yorman

    (@yorman)

    Unfortunately, the plugin doesn’t offer any option or tool to allow you to block HTTP requests coming from a specific source. These features are already implemented in our firewall (which is a paid service); to avoid duplication of code we have opted to leave these features out of the plugin.

    However, you can use Fail2Ban — https://www.fail2ban.org/

    Or a WordPress Firewall plugin (there are some free options out there).

  • The topic ‘Brute force originating from amazonaws.com’ is closed to new replies.