• Resolved mezoology

    (@mezoology)


    Hello,
    I got this log yesterday. It says failed logins, but those are not my active times; those usually happened while I sleep, so it is definitely not me.
    https://imgur.com/a/1xuiktR
    Those failed logins happened from a list of countries: USA, UK, France, Singapore, Russia and more.
    They also used a real username of mine (not ‘admin’), and yes, it has admin rights.
    Once I click RUN WHOIS, most of them are the same:

    NetName: CLOUDFLARENET
    NetHandle: NET-172-64-0-0-1
    Parent: NET172 (NET-172-0-0-0-0)
    NetType: Direct Assignment
    OriginAS: AS13335
    Organization: Cloudflare, Inc. (CLOUD14)
    RegDate: 2015-02-25
    Updated: 2017-02-17
    Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
    Ref: https://rdap.arin.net/registry/ip/172.64.0.0

    Should I be worried?

    Please, I need some help.

    Thanks in advance.

Viewing 6 replies - 1 through 6 (of 6 total)
  • WFGerroald

    (@wfgerald)

    Hey @mezoology,

    Thanks for reaching out. I know how alarming it can be to see these attacks, but it’s actually pretty normal. There’s only so much we can do to prevent an attack; it’s more about making sure they aren’t successful, which it looks like they haven’t been.

    I would suggest using Two-Factor and Strong Passwords. With these measures in place, I wouldn’t worry at all about login attempts. Usually, in these types of attacks, they’ll move on after being unsuccessful for an X amount of time.

    Please let me know if you have any other questions.

    Thanks,

    Gerroald

    Thread Starter mezoology

    (@mezoology)

    Greetings Gerroald,

    Thank you for replying, and yes, I have a couple more questions.
    1- How come the attacks are coming from Cloudflare?
    2- How did they manage to get a ‘correct’ admin username?

    Best regards

    WFGerroald

    (@wfgerald)

    Hey @mezoology,

    1) They’ve likely piggy-backed legitimate IPs which happen to be Cloudflare. There is some information on how these types of attacks occur in the article below.

    2) It’s hard to say how they got the username. A plugin or your theme could be linking to it. As a rule of thumb, I consider usernames insecure by default. There are many ways to obtain them. I focus on making sure I have really strong passwords and use two-factor as the basis of my login security.

    Thanks,

    Gerroald

    Thread Starter mezoology

    (@mezoology)

    Thank you for answering, Gerroald, I really appreciated it.
    Yeah, I just activated 2FA and am hoping for the best. By the way, you forgot to link the article.

    Have a good day

    WFGerroald

    (@wfgerald)

    Hey @mezoology,

    Whoops, I sure did forget to add the article.

    https://www.wordfence.com/blog/2017/11/should-permantly-block-ips/

    Although this is primarily about whether or not you should block IPs you see being used in attacks, it mentions that these attackers use many legitimate IPs.

    Please let us know if anything else comes up.

    Thanks,

    Gerroald
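
An added example, not part of the original thread and not Wordfence code: it tallies failed logins per username and marks which source addresses fall inside the Cloudflare block from the WHOIS output above. The log records, the `siteowner` username, the "username exists" field and the /13 prefix length are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: 172.64.0.0/13 is the Cloudflare allocation that starts at the
# address in the WHOIS output; a real check would load the provider's full list.
PROXY_NETS = [ipaddress.ip_network("172.64.0.0/13")]

# Constructed sample records: (timestamp, username, source IP, username exists).
# Non-Cloudflare addresses come from the reserved documentation ranges.
SAMPLE = [
    ("2020-01-01T02:10:04", "siteowner", "172.68.10.21", True),
    ("2020-01-01T02:41:17", "siteowner", "172.69.33.7", True),
    ("2020-01-01T03:05:52", "siteowner", "172.70.1.5", True),
    ("2020-01-01T03:30:09", "siteowner", "203.0.113.9", True),
    ("2020-01-01T04:02:33", "siteowner", "172.68.10.21", True),
    ("2020-01-01T04:15:48", "admin", "198.51.100.4", False),
]

def is_proxy(ip):
    """True when the address sits inside one of the listed proxy networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_NETS)

def summarize(records, min_sources=3):
    """Group failed logins by username and describe where they came from."""
    per_user = defaultdict(lambda: {"attempts": 0, "ips": set(), "exists": False})
    for _ts, user, ip, exists in records:
        entry = per_user[user]
        entry["attempts"] += 1
        entry["ips"].add(ip)
        entry["exists"] = entry["exists"] or exists
    report = {}
    for user, entry in per_user.items():
        report[user] = {
            "attempts": entry["attempts"],
            "distinct_ips": len(entry["ips"]),
            # Addresses owned by the proxy provider, not by an individual client.
            "proxy_ips": sorted(ip for ip in entry["ips"] if is_proxy(ip)),
            # A real account guessed from several sources: per-IP blocking
            # does little here, so strong passwords and 2FA carry the defence.
            "distributed": entry["exists"] and len(entry["ips"]) >= min_sources,
        }
    return report

if __name__ == "__main__":
    for user, row in summarize(SAMPLE).items():
        print(user, row)
```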

    Thread Starter mezoology

    (@mezoology)

    Thank you, Gerroald

  • The topic ‘failed logins’ is closed to new replies.