• Resolved WebBadAss

    (@webbadass)


    I am seeing a rash of brute force or DoS attacks that are happening with no valid logins. Here is the message from Wordfence.

    A user with IP address 154.100.109.37 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘’ to try to sign in.
    User IP: 154.100.109.37

    I would expect this with the ‘admin’ user or a guessed user name but no login name? There is really no way to block it, is there? I got the above message from Wordfence via email and at 2 to 10 emails an hour, with 5 attempts before locking out, that means the server is being hit 10 to 50 times a minute with bogus logins – for the past 18 hours now…

    Any thoughts on how to lock these attacks out better?

Viewing 15 replies - 1 through 15 (of 15 total)
  • Use this in .htaccess to block all access from that IP:

    <Limit GET POST PUT>
    Order Allow,Deny
    Deny from 154.100.109.37
    Allow from all
    </Limit>

    Add more IPs as needed on their own lines

    Use this https://www.ipaddressguide.com/cidr#range to calculate a CIDR range to block all IPs in the 154.100.109.xxx range.

    And/or block whole country IP ranges: https://incredibill.me/htaccess-block-country-ips

    Thread Starter WebBadAss

    (@webbadass)

    Thanks, good thought, I was thinking that too but the attacks are coming from all over the world – 100 to 600 IPs in the last hour alone – no way to keep up – is there a way to reverse that and use it as a whitelist? Hmmm – doubt it…

    Sure, Deny from all and Allow from xxx.xxx.xxx.xxx

    Sounds like you need to talk to your host.

    Thread Starter WebBadAss

    (@webbadass)

    Thanks again songdogtech. Do you really think this is a host issue? I mean – what can they do if it’s coming in from worldwide?

    Won’t denying all prevent all forms from working for any user – not just the login? Have a look around at the site at issue… https://www.preachin.org

    what can they do if it’s coming in from worldwide?

    It could be a DDoS attack on the whole webhost.

    If you only want to protect wp-login.php, use

    <Files wp-login.php>
    Order Allow,Deny
    Allow from all
    Deny from 154.100.109.37
    </Files>

    it’s not on the whole webhost. ??

    I’m seeing exactly the same traffic on one of my sites, but the other sites on the same server (and same IP address) are not being hit. The only difference is that I’m getting over 1,500 block notices a day. But, I do have my sites to block any unknown username on the first attempt.

    From the user agents and the spread of IP addresses (each one is different) it seems like the site is being hit by hacked ADSL routers.

    The only thing that you can do is talk to your host and see if there’s anything that they can do at the firewall level, which is hard as it’s all through different IP addresses. Apart from that you can let it happen, as the hackers will eventually leave when they can’t get into the site after however long. It’s not the best solution, but at this point there’s not much better.
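    An added example, not code from the thread or from Wordfence: it parses a batch of lockout alerts in the wording quoted above and reports whether one source dominates (a per-IP Deny rule in .htaccess is worth writing) or the attempts are spread across many addresses (block lists cannot keep up). The timestamp prefix and the sample IPs are constructed for the example.

```python
import re
from collections import Counter

# Matches the alert wording quoted in the thread. The leading timestamp is an
# assumption (the thread shows only the message body) so events can be bucketed.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) A user with IP address (?P<ip>[\d.]+) has been locked out"
    r".*?Used an invalid username '(?P<user>[^']*)' to try to sign in\.$"
)

# Constructed sample alerts; IPs come from documentation ranges, not the thread.
SAMPLE_ALERTS = "\n".join(
    f"2016-03-01 10:{m:02d}:00 A user with IP address {ip} has been locked out from "
    "the signing in or using the password recovery form for the following reason: "
    f"Used an invalid username '{user}' to try to sign in."
    for m, ip, user in [
        (1, "198.51.100.7", ""), (2, "203.0.113.14", ""), (3, "198.51.100.7", ""),
        (4, "192.0.2.44", "admin"), (5, "203.0.113.99", ""), (6, "198.51.100.23", ""),
    ]
)

def parse_alerts(text):
    """Return (timestamp, ip, username) for every line that matches the alert format."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["ip"], m["user"]))
    return events

def summarize(events):
    """How spread out the sources are, and how many lockouts carried no username."""
    total = len(events)
    ips = Counter(ip for _, ip, _ in events)
    top = ips.most_common(1)[0][1] if ips else 0
    return {
        "total": total,
        "distinct_ips": len(ips),
        "top_ip_share": top / total if total else 0.0,
        "empty_username_share": sum(1 for _, _, u in events if u == "") / total if total else 0.0,
    }

def classify(summary, min_sources=3, max_top_share=0.5):
    """'single-source': a Deny from rule for the top IP helps. 'distributed': the
    login endpoint itself needs rate limiting or a lockdown mode instead."""
    if summary["total"] == 0:
        return "none"
    if summary["distinct_ips"] >= min_sources and summary["top_ip_share"] <= max_top_share:
        return "distributed"
    return "single-source"
```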

    Thread Starter WebBadAss

    (@webbadass)

    Thanks catacaustic – that is the conclusion I kind of came to as well but what I want to know is what the hell is the point of a login attack with no login name? It’s not intense enough to shut the site down. I mean what is the end result? The point? It just seems to create alert emails? Or a distraction for another attack?

    Looking for lax security. Think of it as probing the site to see if they can break in somehow. There are some sites out there that will allow that sort of thing. Not many, but some. That’s what they are looking for. They’re probably also probing for known vulnerabilities, but still it won’t be too much, as they can only fit so much in the hacks that they spread.

    Thread Starter WebBadAss

    (@webbadass)

    They’ve been probing the ‘ ‘ login for 24 hours now and ain’t getting in that way. Which begs the question: is there some way to get in if you DON’T use a user name? And if there is – how many times do you have to try it before you are convinced it’s not gonna work?

    Which begs the question: is there some way to get in if you DON’T use a user name?

    In some insecure systems, yes. But out of the box WordPress won’t allow it, and when you add in security plugins (like WordFence) it blocks it all. Some themes/plugins do have the ability to allow this. it’s all about how much the authors have cared about security.

    How many times do you have to try it before you are convinced it’s not gonna work?

    Just because it’s no username all the time doesn’t mean that everything else is the same. I haven’t looked at the POST values that they are sending along, but I’d say that they are trying various different things to gain some sort of access.

    And in the end, they are doing it from someone else’s hardware and internet connection, so how long it takes is irrelevant as they’re not paying for it anyway, so they’ll let it go for as long as it can just in case it finds something in a few days/weeks.

    what I want to know is what the hell is the point of a login attack with no login name?

    You’re assuming hackers are competent. In my experience, a good percentage of their scripts are horribly broken. (All software starts off broken; it just gets fixed in testing. But hackers have poor testing processes.)

    The hacker is probably sitting in his basement thinking “My script has sent 10,000 different username and password combinations already; it’s going to guess the right one any moment now….”

    Thread Starter WebBadAss

    (@webbadass)

    OK. So now another site on another server is being hit with empty login requests – Does anyone really know what the point of these attacks is? The only thing I can come up with is DoS because, considering they are not using a login name, how could trying multiple passwords possibly help them get in? grrr.

    Thread Starter WebBadAss

    (@webbadass)

    Ok. Sorted. I have had Wordfence installed for a while and been tweaking settings and such to hopefully lock my assailants out, to no avail. And then I remembered – I am an idiot. Dunno how I could have forgotten that… Anyways – I look at the preset levels of security and there is a “HIGHEST LEVEL – site under attack. Lock Down site at the expense of inconveniencing some users”.

    Lo and behold – no more alerts, no more locking out users forever or checking IP ranges to lock out. Boop. Done.

    Thanks for the help y’all!

    Hello, tonight I am having the exact same attack.

    I have Wordfence set up to block any IP that tries logging in 10 times, and in only 5 hours I got email notifications of around 1.700 blocked IPs. All of them with no login name.

    Did you guys just stop receiving these attacks after some time? Or is it still going, but Wordfence stopping them??

    Thanks

    Thread Starter WebBadAss

    (@webbadass)

    rubjm9 – forget trying to tweak Wordfence – that is what I did – instead use the Wordfence preconfigured security levels – change the security level to “Level 4: Lockdown. Protect the site against an attack in progress at the cost of inconveniencing some users” and it will shut them down and stop peppering you with alerts…

    See attached image if you can’t find the option I mean…

    [Image: Level 4 selected screen grab]

  • The topic ‘Login attack with NO user name’ is closed to new replies.