5

During the last week, our company website has been under a weird brute-force, this attack actually led to hacking an admin account.

Our website is a wordpress site. The attacker keeps performing POST requests (non-stop 24 hours a day) on the wp-login page (wordpress authentication page). It's not fast though, it's 4 requests each minute and each new 4 requests are made using a different IP and different User agent.

I have installed some security tools and set up rules so that each 3 wrong tries will have the user blocked by the firewall, and made the users password hard to guess.

Is this enough for this kind of attack or is there anything else i should do ?

Badr
  • 51
  • 2
  • 2
    If an attack like that lead to an admin password, in my opinion the used password was poorly chosen. For attacks like this, is why a strong password policy is required. One extra thing you might want to consider is Geo Blocking.In other words block "hostile countries" your company does not do business with anyway. – Jeroen Apr 19 '18 at 10:40
  • 5
    have you considered allowing only certain IPs to access the admin page? white list > blacklist – TheHidden Apr 19 '18 at 10:42
  • 1
    @Jeroen-ITNerdbox indeed, since we had several admins some of them maybe were using a weak password. – Badr Apr 19 '18 at 10:46
  • 1
    @TheHidden You're right, this should be considered too. Thank you. – Badr Apr 19 '18 at 10:46
  • 1
    Take a look at [this](https://security.stackexchange.com/questions/6095/xkcd-936-short-complex-password-or-long-dictionary-passphrase) too – DIDIx13 Apr 19 '18 at 11:56
  • Another thing you could do is in line with what @TheHidden suggested: only allow access to private IP addresses and set up an internal VPN server so you can administer it either locally or remotely. – they Apr 19 '18 at 13:50
  • If you are having issues with weak passwords, you could implement certificate authentication for OpenVPN. – they Apr 19 '18 at 13:57

2 Answers2

4

There are a few things, options, settings etc; that you could set in order to improve application and underlying server hardening. Here are my recommendations on what I believe to be a good balance between easy implementation and effectiveness.

Limiting Connections

The biggest instant impact, that may not cause too much difficult to configure depending on the specific option you go for, would be to limit who can connect to the application.

Black listing is certainly an option but as you have described the attacker is constantly changing IP addresses. I would recommend you do not do this.

A white list would be a better suggestion and allowing only certain IPs to access the application. This would stop the attack in its tracks.

You could combine this with a VPN, this would mean those working from home (with most likely dynamic IPs) could easily connect to the application without having to get someone to give them access.

Secure Passwords

If this slow attack has in anyway resulted in an account being breached, you really need to question your password policy. There are many many references on this site giving password advice, I will not go in depth here.

If your password is worth its salt (haha) this attack shouldn't phase you.

Change the default username

If you can, change the default username from admin, you will throw a lot of people. I mean, first user I always try is admin.

Do Not!

  • Do not disable the account after X tries, you are just asking for a DoS.
  • Do not (or at least avoid) blacklist so many IP addresses, they are probably popular VPN services, which many people use a lot.
TheHidden
  • 4,265
  • 3
  • 21
  • 40
1

You have done two good things already:

  • Enforced good passwords
  • Rate limit on username

But there are more things you can do:

  • Change the URL of the login page, and the default username. Granted, this is security through obscurity, but it can work against lazy attackers.
  • Limit what IP:s can login. You could have a whitelist if you know from where you will access the backend. Or you could block certain countries based on geolocation.
  • Use a CAPTCHA. Sure, they can be bypassed, but it adds more work for the attacker.
  • If blocking accounts after they are targeted starts resulting in problems login in, you can let users bypass the block by clicking a link sent to their email.
  • Use two factor authentication.

Some of these are easy to implement, others are harder. Some limits usability quite a lot (e.g. IP whitelist) and are only feasible if you have a small group of users. None is a silver bullet that will solve the problem forever.

Anders
  • 64,406
  • 24
  • 178
  • 215