I am not an information security professional as such. I am a self-taught web developer so I hope this question is not too basic.

I have set up a web store via WordPress using WooCommerce and because of this, I have also set up some security (iThemes Security) to monitor login attempts etc. iThemes Security has highlighted a few attempts over the last 2 months which have been thwarted due to either strong passwords or the fact that "admin" is banned as a username.

Running whois searches on the RIPE whois database, the IP addresses of the "attackers" came up with FOP Tokarchuk Oleksandr Stepanovich in Ukraine (abuse@fregat.net) and World Hosting Farm LTD in Ireland (abuse@worldhostingfarm.com).

FOP Tokarchuk Oleksandr Stepanovich in Ukraine:
There were 11 brute-force attempts 2 months ago (invalid logins) and 3 brute-force attempts today trying to use "admin" as the username.

World Hosting Farm LTD in Ireland:
There were 6 brute-force attempts 3 weeks ago.

The store is not live yet as the stock database is being built at the moment so no information on customers would have been in jeopardy. Each attempt has resulted in 2 hour lockouts for the relevant IP addresses, and emails were sent to me from the website telling me that they were locked out. I have then converted their lockouts to full bans so theoretically no more attempts can be made through those IP addresses. Hopefully I am right on this.

What I am wondering is whether I should contact the relevant responsible organisations via the abuse@ email addresses?

If so, should I send a full copy of the logs relevant to the attempts or snippets of the logs relevant to the IP address and the times of the attempts?

Qsigma
Chris Rogers
  • My guess is that you are talking about fully automated attack attempts. This kind of unwanted traffic is unfortunately normal today and you'll see more of this in the future, and maybe there was already more (and different) of it but you did not notice. Given that it seems that no harm was done (i.e. somebody only knocking on the door and moving on, not somebody breaking the door) I don't think that reporting this to someone will actually help. The best thing you could probably do is to harden your system and keep it up-to-date so that attacking you is too hard. – Steffen Ullrich Jun 29 '18 at 16:51
  • Related: https://serverfault.com/questions/244614/is-it-normal-to-get-hundreds-of-break-in-attempts-per-day – John V. Jun 30 '18 at 07:18

1 Answer

Don't waste your time pursuing those guys or litigating. Unless you have a way to prove that you had a sizable financial loss, and you can prove who the user controlling the computer that uses that IP is, you cannot even start litigation.

You can send a mail to abuse@, but don't hold your breath. You are putting an ISP against its client, and the ISP will defend its own client, unless you have a very strong case against the user. And even so, probably the ISP will not move a finger unless you litigate. And if you are not in Ukraine or Ireland, don't think their courts will help you.

On the other hand, blocking the IP for a couple of hours will help immensely. Pairing fail2ban with iptables, and blocking any IP trying to access the admin area or hitting too many HTTP 404 errors, will protect you from most automated scans.

ThoriumBR
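As an added example (not from the answer above and not one of fail2ban's shipped filters), here is a fail2ban filter and jail pair that does what the answer describes: ban an address after repeated failed WordPress logins or a burst of 404s. The log path, thresholds and ban time are assumptions, and the access log is assumed to be in Apache combined format.

```ini
# Added example, not part of the original answer. Paths, maxretry, findtime
# and bantime are assumptions; point logpath at your web server's access log.

# /etc/fail2ban/filter.d/wp-login.conf
[Definition]
# A failed POST to wp-login.php re-renders the login form (HTTP 200), while
# a successful login redirects to wp-admin (HTTP 302), so only the 200
# responses are counted as failures.
failregex = ^<HOST> -.*"POST /wp-login\.php(\?\S*)? HTTP/[\d.]+" 200 (\d+|-)
ignoreregex =

# /etc/fail2ban/filter.d/wp-404-scan.conf
[Definition]
# Any request answered with 404; the jail's maxretry/findtime decide how
# many within what window count as a scan rather than a broken link.
failregex = ^<HOST> -.*"(GET|POST|HEAD) \S+ HTTP/[\d.]+" 404 (\d+|-)
ignoreregex =

# /etc/fail2ban/jail.local (appended)
[wp-login]
enabled   = true
port      = http,https
filter    = wp-login
logpath   = /var/log/apache2/access.log
maxretry  = 5        # failed logins ...
findtime  = 600      # ... within 10 minutes
bantime   = 7200     # 2 hour ban, matching the lockout in the question
banaction = iptables-multiport

[wp-404-scan]
enabled   = true
port      = http,https
filter    = wp-404-scan
logpath   = /var/log/apache2/access.log
maxretry  = 20       # 404s ...
findtime  = 300      # ... within 5 minutes
bantime   = 7200
banaction = iptables-multiport
```

Check a filter against your real log before enabling its jail with `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wp-login.conf`. If the site sits behind a CDN or reverse proxy, the access log must record the real client address, otherwise the jail will ban the proxy instead of the scanner.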