15
3
The messages are directed toward the WordPress site on my server. These are coming from the access_log, and I don't know if this should worry me or not.
There are well over a hundred lines of the same message spanning over a few seconds each time. If you don't know what I mean, here are the logs:
108.162.216.73 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:49 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:50 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:51 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:52 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:53 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
103.22.200.207 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
108.162.216.73 - - [22/Oct/2014:21:54:54 -0400] "POST /wp-login.php HTTP/1.1" 200 3467 "-" "-"
I just did a count for all instances for these two IP addresses, and it was accessed at least over 100,000 different times, since the 22nd.
I attempted to setup fail2ban but it then made it impossible to access my server. Was able to use safe reboot, but wasn't able to remove it or anything. I googled my issue, and I found that others that were on Centos 7 were having the same problem. Luckily for me, I had nothing on the server so I just reinstalled the OS which took a few min. – travis – 2014-10-26T19:56:31.207
2Ah, that's unfortunate. I haven't had issues with it on my CentOS server. Normally it shouldn't interfere so much. – slhck – 2014-10-26T19:58:43.500
Another thing worth considering is PeerGuardian. – paradroid – 2014-10-27T01:49:48.727
2@travis That's something to be expected when you have password based SSH logins.. You should consider using SSH keys for authentication and disabling the SSH password based login entirely, and it's probably also a good idea to change the default SSH port on your server – Winter – 2014-10-27T03:34:15.600
@Winter +1 for the first part, but changing the SSH port won't really help. It just delays, but if someone really wants to enter the server, it is no real burden. – glglgl – 2014-10-27T07:45:59.880
1@glglgl It's a deterrent. It stops someone from going "I wonder if this is insecure..." - won't stop a directed attack, but will stop a casual hacker. "Somewhere else is easier." – None – 2014-10-27T16:09:37.397