All of you assholes need to stop trying to break into my site

Ralph Smith (@DoMyBooks) put out a tweet this morning about attempted logins on his WordPress site. My curiosity was piqued, because last week I wrote a two-thousand word article about parsing Apache log files. I used my own log file as the template for the article, and one thing that stood out was the high number of WordPress login attempts. There have been one million attempts since November 2014. Separately, over the same period I have extrapolated at least fifty thousand SSH login attempts (after fail2ban).

So let’s look at logs. For lay users: the commands I use are grep, awk and wc:

  • grep searches a text file or input stream for a given string, and outputs its entire line if found.
  • awk splits each line of input into whitespace-separated columns and lets you pick them out. For example, print $1,$2,$3 prints the first three columns of input, each separated by a space.
  • wc -l is a line count of whatever input you give it. Input can be either a text file, or a raw stream generated by other commands.

access.log

A web server is a piece of software that runs on a server. When you request a file from a server, the web server software finds the file and sends it to you. access.log is the Apache web server log file. It logs every single request for a resource on a domain: every picture or page or file requested. First, here are the age and size of the file:

user@caira log $ awk '{print $4,$5}' < <(head -n 1 access.log)
[03/Nov/2014:14:38:26 +0000]
user@caira log $ wc -l < access.log && du -hs access.log
2404608
424M    access.log

The first entry in the file is on November 3, 2014, and the file has 2,404,608 lines as of July 14, 2015. The only thing hosted on the domain bhalash.com is this WordPress blog, so I search the log file for attempts to access the login and registration pages:

user@caira log $ wc -l < <(grep -e 'wp-login\|regist' access.log)
940057

That’s 940,057 login attempts as of this blog post. A raw login attempt looks like this:

198.154.231.202 - - [08/Nov/2014:04:09:01 +0000] "POST /wp-login.php HTTP/1.0" 200 4025 "-" "-"
198.154.231.202 - - [08/Nov/2014:04:09:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4025 "-" "-"
198.154.231.202 - - [08/Nov/2014:04:09:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4025 "-" "-"
198.154.231.202 - - [08/Nov/2014:04:09:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4025 "-" "-"
198.154.231.202 - - [08/Nov/2014:04:09:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4025 "-" "-"

auth.log

Secure shell is a client/server software service that provides secure, encrypted control of a remote computer through a text environment. auth.log is the log file that records login attempts (and actions as a logged-in user) over SSH. Again, I first find the line count and the date of the oldest entry. I have to parse several archived files together because the auth.log file is pruned and compressed on an aggressive schedule:

root@caira log $ zcat auth.log.4.gz | head -n 1 | awk '{ print $1,$2,$3 }'
Jun 14 06:42:23
root@caira log $ wc -l < <({ zcat auth*gz; cat auth.log{,.1}; })
74706

The combined log files have 74,706 entries since June 14, 2015. Again, I look for invalid login attempts, which I present alongside raw entries:

root@caira log $ wc -l < <({ zcat auth*gz; cat auth.log{,.1}; } | grep 'Invalid user')
6692
Jul 14 09:57:29 caira sshd[25195]: reverse mapping checking getaddrinfo for 161.232.226.109.ip.orionnet.ru [109.226.232.161] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 14 09:57:29 caira sshd[25195]: Invalid user tester from 109.226.232.161
Jul 14 09:57:29 caira sshd[25195]: input_userauth_request: invalid user tester [preauth]
Jul 14 09:57:30 caira sshd[25195]: Received disconnect from 109.226.232.161: 11: ok [preauth]
Jul 14 09:59:07 caira sshd[27950]: Invalid user info from 134.213.153.155
Jul 14 09:59:07 caira sshd[27950]: input_userauth_request: invalid user info [preauth]
Jul 14 09:59:07 caira sshd[27950]: Received disconnect from 134.213.153.155: 11: Bye Bye [preauth]

That’s 6,692 failed login attempts over SSH since June 14, 2015, with 52,457 extrapolated attempts since November 2014. Here is how I extrapolated the higher number of login attempts:

  • There are 243 days between November 14, 2014 and July 14, 2015.
  • There are 31 days between June 14, 2015 and July 14, 2015.
  • I assume the number of average attempts per month has been constant over the period since November 2014.
  • 243 / 31 = 7.83870968
  • 6692 * 7.83870968 = 52456.6451786, which rounds to 52,457
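The same three steps as a reusable script, added here as an example and not code from the original post: per-IP counts of WordPress login POSTs in an Apache access.log, per-IP counts of the 'Invalid user' lines in auth.log, and the day-ratio extrapolation above. The sample log lines are constructed (two of the IPs come from the excerpts in this post, the rest are documentation ranges), and the auth.log field layout assumed is the 2015-era one shown above.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarises the two log
# formats the post greps through and reproduces its extrapolation.
# All sample lines below are constructed for this example.

ACCESS_SAMPLE='198.154.231.202 - - [08/Nov/2014:04:09:01 +0000] "POST /wp-login.php HTTP/1.0" 200 4025 "-" "-"
198.154.231.202 - - [08/Nov/2014:04:09:02 +0000] "POST /wp-login.php HTTP/1.0" 200 4025 "-" "-"
203.0.113.7 - - [08/Nov/2014:05:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4025 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Nov/2014:05:10:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [08/Nov/2014:06:00:00 +0000] "GET /2014/11/some-post/ HTTP/1.1" 200 12345 "-" "Mozilla/5.0"'

AUTH_SAMPLE='Jul 14 09:57:29 caira sshd[25195]: Invalid user tester from 109.226.232.161
Jul 14 09:57:29 caira sshd[25195]: input_userauth_request: invalid user tester [preauth]
Jul 14 09:59:07 caira sshd[27950]: Invalid user info from 134.213.153.155
Jul 14 10:02:11 caira sshd[28001]: Invalid user admin from 109.226.232.161'

# Reads an access.log on stdin and prints "count ip", busiest first.
# $1 is the client IP and $6 the quoted request method. Counting only POSTs
# separates a credential submission from a plain view of the login form,
# which the post's grep 'wp-login\|regist' counts as well.
wp_login_attempts_by_ip() {
    grep -e 'wp-login' -e 'regist' \
    | awk '$6 == "\"POST" { n[$1]++ } END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# Reads an auth.log on stdin and prints "count ip", busiest first.
# Only the capitalised 'Invalid user NAME from IP' line is counted: the
# lowercase 'invalid user ... [preauth]' line is the same attempt logged twice.
# In the log format shown in the post the source IP is the last field.
ssh_invalid_users_by_ip() {
    grep 'Invalid user' \
    | awk '{ n[$NF]++ } END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# The post's extrapolation: a count observed over $2 days, scaled to $3 days
# on the assumption of a constant rate, rounded to the nearest whole attempt.
extrapolate() {
    awk -v n="$1" -v observed="$2" -v total="$3" \
        'BEGIN { printf "%d\n", n * total / observed + 0.5 }'
}

printf '%s\n' "$ACCESS_SAMPLE" | wp_login_attempts_by_ip
printf '%s\n' "$AUTH_SAMPLE" | ssh_invalid_users_by_ip
extrapolate 6692 31 243    # prints 52457, the figure in the post
```

Feed it a real log with e.g. `wp_login_attempts_by_ip < access.log` or `zcat auth*gz | ssh_invalid_users_by_ip`; the per-IP breakdown is what tells you whether the million attempts are a few persistent hosts or a broad botnet, which decides whether an IP ban list or a rate limit is the better mitigation.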
