The Ruskies are coming?

When setting up the WordPress software on which this blog runs, I wanted it to be secure, who wouldn’t. I mean nothing can be guaranteed as being 100% secure, but we can certainly do our best to address known weaknesses and harden the installation of WordPress and the underlying web server.

One of many things I did to enhance security was to setup fail2ban on the server. Fail2ban basically can be setup to log failed login attempts to the WordPress admin page if you expose it publicly. If someone is trying to brute force attack your password, and is repeatedly failing because the password isn’t the name of your cat, your mothers maiden name, or your birthday, then it bans their arse. It automatically happens in the background effectively blocking their access to your site for a predetermined time period after a given number of failed attempts.

The guide I followed suggested a 2 hour block or ban after 3 failed attempts at logging in. This sounded reasonable I thought. I initially set it up like this, and kept an eye on both the number and frequency of IP’s attempting to login. Turns out lots of people want into my sites admin page, and I can only assume they probably aren’t interested in what interesting and varied ideas for posts that I have coming up!

Some IP’s would hammer away for hours waiting out the 2 hour ban just to get 3 more attempts. I’d point out that using a randomly generated password of a sufficiently long nature means the chances of guessing the password are probably so minuscule that you’d have more chance of winning the lottery (statistics was never my strong point at University). But guessing 20 odd random characters seems like its up there.

So after seeing the sheer numbers of IP’s trying to gain access to my inner thoughts, I changed it to a 24 hour ban after one failed attempt and kept an eye on it.

This dramatically cut down the number of attempts in any 24 hour period. Maybe getting 4-5 isolated IP’s having a crack at their chance of glory before moving on to easier pickings.

In the last few days of tinkering and keeping an eye on things in the background, I noticed hundreds of IP’s appearing in the logs as being banned. The next day several more hundred again attempted their one chance at glory, many of them repeat offenders.

So who wants my info this badly? I set out to see where these IP’s were from. I mean its no guarantee in this day and age of VPN’s, proxies and so forth that the country of origin is really where this IP is based. But its a good starting point.

I put a few through wolfram, turns out its probably the Russians or Canada based on my unscientific query of a few random IP’s from my list. So I broke out python with the following script to see the country of origin of some of the IP’s.

from ip2geotools.databases.noncommercial import DbIpCity

#small subset of all IP's
ip_list =[
'93.91.113.114',
'94.124.194.20',
'94.159.43.106',
'94.198.216.23',
'94.228.207.145',
'94.228.207.169',
'94.233.241.117',
'94.25.168.83',
'94.25.170.137',
'94.25.170.146',
'94.28.202.97',
'94.74.67.23',
'94.79.7.3',
'94.79.7.7',
'95.107.71.223',
'95.154.73.138',
'95.174.104.62',
'95.174.124.169',
'95.179.14.189',
'95.179.51.76',
'95.28.102.50',
'95.53.247.0',
'95.56.198.130',
'95.57.218.103',
'95.58.160.6',
'95.79.117.218',
'95.79.205.211',
]

for ip in ip_list:
    try:
        response = DbIpCity.get(ip, api_key='free')
        print(response.ip_address + ', ' + response.country)
    except:
        print(ip + ' didn\'t work')
        pass

Turns out its predominantly the Russians, out of ~260 IP’s that had been doing the rounds, 184 were coming back as being Russian, and a good number from other ex Soviet states.

As you can see below for the limited number of IP’s noted above, the Russians are leading by a large margin, with a few Ukrainian and Kazakhstan IP’s, pretty much confirming the Canadians are off the hook confirming my suspicions that they are probably more into Moose than Sheep…

I think that Russians may have a national sheep fetish or something and perhaps they misunderstand the purpose of this blog. I guess they have to do something with their time between elections, who can blame them its cold over there by all accounts.

93.91.113.114 RU
94.124.194.20 RU
94.159.43.106 RU
94.198.216.23 RU
94.228.207.145 RU
94.228.207.169 RU
94.233.241.117 RU
94.25.168.83 RU
94.25.170.137 RU
94.25.170.146 RU
94.28.202.97 RU
94.74.67.23 UA
94.79.7.3 RU
94.79.7.7 RU
95.107.71.223 RU
95.154.73.138 RU
95.174.104.62 RU
95.174.124.169 RU
95.179.14.189 RU
95.179.51.76 RU
95.28.102.50 RU
95.53.247.0 RU
95.56.198.130 KZ
95.57.218.103 KZ
95.58.160.6 KZ
95.79.117.218 RU
95.79.205.211 RU

Now after a few days of this occurring I was getting bored, even if they were not. So I bought down my bigger ban hammer and added all the IP’s I’d collected to a blocklist in my pfSense router using the excellent package pfBlocker. Uploaded the blocklist to Github, so I can get pfSense to fetch it from there making it easy as updating the file on my computer or the web and committing changes to add any further IP’s. No need to even log onto the router and manually update lists.

This drops all the bad IP traffic at the router, slamming the door shut with no response, so my WordPress server sees none of it effectively.

In the time I wrote this article along, 26 attempted logins. They keep attempting to hit the jackpot and trying their luck again. This is days after I implemented the IP blocklist in pfSense. So we’ll see how long they keep it up if they are getting no response back:-

You can download the IP list here if you want to, or simply add it to your own blocklist in pfSense/pfBlocker using a link to the raw formatted list off Github:-

Прощай, мои русские овцы, любящие друзей

Leave a Reply