“It was a cold and windy night, but the breeze of ill omen blowing across the ‘net was colder. The regular trickle of login attempts suddenly became a torrent of IP addresses, all trying to break into the back-end of the Joomla site I host. I poured another cup of joe, it was gonna be a long night.”
Tech noir aside, there was something odd going on. I get an email from that web-site each time there is a failed login. The occasional login attempt isn’t surprising, but this was multiple attempts per minute, all from different IP addresses. Looking at the logs, I got the feeling they were pulling usernames and passwords from one of the various database dumps, probably also randomly seeding information from the Whois database on my domain.
Speaking of which, “Whois” is a useful tool for finding information about a domain name or IP address. It’s a digital directory containing the company responsible for the IP or domain, and contact information. I selected a few of the attacking IP addresses and ran the look-up. These IPs were from Digital Ocean (a virtual server hosting company), Google cloud services, an ISP in Thailand, etc. Many of the addresses seemed to belong to servers. Pulling up a few of the IPs in a web browser seemed to confirm that they were primarily Linux machines. The only plausible explanation is that this web site had fallen into the sights of a botnet running on compromised Linux servers.
Botnets have two general operating modes. The most obvious mode is when they attack a site or service to knock it offline. This is usually a Denial of Service (DoS) attack, intended to exhaust bandwidth or other computer resources. There are companies like Cloudflare, who are built around the goal of thwarting such attacks. The other operating mode is that of spreading — infecting more computers. Many botnets are viral in nature, using the existing botnet to try to compromise other machines. I believe this is what I was seeing.
So how do you get out of the cross-hairs and avoid having your box cracked? First, if you wait until you’re being attacked to think about security, it’s already too late. Some basic hygiene goes a long way: keep your OS up to date, keep Joomla/WordPress/etc. up to date, and keep any plugins or extensions updated as well. Hardly a week goes by without a new vulnerability being found, and running old software makes your server low-hanging fruit.
Disabling the default “admin” account makes a huge difference. Running through a public password list against the admin account can be done pretty quickly. Most frameworks allow renaming or replacing the built-in admin account. If you allow SSH logins at all, root login can be disabled. Make an attacker’s life as hard as you can; don’t leave obvious usernames to be attacked.
Terminating the Problem
I had done my best to follow the above guidelines, so I wasn’t too worried about being compromised. The flood of notification emails was still a pain, and there’s always the remote chance an attacker could get lucky with a login guess or a targeted phishing email. I chose a sort of nuclear option: using the web server’s configuration to restrict access to the admin interface. In Apache, within the “VirtualHost” stanza for that website, I added a “Directory” statement pointing at the administrative interface. In that section, a “Require ip” statement allows me to block anyone else from even trying to log in to the site’s administration portal.
The module at work here is “mod_authz_host”, and it will take a network/netmask as well. If you don’t have a static IP, another option would be a VPN. If you use 10.0.1.x addresses, the statement would look like “Require ip 10.0.1.0/24”, ensuring that your protected interface is only available to VPN clients.
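Here is what the full stanza looks like when both options are combined, as an added example that is not from the original post. It assumes Apache 2.4 with mod_authz_host loaded, that the Joomla back-end lives under the default “/administrator” path, and that the hostname, document root and the static address 203.0.113.10 are placeholders to be replaced with your own.

```apache
# Added example (not from the original post): restricting the Joomla
# back-end to known source addresses with mod_authz_host on Apache 2.4.
# ServerName, DocumentRoot and 203.0.113.10 are placeholders.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "/var/www/example.com"

    # The Joomla administrative interface lives under /administrator
    # (assumed default path). Only the sources listed below can even reach
    # the login page; every other client receives 403 Forbidden, so the
    # password-guessing traffic never touches the application.
    <Directory "/var/www/example.com/administrator">
        <RequireAny>
            # A single static address, e.g. your home or office connection.
            Require ip 203.0.113.10
            # ...or the whole VPN client range, in CIDR notation. Drop the
            # line above if you only ever administer the site over the VPN.
            Require ip 10.0.1.0/24
        </RequireAny>
    </Directory>
</VirtualHost>
```

Run “apachectl configtest” before reloading, then check from an address outside the list that you get a 403 instead of the login form. Two caveats: on the older Apache 2.2 line the equivalent is “Order deny,allow” / “Deny from all” / “Allow from …”, and if the site sits behind a reverse proxy or a CDN such as Cloudflare, the address Apache sees is the proxy’s, so mod_remoteip (RemoteIPHeader and RemoteIPTrustedProxy) must be configured first or the rule will either lock everyone out or let everyone through.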
Finding yourself the target of a botnet is never pleasant, but there are at least steps that can be taken to solve the problem, particularly when it’s as simple as trying to guess the admin password of a Joomla website.