Are malicious CMS website login attempts really what they seem?

OK … You’ve developed a nice CMS website and secured the hell out of it.  Your security watchdog immediately starts reporting bogus attempts to login to the site’s backend from all over the world.  You’re all over these shysters and ramp up your security even tighter in an attempt to lock them out for good. So every time your watchdog detects a login attempt with an invalid username more than 5 times per minute, you block the IP address of the connecting server from  accessing your website for a specified period of time or perhaps ever again.

Thoughts & Findings:

  • Bots are really good at hiding their actual location so the IP address your watchdog is reporting to you could be spoofed, which means you may be blocking legitimate visitors who want to use your products or services from accessing your website.
  • I’ve come to the conclusion that someone trying to login to the backend of my website with a username such is “yachaq” (an example from earlier today) is probably not actually trying to login to my website’s backend so there must be an ulterior reason for their bot to try to guess the password 5 times within a minute but my watchdog has blocked the supposed IP address, which happens to be located in France in this case, for 1 month.
  • It might look more legit if the username they were using was “admin” or “support” or “administrator” but “yachaq” seems to be a totally wasted attempt to me. Or is it? I searched for the word and my search engine results showed yachaq as being a Hindi word meaning “solicitor”, which I suppose could be loosely translated to “administrator” or something of the sort.
  • Having said that, six hours earlier, the same website blocked an IP address from Belgium for trying to login 5 times with the username “debbie”.  One might assume they do this with hopes of hitting a valid username and with hopes that there is no throttle counting password guesses. If you have no throttle, the bot could hammer your website with thousands of password guesses in a couple of minutes. This has several negative ramifications, even if they don’t get in.
  • Every CMS site needs some kind of watchdog to throttle login attempts.

Ulterior Motives & Issues:

  • The hackers may be intentionally trying to get us to block certain IP addresses (or as many as IP addresses as they possibly can get us to block).
  • The hackers may be trying to clog webservers or “the internet” in general with fake traffic
  • The hackers are causing fake hit statistics.  If you do not block them after a certain number of attempts, their bots could push thousands of attempts at your website in minutes, throwing off your hit stats.
  • The hackers could be causing you to block legitimate visitors if they are using the same web server or even the same server cluster.  For example, if they are using a “Web Hosting Provider X” to host their bot and you block the IP address of “Web Hosting Provider X”, or range of IP addresses or the host name, which I often do, you could be blocking legitimate visitors from visiting your site or communicating with you because their mail server could also have the same IP address.
  • Some watchdogs allow you to do “country blocking”. This means any IP address supposedly originating in a county you have blocked will not be able to visit your website. This could be fruitless because a good hacker can spoof their IP address or use server hopping techniques to disguise their location.

What to do?:

  • You tell me. You’re damned if you do, damned if you don’t.
  • One thing you could do is pay for a Premium watchdog and let them manage blocking proactively. The good ones maintain databases with a list of bad actors and block them on the way in.  However, Premium watchdogs are expensive and come with a monthly fee that could double your hosting costs, or more, for a single site.
  • Rather than blocking IP addresses, you can try to establish the hostname.  I’ve found that some hack attempts originate from the same hostname with different IP addresses.  There are online resources out there that will return the hostname to you if you plugin the IP address. https://myip.ms/ for example, but sometimes it does not return a hostname but it will give you the IP address range assigned to the same cluster.

Disclaimer … I am by no means an internet security expert. I do create websites, do my best to protect them, scan them regularly and try to keep them clean. Every morning my inbox is full of reported login attempt messages and IP address blocks sent to me from the watchdogs that I use.

I just decided to post this rant because some of the usernames being used in these login attempts are so ridiculous that they really can’t be trying to login and there must be an ulterior motive.

… and so on