Admin Account Being Attacked / Hacked

Status
Not open for further replies.

kane1x10

Member
I see in my Joomla site logs that someone is trying hundreds of times every 4 hours to log in as "admin".


User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10221
User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10220
User admin tried to login to admin Users 2 hours ago. Administrator 193.106.31.130 10219

That goes on and on for a couple hundred and then repeats about every 4 hours.

Is there a way to blacklist 193.106.31.130?

It is known to be a hacking site located in Ukraine. https://www.abuseipdb.com/check/193.106.31.130

Anna

Staff member
The IP should now be blocked in our firewall.
 

kane1x10

Member
Wow! Such quick response. Thanks a LOT!!

Looking at the logs, that IP should have tried again in the past half hour based on the past pattern. Looks like it is not getting to "try" to login anymore.
 

kane1x10

Member
Dang. :-( That same IP is back today. It showed back up at 6:50 PM yesterday. Same pattern as before. The blacklist didn't hold.
 

mycoo368

Member
> Dang. :-( That same IP is back today. It showed back up at 6:50 PM yesterday. Same pattern as before. The blacklist didn't hold.

The only thing I miss with cPanel. The IP manual block. Something I could suggest is to use Cloudflare as the security aspect where you can go in and block the IP.
 

spacresx

Community Advocate
Community Support
You can use an .htaccess file to block the IP address.
This is the format that I use:

ErrorDocument 403 http://127.0.0.1
Order Allow,Deny
Allow from All
#
Deny from 193.106.31.130
Deny from 193.106.31.0/24
Deny from 193.106.0.0/16
Deny from 193.0.0.0/8

Just select which "Deny from" you want to use.
I use the "ErrorDocument 403" to localhost the IPs that I block.
That's optional; you don't have to use it.
 

garrettroyce

Community Support
> You can use an .htaccess file to block the IP address.
> This is the format that I use:
> Just select which "Deny from" you want to use.
> I use the "ErrorDocument 403" to localhost the IPs that I block.
> That's optional; you don't have to use it.

Good suggestion. Just a note that the ErrorDocument is not required, but using 127.0.0.1 is pretty funny. The file should go in your public_html folder and is named ".htaccess" (no quotes). The file may already exist, just add your code at the top of the file. IP addresses can be blocked via full IP, partial IP, or IP block.

# denies 1 IP address
Deny from 1.2.3.4
# denies 256 IP addresses 1.2.3.0 to 1.2.3.255
Deny from 1.2.3
# denies 65,536 IP addresses from 1.2.0.0 to 1.2.255.255
Deny from 1.2
# denies 1 IP address 1.2.3.4
Deny from 1.2.3.4/32
# denies 2 IP addresses 1.2.3.4 to 1.2.3.5
Deny from 1.2.3.4/31
# denies 4 IP addresses 1.2.3.4 to 1.2.3.7
Deny from 1.2.3.4/30

Some of the block and partial IP address syntax can be tricky and can end up blocking the wrong people (e.g. "68" or "/0") so be careful. Your x10 administration panel isn't bound by this rule.

Please post if you have any further trouble. Please also note that your .htaccess file may contain sensitive information about your website, so make sure you know what you're posting.
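
Added example (not code from any poster in this thread): a Python check that expands each "Deny from" argument into the address range it covers, so an over-broad rule is caught before it goes into .htaccess. The function names and the 256-address threshold are assumptions made for this illustration; host-name and env= arguments are not handled.

```python
import ipaddress

def deny_range(spec):
    """(first, last, count) of IPv4 addresses matched by one 'Deny from' argument.

    Covers full addresses, CIDR blocks and partial addresses (first 1 to 3
    octets). Host-name and env= arguments are not handled here.
    """
    spec = spec.strip()
    if "/" in spec:
        # strict=False masks host bits, so 1.2.3.4/30 means 1.2.3.4 to 1.2.3.7
        net = ipaddress.ip_network(spec, strict=False)
    else:
        octets = spec.rstrip(".").split(".")
        valid = 1 <= len(octets) <= 4 and all(
            o.isdigit() and int(o) <= 255 for o in octets)
        if not valid:
            raise ValueError(f"not an IPv4 address or prefix: {spec!r}")
        # A partial address matches every address that starts with those octets
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        net = ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return str(net[0]), str(net[-1]), net.num_addresses

def audit(specs, target, max_addresses=256):
    """Report, per spec, whether it covers target and whether it is too broad.

    max_addresses is an assumed review threshold, not an Apache setting.
    """
    target = ipaddress.ip_address(target)
    report = []
    for spec in specs:
        first, last, count = deny_range(spec)
        covers = ipaddress.ip_address(first) <= target <= ipaddress.ip_address(last)
        report.append({"spec": spec, "first": first, "last": last, "count": count,
                       "covers_target": covers, "too_broad": count > max_addresses})
    return report

# Arguments taken from the posts above, plus the "68" and "/0" pitfalls
SPECS = ["193.106.31.130", "193.106.31.0/24", "193.106.0.0/16",
         "193.0.0.0/8", "1.2.3", "1.2", "1.2.3.4/30", "68", "0.0.0.0/0"]

if __name__ == "__main__":
    for row in audit(SPECS, "193.106.31.130"):
        flag = "TOO BROAD" if row["too_broad"] else "ok"
        print(f'{row["spec"]:<16} {row["first"]:<15} {row["last"]:<15} '
              f'{row["count"]:>10}  covers={row["covers_target"]}  {flag}')
```
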
 

kane1x10

Member
Great idea. I had forgotten about the .htaccess file. Blocking at the firewall for this kind of source is probably better. It is nothing but a bad actor.

The address was gone again during daylight yesterday, CST. Then it came back overnight. It's as if the firewall block goes away.

I will try the .htaccess file and see what that does. This is my Administration for Joomla site, so the path is that home, and not my regular site home. I added the deny to both files anyhow.
 

Anna

Staff member
Yeah, I did re-add it to the firewall yesterday, as it had for some reason been removed. I'll investigate to see if there's a better way to do it, so it stays permanently blocked.
 

kane1x10

Member
Nothing since I added the deny in .htaccess. Not sure if that alone did it or if the firewall block is sticking now.
 

garrettroyce

Community Support
Thank you for following up. Please let us know if the issue occurs again.
 