Server question
For the third time in under a week my server has been crashed by someone trying to brute force Shadowslave's password file. Before this week we've always had a couple of attempts per week, but it's never even slowed the server down before.
Sami (from serverprovider.com) says there's nothing in the logs, so there's nothing he can really do. We're running Strongbox and so we have to keep renaming login.cgi to something random for a couple of hours until the hacker wannabe gives up and moves on. However for the couple of hours that login.cgi is renamed nobody can log into the members area. So far my members have been cool about it, but I'm kinda worried if this keeps up I'm going to start getting chargebacks.
Sami's suggestion was to ditch Strongbox and get Proxypass instead. Can I have some opinions/ideas from you brainy folk please?
get the IP and lock it out or firewall it + get a decent script that will lock them out on auto
there is no reason for a good script to be crashing your server
That sort of protection you can do piece of piss without even a script; you can pipe a log through a script, no need for CGI.
mOBSCENE
06-04-06, 01:18 PM
I am not brainy when it comes to servers, but wish you well for getting it sorted and keeping the scummy bastard twats away from your server :)
I'm not a server admin (far from it) but I have a strong technical background - surely if something / someone is hitting your server then the logs HAVE to show it??
Jase
Mattyboy
06-04-06, 01:27 PM
Hey Rosie, I used to use Strongbox and had this exact same problem. The sheer amount of hits to login.cgi just brought my servers (3gig dual Xeons) to their knees and my server loads went sky high when I had a biggish attack.
Ray was helpful and spoke with my server company but a fix wasn't found.
I switched to Proxypass some time ago and things have been perfect (touchwood!). Also, once you've got the initial install done on your server, any new sites you add with a login are all set to go. I.e. you don't need an install for each domain.
Hope that helps :)
mellenig
06-04-06, 01:34 PM
Toomuchmedia (NATS) have brought out a new password management/protection script called Sparta. Not sure what it's like, but what caught my eye was:
"While protecting your website from intruders SPARTA also reduces your server load by using load efficient sessions which allow apache to not require reauthentication of the member on every server request."
I think the price is $50 per month but I'm not 100% sure on that.
I hear ya - however the clever little shit is using proxies, so his IP changes 8-15 times per minute. Bugger all Sami can do about that.
OK sounds like proxypass is my way forward. That or nuking Russia :)
If you have the capability then go for option 2 :devil:
It's easy: pipe a custom Apache log through a Perl script that records the IPs / usernames and counts attempts, then set thresholds like:
if the same IP uses more than 2 different logins, you write a block into .htaccess.
I use a custom Apache log piped to a Perl script for free hosting, and it compares the number of files downloaded and the average request size vs what type of files, i.e. image or HTML.
So if a site has an average request size of, say, over 200kb and less than 1 in 50 files requested is an HTML file, you know it's some kind of download bandwidth-waster site, so you delete it. It runs in realtime.
It might take a few hours, but in the end you would get all his proxies.
Also you might be able to look at what ports stuff is coming in on and other headers to detect and block him.
Have you spoken to Ray about this?
No I didn't want to hassle him as I'm not sure he can do much about it.
Unless he has a spare nuke sitting around :devil:
OK, let me give you some idea of the biggest problem with this idea...
What's an apache? What's a threshold? What's an .htaccess?
You get my drift? I'm technologically incontinent :(
I would speak to him before doing anything.
Is your server managed? If so then just get them to do this for you! It's why you pay a management fee :D
My thoughts exactly.
I guess it's managed - I just have Sami doing anything even vaguely techie to be honest. I don't think I pay any extra to have Sami standing by to put things right when I screw things up *Shrugs*
A DoS or hack attempt attack is not your screw up though!
Well, hit me up if you want me to sort it out; it's not too hard, but basically your problem is that the script you have is a POS if it's doing that to the server.
I actually have several spare nukes sitting around that can be very helpful in situations like this. It's quite possible you won't need any major changes or additional plugin scripts and simply updating Strongbox will take care of your needs, but here's some info on the various options I have available.
On some servers, such as those running RedHat 9 with the default settings, it's simply a matter of adjusting two Apache configuration directives that by default were set VERY badly. These two directives, MaxClients and Timeout, interact in such a way that on a RH9 box simply requesting a page once every two seconds would bring the web server down.
The big weapon of mass cracker destruction does as Spanno suggested and blocks the attacking IPs at the firewall level. It does this automatically based on the IPs detected as attackers by Strongbox. This is extremely effective at significantly reducing load during an attack. To do anything with the firewall does require root access, though, so that's only an option if you have a dedicated server.
Spanno also mentioned blocking in .htaccess using a script that adds IPs automatically. I have a script for that too which plugs into Strongbox. It's much more efficient with Strongbox than with any other system because you only have to put the .htaccess on the Strongbox script directory rather than on the whole members' directory.
There are also tweaks that can be done to the settings. The first is to make sure you have the Turing Images fully enabled by setting $image_login = 1 in cgi-bin/sblogin/config.pl. That will reduce load during an attack with any version of Strongbox, but I also recently updated the related code to further reduce load, so I can make that update for you.
Also, there is fine tuning that can be done to balance various priorities depending on how many sites are on the server, how busy your sales pages are, etc. Some sites use free galleries to generate sales or other high traffic sales pages, so it's important to reserve sufficient system resources to run the sales pages no matter what happens with the log in script. On other sites all of the traffic comes pre-screened from affiliates so we can allow the log in process to use more resources to handle an attack since the sales pages don't require significant resources. Similarly, on a shared server with 40 sites on it we can't devote so much of the server resources to one site that it may cause problems for other sites. On the other hand, if there's only one site on the server we can allow it to use all available resources, minus a small amount to keep the server responsive to administrative commands. These are the kinds of things we can tune to put the server's capabilities to work where you need it most and reserve appropriate resources for whatever needs them. Also of course some servers are just more powerful than others. I recently took a 500 MHz Pentium out of service that had 4 GB of disk space and 256 MB of RAM. Our password spider runs on a 2.8 GHz system with a 250 GB RAID array and a GB of RAM. The spider machine is about 10 times as powerful as the other, so in a demanding application we would tune Strongbox differently on the two boxes.
Shoot me an email if you would with any relevant info you can think of - especially access information and any records of the problems you had such as "top" output, etc. Sometimes when you look at what's going on it can be a bit deceiving if you aren't experienced at decoding the real meaning of what you're seeing, so it's very helpful if I can look at the information myself. An example is that there will often be a lot of copies of login.cgi "running" during an attack, but if you look closer you'll see that they aren't actually "running" at all, they are in fact SLEEPING, simply tying up the attacker's connection without using any significant system resources whatsoever.
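The log-piping idea that Spanno sketches (a custom Apache log fed to a script that counts attempts per IP and writes blocks into .htaccess) is the same mechanism Ray describes for his .htaccess plugin, with the deny list kept in the login script's own directory. As an added illustration that is not part of this thread, not Spanno's Perl script and not Strongbox's plugin, here is that approach in Python rather than Perl. It assumes a log format whose auth-user field (%u) carries the username that was presented and that a 401 status marks a failed attempt; the CustomLog command line, the .htaccess path and the sample log lines are all constructed, and only the "more than 2 different logins from one IP" threshold comes from the thread.

```python
#!/usr/bin/env python3
"""Log-piped brute-force blocker (added example; not Spanno's Perl script and
not Strongbox's plugin). Apache can hand its log to a long-running process:
    CustomLog "|/usr/local/bin/login_blocker.py /var/www/cgi-bin/sblogin/.htaccess" common
(both paths hypothetical). Assumptions: the auth-user field (%u) carries the
username that was presented, and a 401 status marks a failed attempt."""
import re
import sys
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

# "More than 2 different logins from one IP" is the thread's rule; the per-IP
# failure cap and the several-IPs-per-username rule are added assumptions.
MAX_USERS_PER_IP = 2
MAX_FAILURES_PER_IP = 5
MIN_IPS_PER_TARGETED_USER = 2

# Constructed sample log, not real traffic: one IP trying three usernames, one
# IP hammering "alice", and one member who mistyped once and then got in.
SAMPLE_LOG = """\
203.0.113.5 - alice [06/Jun/2006:13:18:01 +0000] "GET /members/ HTTP/1.0" 401 381
203.0.113.5 - bob [06/Jun/2006:13:18:02 +0000] "GET /members/ HTTP/1.0" 401 381
203.0.113.5 - carol [06/Jun/2006:13:18:02 +0000] "GET /members/ HTTP/1.0" 401 381
198.51.100.7 - dave [06/Jun/2006:13:18:03 +0000] "GET /members/ HTTP/1.0" 401 381
198.51.100.7 - dave [06/Jun/2006:13:18:05 +0000] "GET /members/ HTTP/1.0" 200 5120
192.0.2.9 - alice [06/Jun/2006:13:18:06 +0000] "GET /members/ HTTP/1.0" 401 381
192.0.2.9 - alice [06/Jun/2006:13:18:06 +0000] "GET /members/ HTTP/1.0" 401 381
192.0.2.9 - alice [06/Jun/2006:13:18:07 +0000] "GET /members/ HTTP/1.0" 401 381
192.0.2.9 - alice [06/Jun/2006:13:18:07 +0000] "GET /members/ HTTP/1.0" 401 381
192.0.2.9 - alice [06/Jun/2006:13:18:08 +0000] "GET /members/ HTTP/1.0" 401 381
"""


def parse_line(line):
    """Return ip/user/status from one common-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "user": m.group("user"), "status": int(m.group("status"))}


class Tracker:
    """Incremental counters, so the script can sit on a live CustomLog pipe."""

    def __init__(self, max_users=MAX_USERS_PER_IP, max_failures=MAX_FAILURES_PER_IP,
                 min_ips=MIN_IPS_PER_TARGETED_USER):
        self.max_users, self.max_failures, self.min_ips = max_users, max_failures, min_ips
        self.users_by_ip = defaultdict(set)
        self.failures_by_ip = defaultdict(int)
        self.ips_by_failed_user = defaultdict(set)
        self.blocked = set()

    def feed(self, line):
        """Consume one log line; return the IP if this line pushed it over a threshold."""
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":   # no username presented: not a login attempt
            return None
        ip, user = rec["ip"], rec["user"]
        self.users_by_ip[ip].add(user)
        if rec["status"] == 401:
            self.failures_by_ip[ip] += 1
            self.ips_by_failed_user[user].add(ip)
        over = (len(self.users_by_ip[ip]) > self.max_users
                or self.failures_by_ip[ip] >= self.max_failures)
        if over and ip not in self.blocked:
            self.blocked.add(ip)
            return ip
        return None

    def targeted_users(self):
        """Usernames drawing failures from several IPs: the signal that survives proxy rotation."""
        return sorted(u for u, ips in self.ips_by_failed_user.items() if len(ips) >= self.min_ips)


def analyze(lines, **thresholds):
    """Batch helper: (IPs to block, usernames under attack), both sorted."""
    t = Tracker(**thresholds)
    for line in lines:
        t.feed(line)
    return sorted(t.blocked), t.targeted_users()


def htaccess_block(ips):
    """Render a mod_access deny list (Apache 1.3/2.2 syntax) for the login script's directory."""
    lines = ["# generated by login_blocker.py", "Order allow,deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in ips]
    return "\n".join(lines) + "\n"


def main(htaccess_path):
    """Pipe mode: rewrite the deny list each time a new address is caught."""
    t = Tracker()
    for line in sys.stdin:
        if t.feed(line):
            with open(htaccess_path, "w") as fh:
                fh.write(htaccess_block(sorted(t.blocked)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:
        blocked, targeted = analyze(SAMPLE_LOG.splitlines())
        print(htaccess_block(blocked))
        print("usernames failing from several IPs:", targeted)
```

Run without arguments it prints the deny list for the constructed sample (two of the three addresses get blocked) and reports that "alice" is being tried from more than one IP. That second list is what matters when the attacker rotates proxies every few seconds: each address may stay under its own threshold, but the username being hammered does not, so it can drive a per-account lockout or a Turing image rather than an IP block. The `Deny from` syntax is Apache 1.3/2.2 mod_access; on Apache 2.4 the equivalent is `Require not ip` inside a `<RequireAll>` block. The counters here never expire, so a production version would keep a sliding time window and prune old entries.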
Thank you Ray - I've asked Sami from Serverprovider to come look at this thread coz frankly it's all Greek to me - I really need to learn how bloody webservers work as I haven't a clue.
As far as I'm concerned webservers are magical creatures being taken care of by an army of pixies. So I've asked the chief pixie to come and translate it into moron speak for me :)
Ok, Rosie, I'll be looking forward to hearing from you or Sami.
Here's the simplified executive summary of all that I've said:
I've looked at the kinds of things you're having trouble with and come up with good solutions.
With these solutions, some of the world's busiest adult sites are using Strongbox without a problem.
I'll look at your settings and it may just be a setting on your server that's not set very well.
If it's not just a settings issue, Sami and I can probably do the firewall solution and you won't have any more problems.
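Ray's two posts turn on one mechanism: a connection that never finishes its request, or a login.cgi child left sleeping, holds one Apache child for up to Timeout seconds, and once MaxClients children are held nothing else on the server gets served, sales pages included. The toy model below is added here to make that interaction concrete; it is not Ray's code and not Apache. It assumes the values Timeout 300 / MaxClients 150 (the classic Apache 1.3/2.0 prefork defaults) are what his RedHat 9 example refers to, uses a constructed attack of one held connection per second, and adds a hypothetical `login_cap` knob to stand in for the resource-reservation tuning he describes (it is not an Apache directive).

```python
"""Toy prefork pool model for the MaxClients/Timeout interaction (added example,
not Ray's code). Each connection that never completes its request, and each
login.cgi child left sleeping, holds one Apache child for up to Timeout seconds.
Timeout 300 / MaxClients 150 are the classic Apache 1.3/2.0 prefork defaults and
are assumed here to be what the RedHat 9 example in the thread refers to."""
import heapq


def saturating_rate(max_clients, timeout):
    """Requests per second that keep every child busy when each holds a slot for Timeout."""
    return max_clients / timeout


def simulate(max_clients, timeout, attack_rps, legit_rps,
             login_cap=None, legit_hold=0.2, duration=600):
    """Deterministic event model of one prefork pool.

    Attack connections arrive at attack_rps and hold a child for `timeout` s;
    ordinary page requests arrive at legit_rps, offset by half a period, and
    hold one for legit_hold s. login_cap models the kind of tuning the thread
    talks about: at most that many children may be busy with the login script,
    leaving the rest for sales pages (hypothetical knob, not an Apache directive).
    Returns (peak busy children, legit requests that found no free child)."""
    login_cap = max_clients if login_cap is None else login_cap
    arrivals = [(i / attack_rps, timeout, False) for i in range(int(attack_rps * duration))]
    arrivals += [((i + 0.5) / legit_rps, legit_hold, True) for i in range(int(legit_rps * duration))]
    arrivals.sort()
    busy = []          # min-heap of (release time, is_legit)
    login_busy = 0
    peak = stalled = 0
    for now, hold, is_legit in arrivals:
        while busy and busy[0][0] <= now:       # free children whose work finished
            _, was_legit = heapq.heappop(busy)
            login_busy -= not was_legit
        if len(busy) >= max_clients or (not is_legit and login_busy >= login_cap):
            stalled += is_legit                   # only count what a paying member sees
            continue
        heapq.heappush(busy, (now + hold, is_legit))
        login_busy += not is_legit
        peak = max(peak, len(busy))
    return peak, stalled


def compare(attack_rps=1.0, legit_rps=1.0):
    """Three configurations under the same constructed attack."""
    return {
        "RH9 defaults (Timeout 300, MaxClients 150)": simulate(150, 300, attack_rps, legit_rps),
        "Timeout 30": simulate(150, 30, attack_rps, legit_rps),
        "Timeout 300, login capped at 100 children": simulate(150, 300, attack_rps, legit_rps, login_cap=100),
    }


if __name__ == "__main__":
    print("one request every %.0f s fills the default pool" % (1 / saturating_rate(150, 300)))
    for name, (peak, stalled) in compare().items():
        print("%-45s peak busy %3d, member requests stalled %d" % (name, peak, stalled))
```

`saturating_rate(150, 300)` comes out at 0.5 requests per second, which is the "once every two seconds" figure in Ray's post: at that rate each held connection is replaced just as the previous one times out, so the pool never drains. With the defaults the simulation pins all 150 children and every member request after the first few minutes finds no free child, while dropping Timeout to 30 keeps the same attack to about 30 busy children, and capping the login script's share leaves free children for sales pages even when Timeout is left alone. That last case is a model of the priority balancing Ray describes, not a setting you can type into httpd.conf; the real levers are Timeout, MaxClients and, as he says, blocking the source addresses before they reach Apache at all.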
Shandy McAndy
06-06-06, 09:38 PM
Exactly. Your host should be able to sort this, there are definite ways to solve this. You pay for managed servers, let them start managing :)
FYI I got her taken care of later that day.
I haven't heard anything back regarding the firewall plugin, which is the one thing which requires the host's cooperation or the root password, but she should be pretty well covered with the other stuff that I did.
I was very confident that you could sort the problem there and that's why I advised her to contact you before doing anything drastic. :)
Ray did indeed sort me out - and Ray I promise I'll answer your mail first thing in the morning. You're a star :)
jaxkukmo
06-08-06, 05:19 AM
For those of you on dedicated servers with root access and are comfortable implementing a firewall/IP blocking solution...
I found the combination of APF Firewall and BFD (Brute Force Detection) solved the problem for me in relation to this problem. Both of these can be found at : http://www.rfxnetworks.com/proj.php
Highly recommended.
HTH,
Jax.