Solved

Suspicious attempts to log in to website

Posted on 2014-07-17
Last Modified: 2014-10-12
Hi, I'm running a county government website using the DNN CMS (actually several websites).
The website only allows login for a few administrators to update their content.

I noticed, starting yesterday, that every hour or so there is a failed attempt to log in to the site. Each attempt uses a different username and comes from a different IP address. I've done a "Who Is" on the IP addresses and they seem to come from various locations. One of the locations is:

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam

And there are others as well.

Any idea how I should deal with this to protect the site?

Thanks

Tom
Question by: tommelkonian
13 Comments

LVL 58

Expert Comment

by:Gary
ID: 40203573
Make sure everyone is using very strong passwords and no obvious usernames to boot, like admin.
This happens to many many websites and isn't something you can really stop.
It does help to make sure any login pages are not easily accessible if it is possible like links from the main website.
LVL 52

Accepted Solution

by: Scott Fell, EE MVE (earned 500 total points)
ID: 40203832
I have had a client's DNN site attacked because of a bad plug in.  After I tracked it down, it was so blatantly easy to google for this being used on the site, then send something to the url and bam, a pirate skull is now on the home page.

1) Make sure you have nightly back ups to your db.

2) There are services that will offer continuous back ups and if you tend to update your db a lot, this is a good choice.  

3) Make sure all plug ins are up to date.  

4) Research all plug ins.  When was the last time it was updated?  Google, "my_plug_in_name my site was hacked" or "my_plug_in_name hacked" or something similar.   Some plug ins are written by people that just figured something out on their own, got it to work visually, but didn't really understand the implications of what they are doing.  I do think this area is your weakest link.

5) As Gary pointed out, you would be surprised about people and easy passwords.   The problem is, we don't think like the bad guys, we think like us and therefore the password we think would be hard to crack is actually very easy.   http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

6) Don't put your admin area in an "admin" folder.   Just for fun, look at your logs and notice how many hits you have to "wp-admin" even though you don't have that folder.  Put your admin files in a folder that is not a common name.

7) Don't put a link to your admin login anywhere on the public facing site.  This means people will have to know or bookmark your admin area.

8) Make sure DNN is up to date.  I would suggest updating your test site with something new before updating your live site.
LVL 53

Expert Comment

by:COBOLdinosaur
ID: 40205181
RIPE is not the one trying to crack your login.  They are the registry for Europe, Africa and the Middle East.  However, the standards on servers running through RIPE are very loose and they have open proxies all over the zones they serve.  These unsecured servers are used by hackers to mask their actual location.  You may be the target of a single hacker using many different proxies, or a group of hackers working on a co-ordinated attack.

Your chances of tracking down the hacker are just about nil, and blocking the IPs will be little more than an inconvenience for them.  Your best defense is the information that others have already given you.  The only thing I would add is that you should consider enforcing strong password policies that require users to change passwords every 30 days and require passwords that are a minimum of 12 characters and include upper and lower case letters, numbers and symbols.

Cd&

Author Comment

by:tommelkonian
ID: 40205577
Thanks for the info. I'm going to go through and address all these things (not many plug ins on our site). We do have regular backups of the database and code base.  Turns out DNN has a Login IP Filter which can allow or deny logins based on IP address. So I'm going to attempt to only allow logins from users within our network, which should be a good start.

Thanks again

Tom

Author Comment

by:tommelkonian
ID: 40209874
Looking into the Login IP Filtering in DNN, for the purpose of restricting logins to our website only to people on our network. It would work by setting up a rule to only allow logins from a given IP address range. Not sure whether this is going to work for us. Are there ways to accomplish this kind of login IP address filtering in IIS 7?

Thanks

Tom
LVL 4

Expert Comment

by:FrankCrast
ID: 40211628
Have you considered adding a two-factor authentication (2FA) solution for your website? This would especially add value for administrative access to sensitive sites, where admins would be required to present a one-time password (OTP) via soft token, hard token or smart phone.

This single control can help prevent many unauthorized logins to sensitive sites and is a necessity for remote access as well (e.g., telecommuters or folks traveling that need to login remotely to your network).

Although I'm not familiar with your setup, some cloud providers (like Amazon AWS) offer free versions of 2FA (e.g., Google Authenticator) and also you can restrict access to specific ports via firewall rules (e.g., RDP access). This may be more difficult to do for HTTP/HTTPS access if you still require access to other pages for non-admins.

2FA could be considered in addition to recommendations previously provided (e.g., monitoring, restricting access by IP, hiding/removing admin login portal access from public access, etc.).

I found a few articles that may help for restricting access via IIS7:
http://technet.microsoft.com/en-us/library/cc730889(v=ws.10).aspx
http://forums.iis.net/t/1153158.aspx?How+to+restrict+a+IIS7+web+site+to+a+specific+range+of+IP+address+

Hope this helps.

Author Comment

by:tommelkonian
ID: 40220086
Thanks Frank.
Not sure if 2FA is exactly what I need but will look into it. Might work specifically for our admin logins (which are the most sensitive).
I have looked at the IIS7 request filtering (thanks for the links). I still don't see how I can restrict access to just the admin area (or perhaps the login page itself) to all but a specified IP Address range.
I haven't figured out how to achieve this in IIS7, or by using the 'Login IP Filter' provided by DNN (still waiting for replies on DNN's forum about this feature).
It is a public website, so I do need to keep the public pages open to all users. So I can't restrict the entire site. I need to just restrict login page/ admin area.

Thanks again, any other information is welcome.

Tom
LVL 32

Expert Comment

by:Big Monty
ID: 40220117
Have you considered using URL Rewrite to do this? It'll allow you to set IP restrictions:

https://docs.gosecureauth.com/display/docs/URL+Rewrite+-+IP+Restrictions
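One way to scope an IP restriction to just the login path in IIS 7, using the IP and Domain Restrictions module behind the TechNet link FrankCrast posted rather than URL Rewrite, so the public pages stay open while only the login URL is limited to the internal network. This is an added example, not from anyone in the thread; the path `Login` (DNN's default login page), the 192.0.2.0/24 range standing in for the county's network, and the deny-by-default setting are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config fragment (not from the thread).
     Requires the "IP and Domain Restrictions" role service on the IIS 7 server,
     and the ipSecurity section unlocked for site-level web.config, e.g.:
       appcmd unlock config -section:system.webServer/security/ipSecurity
     The <location> element scopes the rule to one URL path, so the rest of
     the public site is unaffected. -->
<configuration>
  <!-- Only requests whose URL starts with /Login are affected.
       "Login" is DNN's default login tab; adjust if the site renamed it (assumption). -->
  <location path="Login">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": any client not explicitly allowed below is
             refused with HTTP 403.6 (IP address rejected). -->
        <ipSecurity allowUnlisted="false">
          <!-- Constructed example range standing in for the county network;
               192.0.2.0/24 is the RFC 5737 documentation block. -->
          <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Test from an address outside the allowed range and confirm the public pages still load while /Login returns 403; if DNN also exposes the login control through a query string such as Default.aspx?ctl=Login, that URL is not covered by a path-based rule and needs its own restriction or a URL Rewrite condition.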

Author Comment

by:tommelkonian
ID: 40220195
Thanks. I still don't see how to restrict only the admin area and login page of the website in URL Rewrite. But I'll check into it.

Tom
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 40221023
You might want to try and use Active Directory for logins.

https://dnnauthad.codeplex.com/documentation

Author Comment

by:tommelkonian
ID: 40227477
Thanks for that suggestion (Active Directory). But it appears that method works for an intranet, would it work for a public (internet) website?
LVL 1

Expert Comment

by:Richard Francis
ID: 40337692
You could potentially also use a .htaccess file to restrict access to the log in folders.

Author Closing Comment

by:tommelkonian
ID: 40375808
Thanks for all the info.