In early March 2013 we started seeing a huge increase in brute force attacks, particularly against WordPress-driven websites. In the days and weeks to come, organizations all over the world started noticing and reporting this as well. For example, by mid-April the US-CERT (Computer Emergency Readiness Team) had written about it.
You may recall emails from us warning WordPress users to install security plugins to combat the abuse. Some folks did and it helped, some folks did and it caused other problems, and some folks didn't do anything. We quickly realized that we had to do something globally to combat the problem, and began developing an abuse detection system.
This system scans updated Apache log files every 5 minutes, looking for patterns of abuse: requests hitting WordPress' wp-login.php or Joomla's administrator/index.php URLs (the most heavily abused targets), and others as well. When abuse is detected, the offending IP addresses are null routed at the server--cutting off all access to the server by the abusers.
This is far more protective than security plugins that we have to rely on WordPress users installing, and which only temporarily block abusers' HTTP access. This system has been very effective--stopping even highly distributed attacks from thousands of simultaneous IP addresses. It has also experienced false positives along the way and we've had to manually unblock clients who have been incorrectly blocked.
Understand that this system only blocks IP addresses that are hitting website backends--not regular users. In other words, for a WordPress site, anyone trying to access the WordPress admin backend via the wp-login.php login page may be blocked. A regular user browsing a WordPress website will never be blocked. Some clients incorrectly blocked by the system have expressed concern that the system may be blocking their users, but this is not the case. The system is only looking at traffic to administrative logins, which is where the abuse is directed.
Any IP address that has logged into a BlueSkyHosts.com account is whitelisted for a month. As a website owner, if for some reason you do find yourself blocked when using your website admin area, you probably haven't logged into your BlueSkyHosts.com account from your current IP address. If you do, you'll be automatically unblocked within 5 minutes. So remember: if you find yourself blocked for any reason, log in to your Blue Sky Hosts account and that should unblock you--as well as whitelist your current IP address for a month.
Incorrect blocks are usually caused when we've seen an unusually high level of abuse directed at your site, and we've increased the sensitivity of the abuse system specifically for your site to fight it off. When we do that, your legitimate use of the WordPress backend, Joomla backend, etc. may get you blocked. This should affect only a few clients from time to time, and logging into your Blue Sky Hosts account will clear it right up.
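To make the detection, whitelisting and per-site sensitivity described above concrete, here is an added sketch in Python; it is not the Blue Sky Hosts system's own code. The thresholds, the function names, the per-site log dictionary and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

ADMIN_PATHS = ("/wp-login.php", "/administrator/index.php")  # URLs named in the post
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')  # Apache common log format
WINDOW = timedelta(minutes=5)        # scan interval from the post
WHITELIST_TTL = timedelta(days=30)   # "whitelisted for a month"
DEFAULT_LIMIT = 20                   # assumed threshold; the post gives none

def find_abusers(site_logs, now, whitelist, site_limits=None):
    """Return sorted IPs to null route. site_limits lowers the limit for a
    site under attack; whitelist maps IP -> time of last account login."""
    site_limits = site_limits or {}
    blocked = set()
    for site, lines in site_logs.items():
        hits = Counter()
        for line in lines:
            m = LINE_RE.match(line)
            if not m:
                continue  # skip malformed lines rather than guess
            ip, stamp, url = m.groups()
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            path = url.split("?", 1)[0]
            # Only admin-login requests inside the window count; normal browsing never does.
            if now - WINDOW <= when <= now and path.endswith(ADMIN_PATHS):
                hits[ip] += 1
        limit = site_limits.get(site, DEFAULT_LIMIT)
        for ip, count in hits.items():
            seen = whitelist.get(ip)
            if seen is not None and now - seen <= WHITELIST_TTL:
                continue  # recent account login: never block
            if count > limit:
                blocked.add(ip)
    return sorted(blocked)

def null_route_commands(ips):
    # iproute2 blackhole routes; returned as text here, not executed.
    return [f"ip route add blackhole {ip}/32" for ip in ips]

def log_line(ip, stamp, path, method="POST"):
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 1234'

# Constructed sample data (documentation IP ranges, made-up sites).
NOW = datetime(2013, 8, 15, 12, 5, tzinfo=timezone.utc)
TS = "15/Aug/2013:12:03:00 +0000"
SAMPLE = {
    "a.example": [log_line("203.0.113.9", TS, "/wp-login.php")] * 25
                 + [log_line("198.51.100.7", TS, "/", "GET")] * 200,
    "b.example": [log_line("192.0.2.44", TS, "/administrator/index.php")] * 5
                 + [log_line("192.0.2.50", TS, "/administrator/index.php")] * 5,
}
WHITELIST = {"192.0.2.50": NOW - timedelta(days=3)}
```

With the default limit only 203.0.113.9 is blocked; tightening `b.example` to a limit of 3 also blocks 192.0.2.44, which has not logged into an account, while the whitelisted 192.0.2.50 with identical traffic stays reachable.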
This system has so far kept server loads at low levels and has reduced bandwidth across the board from abusive sources, increasing server stability and website performance. If you have any questions or concerns just submit a support ticket to firstname.lastname@example.org
Thursday, August 15, 2013