More Security Questions: BFD, how to make it work with apache

So I installed BFD using some info from the forums, really easy / quick install. I tweaked the config and started it up.

It has a lot of default rules that look like they’ll do just fine, but my main reason for installing this is to protect websites, especially WordPress sites that get hammered on the login page. For some clients I’ve had them use the method of changing the login directory for WordPress, but some are afraid of issues with other plugins. The security features in the site still block / ban IPs at the site level, which should keep WordPress safe, but it still puts a useless load on my server.

So for example I’d want BFD to block IPs at the APF firewall level when they start doing 5000 requests to wp-login.php.

My other thought, specifically for WordPress, was to take the Wordfence plugin’s email alerts about an IP being blocked (at the site level), pipe them into a PHP script that would then update the deny_hosts.rules APF file, and restart APF.

Thanks for any ideas, comments, thoughts!!! :cool:
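The per-IP threshold described above, as an added shell example (this is not BFD’s own rule syntax and not code from the thread): it counts requests to wp-login.php per client IP in an Apache combined-format access log and hands every IP over the threshold to APF. It assumes the combined log format, that `apf -d <ip> "<comment>"` adds a deny entry (APF’s documented deny flag), and uses a constructed five-line log with a low threshold so it runs offline; a real run would point at the live access log with a threshold like the 5000 mentioned in the post.

```shell
#!/bin/sh
# Added example: find IPs hammering wp-login.php and deny them with APF.
# Assumes Apache "combined" log format and that `apf -d IP "comment"` denies an IP.

# Constructed sample log: 10.0.0.5 hammers wp-login.php, 10.0.0.9 is a normal visitor.
WP_SAMPLE_LOG=$(cat <<'EOF'
10.0.0.5 - - [10/Oct/2015:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2015:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2015:13:55:38 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2015:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2015:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
EOF
)

# wp_login_offenders <threshold>: reads a combined log on stdin and prints
# "<count> <ip>" for every IP with more than <threshold> hits on wp-login.php
# (with or without a query string), highest count first.
wp_login_offenders() {
    threshold="$1"
    # field 1 is the client IP, field 7 is the request path
    awk -v t="$threshold" '
        $7 ~ /^\/wp-login\.php([?]|$)/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }' | sort -rn
}

# ban_offenders <threshold> <logfile>: deny each offender via APF.
# Set DRY_RUN=1 to print the apf commands instead of executing them.
ban_offenders() {
    threshold="$1"; logfile="$2"
    wp_login_offenders "$threshold" < "$logfile" | while read -r count ip; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "apf -d $ip \"wp-login brute force: $count hits\""
        else
            apf -d "$ip" "wp-login brute force: $count hits"
        fi
    done
}

# Stand-alone demo on the constructed log (dry run, nothing is actually banned).
tmp=$(mktemp)
printf '%s\n' "$WP_SAMPLE_LOG" > "$tmp"
DRY_RUN=1 ban_offenders 2 "$tmp"
rm -f "$tmp"
```

Run it from cron against the rotated-or-live access log, or drop the body into whatever BFD rule wrapper you are using; the threshold is the only tuning knob, and a dry run first shows which IPs would be hit before any deny rule is written.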

Hi Jon

I’m pleased BFD went well, and I hope you don’t mind, but some of your post makes me think you’re being given an amplified attack, perhaps, which if so would be two-fold: either a break-in or a complete DDoS.

When you say 5000 requests, is this from a small number of IPs or from 5000?

Have you had a look at honeypot? If not you may want to, and you could set up your own honeypot and perhaps write a script to include browser blacklist protection. I’m sorry if I have the actual name wrong, it’s late here, sorry.

I hope it helps a little and I’ll give it more thought anyway.

Many thanks

John

I’ve had at least one WordPress site block a single IP address after the failed attempts maxed out. Then it reported that it had stopped about 45,000 attempts!! This has happened more than once. That’s why for this particular site I also installed Better WP Security and moved /wp-admin to another undisclosed name. I did this because even with the Wordfence plugin blocking the requests the load was the same. Moving the admin folder made it so these attempts never happen.

Another site is just getting a DDoS attack. Never the same IP twice, probably at least 50,000 different IP addresses, and burning through about 20GB of bandwidth in a few days on a site that doesn’t even use 1GB in a month ever. All I did there was change the Apache conf file to block a particular user agent that all the requests were coming from and return a 403. Still though, it’s putting a small added load on my server and wasting BW. I know there is nothing BFD can do about this DDoS attack because they are using so many IPs, but it would be good for the WordPress sites that get hammered by a single IP.

Not sure what you mean by honeypot in this particular case? Maybe basically what I did above with the 403 covers what you were thinking?
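An added example (not code from the thread) for the many-IPs-one-user-agent case in the post above: it tallies an Apache combined-format access log by User-Agent, showing distinct IPs, total requests, and how many of those requests already got a 403, so the agent string shared across a bot fleet stands out and you can confirm the block is actually catching it. The log lines are constructed; the user agents, IPs and paths are placeholders.

```shell
#!/bin/sh
# Added example: which User-Agent is spread across the most IPs, and is the 403 rule catching it?
# Assumes Apache "combined" log format (status is field 9, User-Agent is the last quoted field).

# Constructed sample: "BadBot/1.0" arrives from four IPs, two already blocked with 403;
# one real visitor with a normal browser UA.
UA_SAMPLE_LOG=$(cat <<'EOF'
198.51.100.1 - - [12/Oct/2015:01:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "BadBot/1.0"
198.51.100.2 - - [12/Oct/2015:01:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "BadBot/1.0"
198.51.100.3 - - [12/Oct/2015:01:00:03 +0000] "GET / HTTP/1.1" 403 199 "-" "BadBot/1.0"
198.51.100.4 - - [12/Oct/2015:01:00:04 +0000] "GET / HTTP/1.1" 403 199 "-" "BadBot/1.0"
203.0.113.7 - - [12/Oct/2015:01:00:05 +0000] "GET /about/ HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [12/Oct/2015:01:00:06 +0000] "GET /contact/ HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
)

# ua_tally: reads a combined log on stdin and prints one line per User-Agent,
# most distinct IPs first:
#   ips=<distinct IPs> requests=<total> blocked=<403s> served=<non-403> ua=<agent>
ua_tally() {
    awk '{
        ua = $0
        sub(/^.*" "/, "", ua)        # drop everything up to the opening quote of the UA
        sub(/"$/, "", ua)            # drop the closing quote
        req[ua]++
        if (!((ua, $1) in seen)) { seen[ua, $1] = 1; ips[ua]++ }
        if ($9 == 403) blocked[ua]++; else served[ua]++
    }
    END {
        for (ua in req)
            printf "ips=%d requests=%d blocked=%d served=%d ua=%s\n",
                   ips[ua], req[ua], blocked[ua] + 0, served[ua] + 0, ua
    }' | sort -t= -k2,2rn
}

# ua_suspects <min_ips>: only agents seen from at least <min_ips> distinct IPs,
# i.e. the candidates for a user-agent block.
ua_suspects() {
    ua_tally | awk -v m="$1" '{ split($1, a, "="); if (a[2] + 0 >= m) print }'
}

# Stand-alone demo on the constructed log.
printf '%s\n' "$UA_SAMPLE_LOG" | ua_suspects 2
```

Read the output top-down: an agent with thousands of distinct IPs but only a handful of requests each is the fleet; once the Apache rule for that agent is in place, the blocked count should climb towards the request count, and any remaining served hits mean the match string is too narrow. A non-zero served count also makes the post’s point concrete: the 403 still costs a request and a log line.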

Hi Jon

Many thanks, and sorry, it’s honeypot.org, which may help, as it’s most likely bots that are requesting, and if you have a honeypot installed it may help the wider community. We use honeypots.

Many thanks

John

Thanks, I’ll check it out, because as far as the DDoS goes, with 50k+ IPs (so far), I’m not sure what else to try.

Hi Jon

I’m sorry, this is the link I meant to post; see if it helps you a little.

We use honeypots, and catch quite a few, but we never advertise which websites contain honeypots, and they also work if you are using a CDN, Cloudflare, etc.

Many thanks

John

https://www.projecthoneypot.org/faq.php#g

Please click the above link to read more

What is http:BL?

Http:BL is a way for website administrators to take advantage of the data generated by Project Honey Pot and keep malicious or suspicious IPs off their websites. The service works by publishing DNS records for IPs we have seen conducting suspicious or malicious behavior online. Website administrators can then use this data in order to restrict access to their web servers for these IPs.
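The DNS lookup the FAQ paragraph describes, as an added shell example (not code from Project Honey Pot or from this thread). It follows the query and answer layout published in the public http:BL API documentation: the query name is `<access key>.<IP with octets reversed>.dnsbl.httpbl.org`, and a listed IP answers with `127.<days since last activity>.<threat score>.<visitor type>`, where the type is a bitmask (1 suspicious, 2 harvester, 4 comment spammer; 0 with no bits set means a search engine). The access key and the sample answers below are constructed placeholders; only the optional live lookup needs `dig` and a real key, and the decoding runs offline.

```shell
#!/bin/sh
# Added example: build and decode http:BL (Project Honey Pot) DNS queries.
# Layout per the public http:BL API docs; access key below is a placeholder.

HTTPBL_ZONE="dnsbl.httpbl.org"

# httpbl_query_name <access_key> <ipv4>: the name to look up for <ipv4>.
# Octets are reversed, as in every DNSBL, so 192.0.2.10 becomes 10.2.0.192.
httpbl_query_name() {
    key="$1"
    oldifs=$IFS; IFS=.; set -- $2; IFS=$oldifs
    echo "$key.$4.$3.$2.$1.$HTTPBL_ZONE"
}

# httpbl_decode <answer>: turn a 127.d.t.y answer into a readable line.
# Returns 1 (and prints "invalid") if the first octet is not 127, which
# http:BL uses to signal an error such as a bad access key.
httpbl_decode() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    if [ "$1" != 127 ]; then echo "invalid"; return 1; fi
    days=$2; threat=$3; type=$4
    kinds=""
    if [ "$type" -eq 0 ]; then kinds="search-engine"; fi
    if [ $((type & 1)) -ne 0 ]; then kinds="$kinds suspicious"; fi
    if [ $((type & 2)) -ne 0 ]; then kinds="$kinds harvester"; fi
    if [ $((type & 4)) -ne 0 ]; then kinds="$kinds comment-spammer"; fi
    echo "days=$days threat=$threat type=$type:${kinds# }"
}

# httpbl_lookup <access_key> <ipv4>: live query via dig (needs network and a real key).
# An empty answer (NXDOMAIN) means the IP is not listed.
httpbl_lookup() {
    name=$(httpbl_query_name "$1" "$2")
    answer=$(dig +short "$name" 2>/dev/null | head -n 1)
    if [ -z "$answer" ]; then echo "not listed"; return 0; fi
    httpbl_decode "$answer"
}

# Stand-alone demo with constructed answers (no network needed).
echo "query:  $(httpbl_query_name abcdefghijkl 192.0.2.10)"
echo "listed: $(httpbl_decode 127.3.45.6)"
echo "engine: $(httpbl_decode 127.0.0.0)"
```

A practical policy is to deny only on a type that includes harvester or comment spammer with a threat score above a chosen floor and a small days value; an answer whose type is 0 is a search engine crawler and must never be fed to APF.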