For the past few days, our site has been hit by a guest whose IP address is 65.163.14.185 and is located in Grand Bank Michigan. Our log file looks like....
STI Sun July 19 2009, 02:37 PM 65.163.14.185 Guest User user login 434
STI Sun July 19 2009, 02:37 PM 65.163.14.185 Guest User user login 434
There are over 2600 attempts from this "Pain in the rearend" so far today. Is there a way to block this guest by their IP address? We believe that the idiot is trying to lock up our server.
Any help will be appreciated.
Harvey
I think we're being attacked
Number of replies: 9
Re: I think we're being attacked
I would recommend this bit of software to automatically detect these sort of attacks and block them...
http://www.pettingers.org/code/sshblack.html
Failing that, Google 'iptables' (assuming you are on Linux)
Re: I think we're being attacked
Hi,
If you go to http://www.whois.com and do a domain name lookup or search http://domains.whois.com/domain.php?action=whois by placing the URL above 65.163.14.185 into the search or Domain name: box and it should come up with the responsible party of your recent problems. Then you can decide what to do from there .. This is what my search result gave me as to the above information:
Whois Search Results
Domain Name : 65.163.14.185
OrgName: Sprint
OrgID: SPRN
Address: 12502 Sunrise Valley Drive
City: Reston
StateProv: VA
PostalCode: 20196
Country: US
As to why this is occurring I do not know or can not even speculate but you can find their contact information at Whois and ask them - I hope that this is useful. Thank you and have a nice day ....
Re: I think we're being attacked
I used Whois.com and found that it is part of Sprint. I contacted them and gave them the IP address of the pest. They then gave me a contact's name, phone number and Company. I called them and asked them to assist us with the investigation as to who and why we were being harassed. They wrote a ticket and said that they think that a computer virus was doing it from the computer that was attached to the IP address. They said that they were going to do a search of their logs as part of their investigation. Hopefully, this will put an end to the mischief.
Re: I think we're being attacked
We have not been pestered by this individual since my last posting, but I have a question....
Since Moodle captures the IP address of all who visit our site, both members and guests, is there a way of blocking IP addresses from getting to the site?
As an example....
Joe (pain in the backside) Blow wants to tie up our site. His IP address is ##.###.##.### as listed in the log file. Can I paste the IP address in a box with other IP addresses and, when that IP address hits our site, their computer responds with a message that they have been permanently blocked?
Or bounce the IP before it even hits our site?
Re: I think we're being attacked
Blocking by IP address has been added to Moodle 2.0 (not released yet), but I cannot see it in 1.9. Sorry.
Re: I think we're being attacked
The best way would be to use a firewall to block that address.
Re: I think we're being attacked
I have not seen the IP blocking in Moodle 2.0 yet but I strongly suspect this will not really help you much.
It will still tie up your Moodle site processing the IP blocking. I really don't think that this is the place to do it. You should block at the lowest level possible on your server. Then, if they move on to having a go at some other service on the box, you are covered. It will also be more efficient.
Re: I think we're being attacked
Harvey, why on earth would you want to block IPs at the website level? It's no use at all. I could spoof IPs and you will end up with a mega-database of blocked addresses... Your concern should lie with the guest user NOT being able to log in with a dumbass password and having your logs rotated. Not the fact that it's happening...
Every website with a login page gets a bot knocking on its door from time to time. Strong passwords and logging do the trick; if the attack goes on for more than an hour and is done by more than, say, ten machines (aka filling up your bandwidth) you're better off blocking with portsentry or iptables at the server level.
Realize that probably nothing happened. You recorded (mentioned) 2400 login attempts, which is not that much to worry about.
Good Luck.
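As an added example that is not part of the thread: a small POSIX shell script that counts "user login" events per address in log lines formatted like Harvey's and prints the iptables DROP rule that the replies above recommend for any address over a threshold. The log layout (IP as the 8th whitespace field, action as fields 11 and 12) is assumed from the two lines Harvey quoted, and the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count "user login" events per IP in a
# Moodle 1.9-style text log and print firewall rules for IPs over a threshold.
# Assumed log layout (from the lines quoted in the thread): the IP is the 8th
# whitespace field and the action is fields 11-12 ("user login").

# Constructed sample log: three login hits from one address, one from another,
# plus one non-login event that must not be counted.
SAMPLE_LOG='STI Sun July 19 2009, 02:37 PM 65.163.14.185 Guest User user login 434
STI Sun July 19 2009, 02:37 PM 65.163.14.185 Guest User user login 434
STI Sun July 19 2009, 02:38 PM 65.163.14.185 Guest User user login 434
STI Sun July 19 2009, 02:39 PM 192.0.2.10 Guest User user login 434
STI Sun July 19 2009, 02:40 PM 192.0.2.10 Guest User course view 2'

# Read log lines on stdin; print "count ip" per address, most active first.
login_counts() {
    awk '$11 == "user" && $12 == "login" { n[$8]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read log lines on stdin; print only addresses with more than $1 login events.
noisy_ips() {
    login_counts | awk -v limit="$1" '$1 > limit { print $2 }'
}

# Emit (but do not execute) one iptables DROP rule per noisy address, so the
# block happens at the host firewall rather than inside Moodle.
drop_rules() {
    noisy_ips "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone run: a limit of 2 flags only 65.163.14.185 in the sample log.
printf '%s\n' "$SAMPLE_LOG" | drop_rules 2
```

Pipe the real log file into `drop_rules` instead of the sample, review the printed rules, and apply them by hand; the script never modifies firewall state itself.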
Re: I think we're being attacked
Cor,
Thank you for your posting. As it stands now, I'm "investigating" possibilities; options for the future.
Having options is good.... Having our back against the wall.... Not Good! Since I am but one person, I have found that the Moodle community is invaluable in providing options; and for this I am grateful.