Hi,
we are facing a problem of multiple fake login attempts. Looking at logs I can see almost every minute a silly name try to login to our Moodle (with wrong on not existant password).
We are using 4.1.1.x release (I updated it 3 days ago) and the host is Aruba.
Even if I delete every additional plugins and I choose the standard theme (deleteing the one we use), we are going on having the same problem.
Any idea?
Thank you in advance.
Filippo
Black Hats (BH) are always ahead of White Hats (WH) until WH catch up but then the BH find another way.
Hosting on systems where you are not in total control puts you at a disadvantage ... if your provider won't install things like mod_security or mod_evasive.
There are some things that you could do ... that will probably lead to some pain at first ... and won't be 100% ... but better than what you have now ...
Concepts - block/stop as far away from your server as you can and one might have to also block at the network layer (which might require you to upgrade your hosting to a VPS (un-managed).
First, investigate what you can do ... software wise ... research
CloudFlare
Moodle plugin for Multi-Factor
https://moodle.org/plugins/tool_mfa
If you had greater control over your firewall, one could put the peskiest IP addresses or range of IP addresses in a drop zone of the Firewall of your server. That's at the network layer. It also requires you to do more investigation of the IP addresses and range of IP addresses. Example: don't think any of your valid students would be using a browser from a DigitalOcean (DO) Server. If after looking at logs of server you see several coming from DO servers you could block a range of IP addresses that included most DO servers - those bots won't see *anything* of your server (note: they will try proxies at that point).
Above takes time and diligence once you begin. You could eventually get to a point where you only have to work on such stuff once a week!
'SoS', Ken
I recommend you to install fail2ban on your server. It's a software package that scans the logs of your server, searching for failed logins, accessing non existent scripts and various other configurable "mistakes" bots usually make. Based on that, fail2ban will block access for those IP's completely (or only one service) for a chosen time (minutes, hours, weeks, ...)
It's not so easy to make it scan Moodle logs, but it's very likely that those bots get filtered out because they try to do loads of other stuff wrong on your machine, not visible in the Moodle logs.
If your're interested, I can share you my configuration file - it gives a good idea from what it can do to protect your server. Default settings are not enough.
It was just an observation! But IF someone will pay me for that idea, I'd gladly accept!
Expanding ...
those that register their site with Moodle share with Moodle info about
their site. Wish Moodle would also collect at least hosting provider + package (shared system or dedicated VPS - although I know that would be hard to determine).
https://www.websiteplanet.com/web-hosting/aruba/
Just about every hosting provider on the planet does WordPress ... but 'good environments' for DIY Moodle(s)? When one first begins to shop for hosting one doesn't really know the questions to ask! Even if you did, sales will promise anything! :|
Am not saying that the site above is 'right on target' ... cause there would
be some criteria for a Moodle not covered in their reviews of hosting that I would include having learned from previous experiences in hosting DIY Moodle(s).
I chuckle when I see '99.9% uptime'!!!! Can meet that criteria by ping but that doesn't mean one has 99.9% uptime for applications! (network comes before applications)
Anyhoo ...
'SoS', Ken
No doubt an MP is the 'best' ... if one can afford it. Am talking about the DIY folks! ;) If am not mistaken, makes up the majority of Moodle sites.
Have been in these forums for many years. Don't think I've ever seen any discussion in 'community' objecting to Moodle HQ collecting at least where sites are hosted ... especially if admin has checked the box to publish the url when registering their site. Could be a box on that form for 'provider if known' that's not required.
https://stats.moodle.org/sites/
100% accuracy would be difficult for sure given things like CloudFlare ... but a ball-park - X number host with DigitalOcean, or OVH, or HostGator, etc. ... just the top 10 would be nice.
Hmmmmm ... looks like a job for a Chatbot!
'SoS', Ken
Discussing this in Security and Privacy. Hmmmmmm ... and by far, the following isn't going to be 'popular' with the Moodle 'faithful' and maybe no longer the focus of Moodle ... but .... here goes:
https://listedtech.com/blog/update-on-the-k-12-lms-historical-market/
There's an image ..
% of New K12 LMS Implementations per year.
"Moodle, which had the most new implementations between 2005 and 2012 (see graph below from last year’s post) is now hardly being selected."
I realize that's K12 - but think one might find similar in Higher Ed and in other 'industries'.
For an individual - small biz?
In San Antonio, Tx there is a non-profit which attempts to help small to medium businesses ... Moodle isn't on anyone's radar.
My 2 cents!
'SoS', Ken
