Post by thanos74 » Mon Apr 04, 2022 6:16 pm

ADD Creative wrote:
Mon Apr 04, 2022 6:11 pm
thanos74 wrote:
Mon Apr 04, 2022 4:45 pm
I have the same problem....
Which is the better code to avoid Bruteforce in /admin ?
They both do the same thing. It is probably more efficient to do the same in htaccess. That way the server doesn't have to start a PHP process.
viewtopic.php?f=179&t=225771&start=20#p836216

If the IP addresses you access the admin from don't change, it is best to add an allow list and ban all others.
There are dynamic IPs, so it is better in the htaccess.
Thank you


Post by thanos74 » Tue Apr 05, 2022 7:15 pm

I set this in htaccess:

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/.*$ - [F]

I see login attempts at https://mail.example.com/admin


Post by ADD Creative » Tue Apr 05, 2022 7:49 pm

thanos74 wrote:
Tue Apr 05, 2022 7:15 pm
I set this in htaccess:

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/.*$ - [F]

I see login attempts at https://mail.example.com/admin
Can you explain in more detail?


Post by thanos74 » Tue Apr 05, 2022 7:54 pm

Attackers tried from the mail subdomain to reach /admin:
https://mail.example.com/admin


Post by ADD Creative » Tue Apr 05, 2022 9:03 pm

thanos74 wrote:
Tue Apr 05, 2022 7:54 pm
Attackers tried from the mail subdomain to reach /admin:
https://mail.example.com/admin
It's not unusual for bots to try a range of locations. What the result is depends on how your server is set up.


Post by websiteworld » Fri May 06, 2022 7:46 am

We restrict access to the /admin/ folder by permitted IP addresses. Solves the problem entirely and is a good overall practice.

Post by by mona » Fri May 06, 2022 10:06 am

websiteworld wrote:
Fri May 06, 2022 7:46 am
We restrict access to the /admin/ folder by permitted IP addresses. Solves the problem entirely and is a good overall practice.
This suggestion will work for static IPs.
As a suggestion to websiteworld, it would be more helpful if you would provide the community with at least one methodology of implementation.
viewtopic.php?t=135240
same logic
https://wpbeaches.com/secure-wp-admin-f ... -htaccess/


Post by garyw75 » Mon Jun 20, 2022 9:22 pm

Just my twopence and what we did. It might help someone. We are not server techies but this worked for us.

We have 3 servers that have several hundred installations of Opencart on them and they are all being hammered and have been for a while. The servers have fallen over a few times due to the load. It's around 600-800 IPs hitting each server.

There are various methods of attack by the looks of the logs, so we think there are different versions of the brute force script in circulation. We have seen one that first connects to the admin page and then attempts a password so the blank referer PHP code in this thread doesn't work and the plugin in the marketplace isn't effective. Obviously still install it as it does help.

Weirdly, whichever method/script they are using, the User-Agent is always the same, which makes me think the script circulating might be encoded. The script kiddies can't change it. Let's face it, if you cycle the User-Agent in your code, it's going to be a lot harder for people to block.

Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

It was pretty impossible for us to connect everyone to Cloudflare so we were just brutal with the following block using Apache to get the servers back under control.

We blocked "Ubuntu" to immediately mitigate the script and in case the browser part of the User-Agent changed. Yes, it will block whoever will be using Ubuntu to browse your shop but don't worry, that one bloke won't buy anything ;-)

If you are just protecting one site then you can specify <Directory "/home/whatever/admin"> but since we had about a hundred on each server we put this into the Apache conf:-

Code:

<Directory "/">
    SetEnvIfNoCase User-Agent "Ubuntu" bad_bots
    <RequireAll>
        Require all granted
        Require not env bad_bots
    </RequireAll>
</Directory>

The next bit is a little rudimentary and a server techie could probably do something in Bash to achieve the same thing.
You need to be running a firewall. We use CSF but any will work.

Go into your logs folder and grep all the logs for the User-Agent:

[root@host domlogs]# grep -r "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" * > block.csv

This gave us about 500k lines in the block.csv file.

Import this CSV into Excel and choose the delimiter that is directly after the IP. Ours was a - (this will be different from server to server).
This will put all the IPs in the first column of the Excel sheet. We then removed the duplicates (Google how).

We then added those IPs into the block file of our CSF firewall so they are blocked, reducing the load on the machine.
Any new IPs hitting the admin get a 403 forbidden server error due to the Apache block.

Our server load went from over 60 back down to under 3 again pretty quickly

178.62.213.36 - - [20/Jun/2022:13:06:24 +0100] "GET / HTTP/1.1" 403 - "https://www.co.uk/admin/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

A bit hack and slash I have to admit and someone that knows what they are doing would probably offer some tips to improve it.

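As an added example (not code from this thread or from OpenCart), the Python script below automates the grep-and-Excel step described in the post above: it parses Apache combined-format log lines, applies the thread's "POST into /admin with no query string" rule per client IP, also flags the quoted User-Agent, and returns a de-duplicated list of IPs to feed into a firewall block list. The sample log lines, the per-IP threshold and the `BOT_UA` constant are constructed assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format, the same layout as the log line quoted in the thread:
# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

BOT_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = f"""\
203.0.113.10 - - [20/Jun/2022:13:06:24 +0100] "POST /admin/ HTTP/1.1" 200 512 "-" "{BOT_UA}"
203.0.113.10 - - [20/Jun/2022:13:06:25 +0100] "POST /admin/ HTTP/1.1" 200 512 "-" "{BOT_UA}"
203.0.113.10 - - [20/Jun/2022:13:06:26 +0100] "POST /admin/ HTTP/1.1" 200 512 "-" "{BOT_UA}"
198.51.100.9 - - [20/Jun/2022:13:06:30 +0100] "GET /admin/ HTTP/1.1" 200 2048 "-" "{BOT_UA}"
198.51.100.7 - - [20/Jun/2022:13:07:01 +0100] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "https://shop.example/admin/" "Mozilla/5.0 (Windows NT 10.0) Firefox/102.0"
192.0.2.55 - - [20/Jun/2022:13:07:05 +0100] "GET /index.php?route=common/home HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Macintosh)"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_blind_admin_post(rec):
    """The thread's rule: a POST into /admin whose URL carries no query string."""
    return (rec["method"] == "POST"
            and rec["path"].startswith("/admin")
            and "?" not in rec["path"])

def blind_post_counts(log_text):
    """Count blind admin POSTs per client IP (unparseable lines are skipped)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blind_admin_post(rec):
            counts[rec["ip"]] += 1
    return counts

def suspicious_ips(log_text, threshold=3, bot_ua=BOT_UA):
    """Sorted, de-duplicated IPs that hit the blind-POST threshold or sent the bot's exact User-Agent."""
    by_count = {ip for ip, n in blind_post_counts(log_text).items() if n >= threshold}
    by_ua = {rec["ip"] for rec in map(parse_line, log_text.splitlines())
             if rec and rec["ua"] == bot_ua}
    return sorted(by_count | by_ua)
```

Run `suspicious_ips(open("access.log").read())` against a real combined-format log and review the list before adding it to a firewall deny list.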

Post by JNeuhoff » Tue Jun 21, 2022 1:34 am

@garyw75: Since you run your own servers, wouldn't it just be easier to implement proper rules in a WAF, using the logic discussed earlier in this forum thread?


Post by garyw75 » Tue Jun 21, 2022 3:31 pm

We actually run two, hand in hand. CSF and Imunify360.

Imunify support, which we pay for, could not mitigate it either. They gave up in the end and fobbed it off as a DDOS attack to wiggle out of helping.

We certainly tried every suggestion from this thread and many others, and as the others have reported you can't 100% mitigate it. We have now implemented some mod_security rules to bolster up the protection.

The other suggestions, Ninja etc require a per site configuration and setup as with all the PHP code suggestions and .htaccess blocks. A very long process if we had to sit and do that for hundreds of sites.

If you run just your own Opencart installation, just .htaccess the admin to your own IP. Super simple. End of attack.


Post by websiteworld » Tue Jun 21, 2022 8:01 pm

garyw75 wrote:
Tue Jun 21, 2022 3:31 pm
Just .htaccess the admin to your own IP. Super simple. End of attack.
Restricting access to the /admin folder by IP address regardless of the method or server type is the way to go. This is a good practice anyway and will avoid any other unforeseen future attacks.


Post by Joe1234 » Fri Aug 12, 2022 11:38 am

Should this go in an htaccess in the admin folder or in the same directory as the admin folder?
ADD Creative wrote:
Mon Jan 24, 2022 8:00 pm
You could also do the same in htaccess.

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/.*$ - [F]


Post by ADD Creative » Fri Aug 12, 2022 3:55 pm

Joe1234 wrote:
Fri Aug 12, 2022 11:38 am
Should this go in an htaccess in the admin folder or in the same directory as the admin folder?
ADD Creative wrote:
Mon Jan 24, 2022 8:00 pm
You could also do the same in htaccess.

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/.*$ - [F]
It should go in the main folder, not the admin. If you did need to put it in the admin folder, use the following.

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule .* - [F]


Post by JNeuhoff » Fri Jan 27, 2023 10:40 pm

ADD Creative wrote:
Mon Jan 24, 2022 8:00 pm
You could also do the same in htaccess.

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/.*$ - [F]
You seem to be our .htaccess expert here! :)

Question: Would it be possible to redirect these bruteforce requests via .htaccess back to the originating REMOTE_ADDR? E.g. the equivalent of this in PHP:

Code:

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	if (empty($_GET)) {
		header("Location: http://" . strval($_SERVER['REMOTE_ADDR']));
		exit;
	}
}
?


Post by khnaz35 » Fri Jan 27, 2023 10:58 pm

websiteworld wrote:
Tue Jun 21, 2022 8:01 pm
Access to the /admin folder by IP address regardless of the method or server type is the way to go. This is a good practice anyway and will avoid any other unforeseen future attacks.
Here are my 2 cents for this

Code:

ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ

Order Deny,Allow
Deny from all

#Whitelist Office IP
Allow from xxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is your IP address; you can simply find your IP by going to a URL like: https://ipfinder.us/


Post by johnp » Sat Jan 28, 2023 12:31 am

Try installing CIDRAM and setting it to return a 500 error:

https://github.com/CIDRAM/CIDRAM


Post by ADD Creative » Sat Jan 28, 2023 1:41 am

JNeuhoff wrote:
Fri Jan 27, 2023 10:40 pm
You seem to be our .htaccess expert here! :)

Question: Would it be possible to redirect these bruteforce requests via .htaccess back to the originating REMOTE_ADDR? E.g. the equivalent of this in PHP:

Code:

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	if (empty($_GET)) {
		header("Location: http://" . strval($_SERVER['REMOTE_ADDR']));
		exit;
	}
}
?
I wouldn't call myself an expert.

Had a quick look and according to https://httpd.apache.org/docs/2.4/mod/mod_rewrite.html you can use the Server-Variable %{REMOTE_ADDR} in the RewriteRule.

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/.*$ http://%{REMOTE_ADDR} [R=301,L]

Seemed to work for me when I quickly tested it on a LiteSpeed web server.

One would assume that using htaccess to block or redirect would be less load on the server than doing it in PHP, as the PHP process needn't be started, but I suspect nothing is ever that simple.


Post by JNeuhoff » Sat Jan 28, 2023 2:15 am

@ADD Creative: Thanks, I'll try it out. Should know in a few minutes; I have several sites with this bruteforce attacker, so I can test it very quickly.

Update a few minutes later: Seems to work, now each of the attacker's POST requests is sent back to where it came from:

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/?$ https://%{REMOTE_ADDR}/ [R=308,L]


Post by khnaz35 » Sat Jan 28, 2023 9:12 am

JNeuhoff wrote:
Sat Jan 28, 2023 2:15 am
Seems to work, now each of the attacker's POST requests is sent back to where it came from:

Code:

RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/?$ https://%{REMOTE_ADDR}/ [R=308,L]
@ADD Creative will you do a pull request for this to the master branch as a security measure? Of course it always depends on Mr. Daniel to merge it.

Btw, I did test this on one of my live websites and noticed that SSL stopped working for admin.


Post by JNeuhoff » Sat Jan 28, 2023 8:52 pm

This one will reduce web traffic even further, with zero-byte 403 responses:

Code:

ErrorDocument 403 %{unescape:%00}
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^admin/.*$ - [F,L]
