На жаль українці (Sorry Ukrainians)

As is my usual pattern, when I wake up I grab my Android tablet and check emails and the server to make sure everything is OK.

This morning there was not a single email!  Most unusual and I panicked, but all that was happening was that there wasn’t a single email – joy!

Then I checked the load on the server.  As explained in an earlier post anything under 4.0 is good, more than that and there is a bit of a traffic jam with requests being processed.  My usual routine of checking up on everything from the comfort of my warm bed was shattered when I saw that the load was 70.0!  CRAP!

Ouch!

Out of bed, start computer and check what is going on – at least it wasn’t too cold.  I find that the server is getting hammered from the Ukraine with someone trying to get into lots of WordPress blogs via their /wp-admin link.  First thing I do is block that IP address and within seconds the load starts dropping and it is back at 2.6 pretty quickly.

In the middle of all this I receive an email from Wordfence about the same IP address:

A user with IP address 195.154.236.232 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: ‘Admin’

Couple of things about this: Wordfence seems to be a good idea and I am glad I recommended (and implemented) it.  ‘admin’ is a bad username for WordPress.

Then I ask myself a question: “Seriously, how many people from the Ukraine are going to visit websites on my server?”  Likely none, so I blocked a range of IP addresses and hope that will keep them at bay for a short while :o(

Sorry Ukrainians

Geekiness warning:  Here is what the auto blocking software log looks like.  It shows why addresses are blocked & where they are from. SMTP AUTH is people trying to send spam through the server and failing authentication.

124.106.69.117 # lfd: (smtpauth) Failed SMTP AUTH login from 124.106.69.117 (PH/Philippines/-): 10 in the last 3600 secs – Sun Jun 28 05:51:51 2015
217.76.70.48 # lfd: (smtpauth) Failed SMTP AUTH login from 217.76.70.48 (KZ/Kazakhstan/-): 10 in the last 3600 secs – Sun Jun 28 05:53:46 2015
178.168.197.242 # lfd: (smtpauth) Failed SMTP AUTH login from 178.168.197.242 (BY/Belarus/-): 10 in the last 3600 secs – Sun Jun 28 06:05:07 2015
125.40.219.238 # lfd: (ftpd) Failed FTP login from 125.40.219.238 (CN/China/hn.kd.ny.adsl): 10 in the last 3600 secs – Sun Jun 28 06:05:52 2015
1.53.190.176 # lfd: (smtpauth) Failed SMTP AUTH login from 1.53.190.176 (VN/Vietnam/-): 10 in the last 3600 secs – Sun Jun 28 06:18:12 2015
125.63.66.243 # lfd: (smtpauth) Failed SMTP AUTH login from 125.63.66.243 (IN/India/125.63.66.243.reverse.spectranet.in): 10 in the last 3600 secs – Sun Jun 28 06:39:48 2015
46.216.31.232 # lfd: (smtpauth) Failed SMTP AUTH login from 46.216.31.232 (BY/Belarus/-): 10 in the last 3600 secs – Sun Jun 28 06:43:27 2015
5.39.223.29 # lfd: (smtpauth) Failed SMTP AUTH login from 5.39.223.29 (NL/Netherlands/-): 10 in the last 3600 secs – Sun Jun 28 06:47:05 2015
195.154.236.232 # Manually denied: 195.154.236.232 (FR/France/195-154-236-232.rev.poneytelecom.eu) – Sun Jun 28 06:58:31 2015
37.213.233.53 # lfd: (smtpauth) Failed SMTP AUTH login from 37.213.233.53 (BY/Belarus/-): 10 in the last 3600 secs – Sun Jun 28 07:02:21 2015
86.98.4.198 # lfd: (smtpauth) Failed SMTP AUTH login from 86.98.4.198 (AE/United Arab Emirates/-): 10 in the last 3600 secs – Sun Jun 28 07:04:11 2015
178.125.50.31 # lfd: (ftpd) Failed FTP login from 178.125.50.31 (BY/Belarus/mm-31-50-125-178.mfilial.dynamic.pppoe.byfly.by): 10 in the last 3600 secs – Sun Jun 28 07:05:37 2015
176.219.134.37 # lfd: (ftpd) Failed FTP login from 176.219.134.37 (TR/Turkey/-): 10 in the last 3600 secs – Sun Jun 28 07:22:32 2015
173.208.222.98 # lfd: (smtpauth) Failed SMTP AUTH login from 173.208.222.98 (US/United States/-): 10 in the last 3600 secs – Sun Jun 28 07:41:04 2015
169.159.118.240 # lfd: (smtpauth) Failed SMTP AUTH login from 169.159.118.240 (NG/Nigeria/-): 10 in the last 3600 secs – Sun Jun 28 07:50:25 2015
46.29.255.122 # lfd: (smtpauth) Failed SMTP AUTH login from 46.29.255.122 (US/United States/ptr122.ctreplacementswindows.com): 10 in the last 3600 secs – Sun Jun 28 07:50:30 2015
37.208.170.201 # lfd: (ftpd) Failed FTP login from 37.208.170.201 (QA/Qatar/-): 10 in the last 3600 secs – Sun Jun 28 07:52:10 2015
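
To read a log like this at a glance, the entries can be parsed and tallied by block reason and by the country code each entry carries. The following is an added example, not part of the original post or of the blocking software; the function names are hypothetical and the regular expression assumes only the two line shapes visible above.

```python
import re
from collections import Counter
from datetime import datetime

# Entries copied from the deny log above; the last line is constructed to show
# that lines which do not parse are counted as skipped rather than guessed at.
SAMPLE = """\
124.106.69.117 # lfd: (smtpauth) Failed SMTP AUTH login from 124.106.69.117 (PH/Philippines/-): 10 in the last 3600 secs – Sun Jun 28 05:51:51 2015
178.168.197.242 # lfd: (smtpauth) Failed SMTP AUTH login from 178.168.197.242 (BY/Belarus/-): 10 in the last 3600 secs – Sun Jun 28 06:05:07 2015
125.40.219.238 # lfd: (ftpd) Failed FTP login from 125.40.219.238 (CN/China/hn.kd.ny.adsl): 10 in the last 3600 secs – Sun Jun 28 06:05:52 2015
195.154.236.232 # Manually denied: 195.154.236.232 (FR/France/195-154-236-232.rev.poneytelecom.eu) – Sun Jun 28 06:58:31 2015
37.213.233.53 # lfd: (smtpauth) Failed SMTP AUTH login from 37.213.233.53 (BY/Belarus/-): 10 in the last 3600 secs – Sun Jun 28 07:02:21 2015
178.125.50.31 # lfd: (ftpd) Failed FTP login from 178.125.50.31 (BY/Belarus/mm-31-50-125-178.mfilial.dynamic.pppoe.byfly.by): 10 in the last 3600 secs – Sun Jun 28 07:05:37 2015
this line is not a deny entry
"""

# Matches automatic "lfd: (trigger) ..." entries and "Manually denied:" entries.
ENTRY = re.compile(
    r"^(?P<ip>\S+) # (?:lfd: \((?P<trigger>\w+)\) .*? from|Manually denied:) \S+ "
    r"\((?P<cc>[A-Z]{2})/(?P<country>[^/]+)/(?P<rdns>[^)]*)\)"
    r"(?:: (?P<hits>\d+) in the last (?P<window>\d+) secs)?"
    r"\s+[–-]\s+(?P<when>.+)$"
)

def parse_entry(line):
    """Return a dict for one deny-log line, or None if it does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["trigger"] = e["trigger"] or "manual"  # no lfd trigger: manual block
    e["hits"] = int(e["hits"]) if e["hits"] else None
    e["when"] = datetime.strptime(e["when"], "%a %b %d %H:%M:%S %Y")
    return e

def summarize(text):
    """Tally blocks by trigger and by country code; count skipped lines."""
    by_trigger, by_country, skipped = Counter(), Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        e = parse_entry(line)
        if e is None:
            skipped += 1
            continue
        by_trigger[e["trigger"]] += 1
        by_country[e["cc"]] += 1
    return by_trigger, by_country, skipped

if __name__ == "__main__":
    print(summarize(SAMPLE))
```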

Rules

I am not very big on authority.  Ms 123host constantly points out how I love breaking rules.

So I am pretty easy going with most 123host rules.

If you are hosted with anything other than a small hosting company you can expect rules to be enforced without exception, without review, without any human intervention.  It is all automatic, they don’t care much about individuals and their circumstances.

I am different.  I rarely enforce bandwidth or quota limits, I will give you a bit more or look to see what is causing excessive use.  Until it gets out of hand I am willing to cut customers a bit of slack; it is part of the 123host great service philosophy and engenders loyalty and good word of mouth.

So it always pains me to have to write a “last chance” email letting someone know that if they don’t pay a month-overdue invoice I am going to delete all their hard work.

The truth is that if she got back to me and said anything – “my mother is sick”, “I am having a baby”, “the dog ate my PayPal account” – I would be open to working something out.  Silence is the problem.

But there is one area where I don’t compromise: security.  If your site in any way compromises the server it will be suspended.  Yes, I will work with you to figure out the problem, but security rules.

Them’s the rules.