На жаль українці (Sorry Ukrainians)

As is my usual pattern, when I wake up I grab my Android tablet and check emails and the server to make sure everything is OK.

This morning there was not a single email!  Most unusual and I panicked, but all that was happening was that there wasn’t a single email – joy!

Then I checked the load on the server.  As explained in an earlier post, anything under 4.0 is good; more than that and there is a bit of a traffic jam with requests being processed.  My usual routine of checking up on everything from the comfort of my warm bed was shattered when I saw that the load was 70.0!  CRAP!

Ouch!

Out of bed, start computer and check what is going on – at least it wasn’t too cold.  I find that the server is getting hammered from the Ukraine with someone trying to get into lots of WordPress blogs via their /wp-admin link.  First thing I do is block that IP address and within seconds the load starts dropping and it is back at 2.6 pretty quickly.

In the middle of all this I receive an email from Wordfence about the same IP address:

A user with IP address 195.154.236.232 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: ‘Admin’

A couple of things about this: Wordfence seems to be a good idea and I am glad I recommended (and implemented) it.  ‘admin’ is a bad username for WordPress.

Then I ask myself a question: “Seriously, how many people from the Ukraine are going to visit websites on my server?”  Likely none, so I blocked a range of IP addresses and hope that will keep them at bay for a short while :o(

Sorry Ukrainians

Geekiness warning:  Here is what the auto blocking software log looks like.  It shows why addresses are blocked & where they are from. SMTP AUTH is people trying to send spam through the server and failing authentication.

124.106.69.117 # lfd: (smtpauth) Failed SMTP AUTH login from 124.106.69.117 (PH/Philippines/-): 10 in the last 3600 secs – Sun Jun 28 05:51:51 2015
217.76.70.48 # lfd: (smtpauth) Failed SMTP AUTH login from 217.76.70.48 (KZ/Kazakhstan/-): 10 in the last 3600 secs – Sun Jun 28 05:53:46 2015
178.168.197.242 # lfd: (smtpauth) Failed SMTP AUTH login from 178.168.197.242 (BY/Belarus/-): 10 in the last 3600 secs – Sun Jun 28 06:05:07 2015
125.40.219.238 # lfd: (ftpd) Failed FTP login from 125.40.219.238 (CN/China/hn.kd.ny.adsl): 10 in the last 3600 secs – Sun Jun 28 06:05:52 2015
1.53.190.176 # lfd: (smtpauth) Failed SMTP AUTH login from 1.53.190.176 (VN/Vietnam/-): 10 in the last 3600 secs – Sun Jun 28 06:18:12 2015
125.63.66.243 # lfd: (smtpauth) Failed SMTP AUTH login from 125.63.66.243 (IN/India/125.63.66.243.reverse.spectranet.in): 10 in the last 3600 secs – Sun Jun 28 06:39:48 2015
46.216.31.232 # lfd: (smtpauth) Failed SMTP AUTH login from 46.216.31.232 (BY/Belarus/-): 10 in the last 3600 secs – Sun Jun 28 06:43:27 2015
5.39.223.29 # lfd: (smtpauth) Failed SMTP AUTH login from 5.39.223.29 (NL/Netherlands/-): 10 in the last 3600 secs – Sun Jun 28 06:47:05 2015
195.154.236.232 # Manually denied: 195.154.236.232 (FR/France/195-154-236-232.rev.poneytelecom.eu) – Sun Jun 28 06:58:31 2015
37.213.233.53 # lfd: (smtpauth) Failed SMTP AUTH login from 37.213.233.53 (BY/Belarus/-): 10 in the last 3600 secs – Sun Jun 28 07:02:21 2015
86.98.4.198 # lfd: (smtpauth) Failed SMTP AUTH login from 86.98.4.198 (AE/United Arab Emirates/-): 10 in the last 3600 secs – Sun Jun 28 07:04:11 2015
178.125.50.31 # lfd: (ftpd) Failed FTP login from 178.125.50.31 (BY/Belarus/mm-31-50-125-178.mfilial.dynamic.pppoe.byfly.by): 10 in the last 3600 secs – Sun Jun 28 07:05:37 2015
176.219.134.37 # lfd: (ftpd) Failed FTP login from 176.219.134.37 (TR/Turkey/-): 10 in the last 3600 secs – Sun Jun 28 07:22:32 2015
173.208.222.98 # lfd: (smtpauth) Failed SMTP AUTH login from 173.208.222.98 (US/United States/-): 10 in the last 3600 secs – Sun Jun 28 07:41:04 2015
169.159.118.240 # lfd: (smtpauth) Failed SMTP AUTH login from 169.159.118.240 (NG/Nigeria/-): 10 in the last 3600 secs – Sun Jun 28 07:50:25 2015
46.29.255.122 # lfd: (smtpauth) Failed SMTP AUTH login from 46.29.255.122 (US/United States/ptr122.ctreplacementswindows.com): 10 in the last 3600 secs – Sun Jun 28 07:50:30 2015
37.208.170.201 # lfd: (ftpd) Failed FTP login from 37.208.170.201 (QA/Qatar/-): 10 in the last 3600 secs – Sun Jun 28 07:52:10 2015
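
Added example, not part of the original post: a small Python parser for deny-list lines in the layout shown above, tallying blocks by trigger, country code and /24 network so you can see whether the offenders really cluster in one range before blocking it. The sample lines are constructed (documentation address ranges), and the names ENTRY, SAMPLE, parse_entry and summarise are made up for this example.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Entry layouts as they appear in the excerpt above (hyphen or en dash before the date):
#   IP # lfd: (trigger) reason from IP (CC/Country/rDNS): N in the last S secs - date
#   IP # Manually denied: IP (CC/Country/rDNS) - date
ENTRY = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+#\s+"
    r"(?:lfd:\s+\((?P<trigger>[^)]+)\)\s+.*?|Manually denied:\s+\S+\s+)"
    r"\((?P<cc>[A-Z]{2})/[^/]+/(?P<rdns>[^)]*)\)"
    r"(?::\s+(?P<hits>\d+) in the last \d+ secs)?"
    r"\s+[-\u2013]\s+(?P<when>.+)$"
)

# Constructed sample lines (documentation address ranges, not real offenders).
SAMPLE = """\
192.0.2.10 # lfd: (smtpauth) Failed SMTP AUTH login from 192.0.2.10 (PH/Philippines/-): 10 in the last 3600 secs - Mon Jan 12 05:51:51 2015
192.0.2.77 # lfd: (ftpd) Failed FTP login from 192.0.2.77 (PH/Philippines/host77.example.net): 10 in the last 3600 secs – Mon Jan 12 06:05:52 2015
198.51.100.23 # lfd: (smtpauth) Failed SMTP AUTH login from 198.51.100.23 (BY/Belarus/-): 10 in the last 3600 secs - Mon Jan 12 06:43:27 2015
203.0.113.5 # Manually denied: 203.0.113.5 (FR/France/rev.example.org) - Mon Jan 12 06:58:31 2015
# constructed comment line, not an entry
"""

def parse_entry(line):
    """Parse one deny-list line into a dict; return None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    try:
        net = str(ipaddress.ip_network(m["ip"] + "/24", strict=False))
        when = datetime.strptime(m["when"].strip(), "%a %b %d %H:%M:%S %Y")
    except ValueError:  # e.g. an octet above 255 or an unreadable date
        return None
    return {
        "ip": m["ip"], "net24": net, "cc": m["cc"], "when": when,
        "trigger": m["trigger"] or "manual",  # manual denies carry no (trigger)
        "rdns": None if m["rdns"] == "-" else m["rdns"],
        "hits": int(m["hits"]) if m["hits"] else None,
    }

def summarise(text):
    """Tally entries by trigger, country code and /24; count lines that did not parse."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = [e for e in map(parse_entry, lines) if e]
    tally = {k: Counter(e[k] for e in entries) for k in ("trigger", "cc", "net24")}
    return {"entries": entries, "skipped": len(lines) - len(entries), **tally}
```

Calling `summarise()` on the text of the deny file returns the three tallies plus a count of lines it could not parse, so nothing is silently dropped.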
