[Sticky] Forum Updates December 25th 2019

20 Posts
7 Users
5 Likes
5,605 Views
(@dronebot-workshop)
Noble Member Admin
Joined: 4 years ago
Posts: 1232
Topic starter  
Posted by: @robo-pi

As to the purpose of these fake accounts, I also have no clue.

That makes two of us. But after taking nearly 1000 off and going to manual registration we are much better off. It's more work on my end (I spent my entire birthday last week making forum accounts LOL), but thanks to the amazing @Codecage I now have some assistance.

Posted by: @egers

I don't know much about hacking, but why would someone care to hack into the website or the forum? What are they attempting to get?

Could be a lot of things. They might just want to destroy it or, more likely, take it over. I have a friend who had her site turned into a phishing site for a bank in Uruguay; this is where they would send the people who were foolish enough to respond to the fake emails they sent them.  By hacking another site they don't leave a trace as to the real scammers' identity when Interpol comes looking for them.

When I worked for an educational software company in Hawaii we had our server hacked and were even able to trace it back to a location in China. But after that what can you do?  I doubt the Chinese government would really care to prosecute someone who hacked a small company in Honolulu.

The attempts on the main site skyrocketed on Christmas Eve, right before I took it down for maintenance. I generally get about 1,000 hacking attempts per day, I've owned over 200 websites so I expect that. But on December 24th I received over 11,000 attempts - that is NOT a typo!  All of them were amateurish and easily defended against, I think a spam-bot was just "stuck".  

In order to use Jetpack with the site, I had to leave XML-RPC enabled, now I've reconfigured my .htaccess file to only allow Jetpack IP addresses to access it. Since I've done that I've only got about 300 attempts per day, quite an improvement. Most of those 11,000 attempts that day were via XML-RPC.

The updates I've done, and am still doing (the main website still has a problem with the Redis cache), should help, but nothing stops them from trying.  It's just part of the business of running a website, I'm used to it.

And I've now increased my backup frequency to once every 6-hours, so if someone DOES kill the forum the worst-case scenario is that we lose 6 hours of data.

Posted by: @zeferby

A lot of hackers test their teeth on any new/moved Wordpress site they can find, since there is a better chance for these sites to not yet be protected (and some of these guys are scanning every known IP from known WP-hosting companies).

Back when I used to record tutorials for the Warrior Forum I built a test site, as part of a lesson on installing WordPress. An hour after I finished filming it I went to delete it, only to find it had already been hacked! An unknown site on a test domain that had been active for less than three hours! And that was back in 2011, they are now much more sophisticated.

For the record I don't host on a "well-known WP-hosting company", I have a Cloud VPS. But finding my site is simple, all you need is Google!

Posted by: @robo-pi

How in the world do you tell the difference between a valid account and a faked account so easily?  Bill surely didn't go through these one-by-one deciding which are real and which are fake?

They all followed a specific pattern. But I cannot take the credit for finding most of them, Codecage did some amazing work in finding and banning most of them. He did the "heavy lifting", all I needed to do was hit the "Delete" button - 10 times, as you can only delete up to 100 at the same time.

Posted by: @egers

Also, what are they doing and how are you blocking them? I know nothing about cybersecurity, and I am trying to learn.

You'll understand, I hope, that I can't go into specific details on a public forum. But one thing that is common is that they figure out the site is WordPress (which is pretty easy to do) and then try every possible username under the sun on the standard WordPress login page. But, to foil that attempt, I have moved my login to a page whose URL nobody could ever guess. And if I detect someone trying to login on the standard login page I block their IP address.

I also use TFA and a password with 24-characters, which I change every month.  On the page they can never find!

Of course, I can't do this on the forum, as to login all you do is hit the "login" link!

Posted by: @spyder

Obviously I should no longer trust MASH for my education on foreign traditions.

I guess not! And I suppose that Amelia Earhart didn't actually get abducted by aliens and sent to the Delta Quadrant.  Even though I learned that on Star Trek Voyager!

Bill

"Never trust a computer you can’t throw out a window." — Steve Wozniak


   
codecage reacted
egers
(@egers)
Trusted Member
Joined: 4 years ago
Posts: 39
 
Posted by: @dronebot-workshop

I spent my entire birthday last week making forum accounts LOL

Happy Birthday!

Posted by: @dronebot-workshop

But one thing that is common is that they figure out the site is WordPress (which is pretty easy to do) and then try every possible username under the sun on the standard WordPress login page.

Don't these systems have a blocker that stops you from entering usernames/passwords at a specific rate, so it could take years for a bot to get the right one?


   
(@dronebot-workshop)
Noble Member Admin
Joined: 4 years ago
Posts: 1232
Topic starter  
Posted by: @egers

Don't these systems have a blocker that stops you from entering usernames/passwords at a specific rate, so it could take years for a bot to get the right one?

Yes, of course. And as I moved the login URL they can try until the Sun goes nova, they will never get in.  In addition, after 3 attempts I block the IP address for 4 hours, another three and it's 96 hours, and the address is reported to a central database that tracks these activities from websites worldwide. And I get that data as well, so some IP addresses never even get to the site, they are blocked automatically.

Because of all this, I'm not particularly concerned about someone hacking the site. But each of these hopeless attempts consumes resources, and when you get a mass-attack of these things it makes the server very slow. And keep in mind it's the same server that I use for the forum as well, so both sites suffer.  That's the real issue.

The Christmas Eve bot (I'm assuming it's a bot, no human could sit there doing this all day) tried the same three login names and then got locked out. So within a second, it returned, using the same three names but with a different IP address. And the pattern continued. By switching IP addresses (which they are probably spoofing) they can keep trying all day.

This happens all the time. I get an email after 100 failed attempts, so on an average day, I get about 10 emails. On Christmas Eve I received 110 emails! So if anyone tried to email me that day I may have missed your mail.

My upgrade consisted of doubling the server's memory, adding another CPU and also adding hard drive space, the latter because the forum now takes twice the drive space that the main site does (mostly due to the images loaded on it, which is to be expected). I called it a "server move" but as it is a cloud VPS nothing actually moved, it was just dynamically reallocated.  Which is why I kept the same IP address and didn't need to regenerate my security certificate.

As long as I have backups I'm not overly concerned.

Bill 

"Never trust a computer you can’t throw out a window." — Steve Wozniak


   
ReplyQuote
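The per-IP lockout and the address-rotating bot described in the post above, as an added example that is not part of the original post and not the site's actual configuration. It replays constructed failed-login events through the 3-attempt / 4-hour / 96-hour policy and then groups addresses by the set of usernames they tried, which is the pattern per-IP counting cannot see; the function names, usernames and IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy figures from the post: 3 failures -> 4 h block, 3 more -> 96 h block.
THRESHOLD = 3
BLOCKS = [timedelta(hours=4), timedelta(hours=96)]

def apply_lockout(events):
    """Replay (time, ip, username) failures; return {ip: blocked_until}."""
    fails = defaultdict(int)      # failures counted per IP
    blocked_until = {}
    for ts, ip, _user in events:
        if ip in blocked_until and ts < blocked_until[ip]:
            continue              # rejected before reaching the login form
        fails[ip] += 1
        if fails[ip] % THRESHOLD == 0:
            level = min(fails[ip] // THRESHOLD, len(BLOCKS)) - 1
            blocked_until[ip] = ts + BLOCKS[level]
    return blocked_until

def rotating_campaigns(events, min_ips=5):
    """Group IPs by the exact set of usernames they tried. A set shared by
    many IPs is one campaign changing addresses, invisible to per-IP counts."""
    users_by_ip = defaultdict(set)
    for _ts, ip, user in events:
        users_by_ip[ip].add(user)
    ips_by_set = defaultdict(set)
    for ip, users in users_by_ip.items():
        ips_by_set[frozenset(users)].add(ip)
    return {s: ips for s, ips in ips_by_set.items() if len(ips) >= min_ips}

def sample_events():
    """Constructed data: 20 documentation-range IPs trying the same 3 names,
    one second apart, plus one unrelated mistyped login."""
    t0 = datetime(2019, 12, 24, 9, 0, 0)
    names = ["admin", "administrator", "test"]   # constructed usernames
    ev = []
    for i in range(20):
        for j, n in enumerate(names):
            ev.append((t0 + timedelta(seconds=3 * i + j), f"203.0.113.{i + 1}", n))
    ev.append((t0 + timedelta(minutes=5), "198.51.100.7", "bill"))
    return ev

if __name__ == "__main__":
    ev = sample_events()
    print(len(apply_lockout(ev)), "IPs blocked")
    for names, ips in rotating_campaigns(ev).items():
        print(sorted(names), "tried from", len(ips), "IPs")
```

Every address in the sample is locked out after its third failure, yet the login form still absorbs all 60 attempts; the grouping step is what ties them to a single source of load.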
frogandtoad
(@frogandtoad)
Noble Member
Joined: 4 years ago
Posts: 1506
 

@dronebot-workshop

Sometimes, new technology introduces more and even too much complexity, often introducing and exposing new back doors, etc... thus making it a lot harder to defend your site.  PHP is not considered a language that offers the greatest of security, which WordPress is built upon.

I'm aware of some pretty robust websites that have been built using C++, which is one of, if not the most, secure languages out there, as well as being fast... hackers will struggle to compromise it, but it requires a lot of coding to implement it, and depending on what you're trying to protect, the trade off in coding may be just what the doctor called for 😉

Happy New Year, Bill!


   
(@dronebot-workshop)
Noble Member Admin
Joined: 4 years ago
Posts: 1232
Topic starter  
Posted by: @frogandtoad

PHP is not considered a language that offers the greatest of security, which WordPress is built upon.

Agreed. One of my upgrades was upgrading the version of PHP, which in turn broke a number of features on the main site. The forum survived without a hiccup, which is why I brought it back online first.

Posted by: @frogandtoad

depending on what you're trying to protect, the trade off in coding may be just what the doctor called for 😉

The keyword there is "tradeoff". The advantages of using a CMS like WordPress far outweigh the disadvantages for what I'm using it for. My primary purpose is to deliver content to fine folks like you, not to be a webmaster. I pay extra every month for a service to manage the webserver, not because I haven't got the skills to do it myself, but because my focus is on creating content and I want to focus on that.  I bought a theme, not because I can't code HTML, Javascript, and PHP, but because it saved time and I can focus my attention on creating content.  I used to make money creating and selling WordPress plugins, now I purchase them myself - again because it saves time.

My website is the #1 most important asset that the DroneBot Workshop has, this forum is number two and YouTube ranks third - and it's tied with the mailing list.  Although most of my audience has discovered me on YouTube I know from experience (I've been making my revenue online part or full-time since 1998) that you focus on the assets you own, not the ones you piggyback on. YouTube could change its policies tomorrow and my channel could be demonetized or wiped out - unlikely in my niche, but you never know - look at what is happening right now with the "family-friendly" channels and COPA.  But I OWN the website and forum, and nobody can take them away from me.

Not even a bunch of pathetic hackers with nothing better to do than to hack a website about Arduinos and Robots!

Posted by: @frogandtoad

Happy New Year, Bill!

And a very Happy New Year to you as well, and to EVERYONE here who have helped make this forum what it is, who have followed me on the website and YouTube and who have stuck with me despite the inconsistencies I've had lately putting out content.  I'm looking forward to an amazing 2020, and I wish all of you the same.

Bill

"Never trust a computer you can’t throw out a window." — Steve Wozniak


   
codecage and frogandtoad reacted