[TYPO3-english] brute force attacks on backend
Stephan Bernhard
2013-09-12 04:37:40 UTC
hi list

since yesterday morning i suffer from continuous brute force attacks
with varying IPs on the backend (not FE).

it seems that there is no EXT to stop those IPs from inside a
TYPO3-installation, right?

thanks for any hint and help

stephan
Peter Kühnlein
2013-09-12 04:45:59 UTC
Post by Stephan Bernhard
hi list
since yesterday morning i suffer from continuous brute force attacks
with varying IPs on the backend (not FE).
it seems that there is no EXT to stop those IPs from inside a
TYPO3-installation, right?
thanks for any hint and help
stephan
hi stephan,

if you are using a single (range of) ips to access the backend yourself,
you might try to use the .htaccess with a

Order deny,allow
Deny from all
Allow from IP(RANGE)

for the backend... not sure what it would have to look like exactly (you
will need some more lines and make sure not to block access to the
frontend), but this would seem to be the obvious to me.

be safe
peter
--
http://function2form.net
http://peter-kuehnlein.net

"Matters of small concern should be treated seriously."
(Hagakure)
Stephan Bernhard
2013-09-12 05:09:11 UTC
@ peter
Post by Peter Kühnlein
you might try to use the .htaccess with a
Order deny,allow
Deny from all
Allow from IP(RANGE)
that's what i do since the attack began:

Deny from (IP)

this is easy, of course, and works seamlessly.
unless the attacker changes his IPs more frequently.

stephan
Peter Kühnlein
2013-09-12 05:20:23 UTC
Post by Stephan Bernhard
@ peter
Post by Peter Kühnlein
you might try to use the .htaccess with a
Order deny,allow
Deny from all
Allow from IP(RANGE)
Deny from (IP)
this is easy, of course, and works seamlessly.
unless the attacker changes his IPs more frequently.
stephan
yep stephan,

but denying all and allowing only your own IPs for the backend would
keep the attacker out, even if they changed the IPs. just make sure the
rule matches the backend only.

alternatively, the install tool has a section in [BE] called
[IPmaskList], which might be of help.

quote: "String: Lets you define a list of IP-numbers (with *-wildcards)
that are the ONLY ones allowed access to ANY backend activity. On error
an error header is sent and the script exits. Works like IP masking for
users configurable through TSconfig. See syntax for that (or look up
syntax for the function t3lib_div::cmpIP()) "

cheers,
peter
--
http://function2form.net
http://peter-kuehnlein.net

"Matters of small concern should be treated seriously."
(Hagakure)
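
A dry run of the [BE][IPmaskList] idea quoted above, as an added example that is not part of the thread and not TYPO3's own code: it reports which known editor addresses a candidate mask list would lock out before the setting is applied. It assumes a comma-separated list of four-part IPv4 masks where `*` stands for one whole octet; the function names and all sample addresses are constructed for illustration.

```python
import ipaddress


def mask_matches(mask, ip):
    """Return True if a dotted IPv4 address matches one mask such as '192.0.2.*'."""
    try:
        octets = str(ipaddress.IPv4Address(ip)).split(".")
    except ipaddress.AddressValueError:
        return False  # a malformed client address never matches
    parts = mask.strip().split(".")
    if len(parts) != 4:
        return False  # assumption: short or empty masks are rejected (fail closed)
    for want, have in zip(parts, octets):
        if want == "*":
            continue  # wildcard covers exactly this octet
        if not want.isdigit() or int(want) != int(have):
            return False
    return True


def allowed(mask_list, ip):
    """Allowlist semantics: the address must match at least one mask in the list."""
    return any(mask_matches(m, ip) for m in mask_list.split(","))


def locked_out(mask_list, known_client_ips):
    """Addresses of legitimate users that the mask list would refuse."""
    return [ip for ip in known_client_ips if not allowed(mask_list, ip)]


# Constructed sample data (documentation address ranges, not from the thread).
MASK_LIST = "192.0.2.*, 198.51.100.17"
EDITOR_IPS = [
    "192.0.2.10",
    "192.0.2.200",
    "198.51.100.17",
    "198.51.100.18",
    "203.0.113.5",
]

if __name__ == "__main__":
    for ip in locked_out(MASK_LIST, EDITOR_IPS):
        print("would be refused backend access:", ip)
```
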
Markus Klein
2013-09-12 08:10:25 UTC
Hi!

We recently had the same discussion on the Austrian list.

Some useful links from this thread:
http://www.abaton.at/downloads/typo3/T3X_aba_bruteforceblocker-manual.pdf
http://www.abaton.at/downloads/typo3/T3X_aba_bruteforceblocker-latest.t3x

http://typo3.org/extensions/repository/view/beko_improved_login (needs a 6.x port, get in touch with the author)
--
Kind regards
Markus

------------------------------------------------------------
Markus Klein
TYPO3 CMS Active Contributors Team Member
Stephan Bernhard
2013-09-12 12:25:45 UTC
@ markus
Post by Markus Klein
Hi!
We recently had the same discussion on the Austrian list.
http://www.abaton.at/downloads/typo3/T3X_aba_bruteforceblocker-manual.pdf
http://www.abaton.at/downloads/typo3/T3X_aba_bruteforceblocker-latest.t3x
http://typo3.org/extensions/repository/view/beko_improved_login (needs a
6.x port, get in touch with the author)
thanks for the links.

the EXT aba_bruteforceblocker is not any more in the repository
(thanks for the download link for the t3x file).

i use TYPO3 4.5.xx - is this EXT compatible with this version?

and how about EXT beko_improved_login?

stephan
Stephan Bernhard
2013-09-12 12:28:20 UTC
@ peter
Post by Peter Kühnlein
but denying all and allowing only your own IPs for the backend would
keep the attacker out, even if they changed the IPs. just make sure the
rule matches the backend only.
alternatively, the install tool has a section in [BE] called
[IPmaskList], which might be of help.
quote: "String: Lets you define a list of IP-numbers (with *-wildcards)
that are the ONLY ones allowed access to ANY backend activity. On error
an error header is sent and the script exits. Works like IP masking for
users configurable through TSconfig. See syntax for that (or look up
syntax for the function t3lib_div::cmpIP()) "
since there are quite a few BE-users in my installations, i don't know
from which IPs they log in.

so this solution will unfortunately not work...

stephan
