To start — I’m an enthusiastic user of Simple Firewall. But… I’m …

By 10th April 2020 Uncategorised

Comment on Beware New WordPress Security Threat: The WordPress Misinformation Virus by Mike O’Connor.

To start — I’m an enthusiastic user of Simple Firewall.

But…

I’m also interested in, and agree with, Neal Beattie’s comment above. About once a day my little Mac Mini server gets crushed with a single-IP attacker who just bangs away on a site. Simple Firewall definitely reduces the load on the server, but eventually MySQL slowly caves and the only solution is to put a single-IP blocking rule in the firewall (and restart MySQL).

Neal, if you’re listening, I’d love to hear more about your application firewall if it’s made its way to market.

Bye for now, my box just got its “morning attack” and I need to go put the block in.

Mike O’Connor also commented:

Beware New WordPress Security Threat: The WordPress Misinformation Virus
Back again. Here’s a snippet of the log that I saw when I logged into that box:

sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:23 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:23 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"

That SAP.ORG site is one of about a dozen that I’m running on that little server, and Simple Firewall is configured to block brute-force attacks. But this attack seems to be at a lower level than Simple Firewall can detect, and thus the server starts delivering “unable to connect to database” errors on all sites.

Any thoughts about what to do about this kind of an attack?
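The log excerpt above is the kind of input a rate-based detector can act on before the database is exhausted: the same IP posting to /wp-login.php several times a second, regardless of whether WordPress answers 200 or 500. The following script is an added example and is not code from the commenter or from the Simple Firewall plugin. It parses the vhost-prefixed Apache combined format shown above (straight ASCII quotes are assumed; the curly quotes in the rendered excerpt are a display artifact), keeps a sliding window of login POSTs per source IP, flags any IP that exceeds a threshold, and formats a single-IP pf block rule. The threshold (5 requests in 10 seconds), the rule form, and the benign traffic from the RFC 5737 documentation address are assumptions chosen for the example.

```python
"""Sliding-window detector for single-IP login floods in Apache access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vhost-prefixed combined format:  vhost ip ident user [ts] "req" status size "ref" "ua"
# Straight ASCII quotes are assumed in the real log file.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: the eight lines from the excerpt above (same source IP) plus two
# benign requests from an RFC 5737 documentation address, interleaved by timestamp.
SAMPLE_LOG = """\
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:20 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 198.51.100.7 - - [16/Jul/2015:10:12:21 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:22 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:23 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 162.144.39.67 - - [16/Jul/2015:10:12:23 -0500] "POST /wp-login.php HTTP/1.0" 500 3066 "-" "-"
sap.org 198.51.100.7 - - [16/Jul/2015:10:12:24 -0500] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict (vhost, ip, ts, method, path, status, size) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache timestamps carry a numeric UTC offset, which %z understands.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_floods(lines, threshold=5, window_seconds=10, path="/wp-login.php"):
    """Flag IPs that POST to `path` at least `threshold` times within `window_seconds`.

    Response status is deliberately ignored: in the scenario above every request got a
    500 because the database was already saturated, yet each one still consumed a PHP
    worker and a database connection. Returns {ip: (first trigger time, vhost)}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs still in window
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in hits:
            hits[rec["ip"]] = (rec["ts"], rec["vhost"])
    return hits


def pf_block_rule(ip):
    """Text of a single-IP block for pf, the macOS packet filter (rule form is an assumption)."""
    return f"block drop quick from {ip} to any"


if __name__ == "__main__":
    for ip, (first_seen, vhost) in find_login_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} flooded {vhost} login at {first_seen.isoformat()}: {pf_block_rule(ip)}")
```

Run against a live log with `tail -F` piped into the script and the window loop will fire on the fifth POST in the burst, which in the excerpt above is two seconds into the attack; the benign address never reaches the threshold, so a legitimate user mistyping a password a few times is not blocked. Tune the threshold to the slowest rate at which MySQL on the box can still keep up.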