19 Nov

Web Application Firewalls: Don’t Leave Home Without Them

screenshot of IP blocks

A week of very persistent pests

Brute Force Attacks. Every day some random bot comes along and tries to poke and prod its way into our humble website. Our site isn’t alone in this; pretty much the golden rule of life on the Internet is simple:

If People Can Access It, Someone will come along and try to break it.

Now of course, a site left on your local computer, where it’s safe and sound, does nobody any good. It’s hardly useful for much of anything if you don’t put it out on the Internet... but once you do, the bots will come to play. Sometimes those bots are only looking for a place to leave their link-laden spam comments, but sometimes they come looking for something a little bit more dangerous.

Sometimes they come looking for a valid login to your site. Maybe they want to be able to leave their link spam as a valued member of your community, or maybe they’re after your admin account so they can do any number of naughty things with your website; who knows. While the goal is unknown and random, the attempt is pretty standard: they’ll hit your site’s login page repeatedly, trying various random username/password combinations in the hope of finding a pair that works.

Even if your user accounts have pretty hefty, obscure and hard-to-guess passwords, on a long enough time frame, unchecked, they’ll eventually (days, weeks, possibly months or years later) get in. But even before they get through the door, they can make your day a little less perfect just by their presence. Every attempt to log into your system generates a little bandwidth, a few log entries and a little CPU usage, and they don’t just try a handful of times; no, some of the bots are downright brutal in their assault on your account’s resources. In short, every little slice of CPU they tie up is a little slice of CPU that didn’t go towards serving your real visitors.

Ironically, the bots who ‘hammer’ the hardest are the ones we spot the fastest. We’ll get an alert that CPU load on a particular server is a bit out of the realm of ‘normal’ for one of our systems, and we’ll investigate. Usually we’ll get on the box, see the bogus traffic, filter it out at the system firewall level, and watch the load on the box drop. Sometimes the bot owners have more than one (previously hacked, no doubt) system on the Internet that they use to launch their attacks from, so there’s sometimes an element of cat and mouse at play here.

But the “lower, slower” attacks might not send up any red flags at the server-wide level. This is where something a bit more intertwined with your site can make a big difference. The trick is, you need a way to identify and shut down, or at least delay, their antics. You want to make your site a big enough pain to break into that they go off looking for easier prey.

How you can accomplish this depends entirely on the platform your site is built on:

  • WordPress: Wordfence is the 500lb gorilla of WordPress Application Firewall plugins, while All In One WP Security is another very popular solution. Both of these plugins do far more than just ‘detect and block bad attempts’, but there are other, more specialized plugins such as Login LockDown that can give you basic login protection without the overhead and learning curve of the more ‘all encompassing’ security plugins.
  • Drupal, Joomla, and other popular CMS platforms: Check your preferred platform’s module/plugin directories and see what other people are using. In general, adding a Captcha to your login pages is a good first step, but most platforms will offer something a bit more comprehensive.
  • Custom Platforms: A custom website CMS platform, while not immune to this type of attempted attack, is far less likely to have a problem with would-be attackers. Our old site (built on a custom content management system) rarely saw bot ‘visitors’ who hammered at it for longer than a couple of moments before they gave up and moved on elsewhere. In general, our site’s “uniqueness” in terms of its software made it not worth the hassle. Over the years we did see a few targeted attempts to brute force into the site, but those were usually rebuffed by a pretty standard “X bad attempts = account locked out” routine in the login system.
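As an added illustration (not code from the original post or from any of the plugins named above), here is the kind of logic behind a “X bad attempts = account locked out” routine, extended to also surface the hammering IPs you would hand to the system firewall and the “lower, slower” attacks that spread a few failures per IP across many addresses. The log format, thresholds, addresses and timestamps are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example, not values from the post.
MAX_FAILS_PER_ACCOUNT = 5       # "X bad attempts = account locked out"
MAX_FAILS_PER_IP = 20           # noisy enough to block at the system firewall
WINDOW = timedelta(minutes=15)  # failures older than this no longer count


def build_sample_log():
    """Construct fictional login-attempt lines: '<iso time> <ip> <user> <FAIL|OK>'."""
    base = datetime(2014, 11, 17, 9, 0, 0)
    lines = []
    # Noisy bot: 25 rapid failures from one IP, a different guessed username each time
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.9 user{i} FAIL")
    # Low-and-slow: the admin account probed twice each from three IPs, minutes apart
    for j, ip in enumerate(["198.51.100.7", "198.51.100.8", "198.51.100.9"]):
        for k in range(2):
            t = base + timedelta(minutes=2 * j + k)
            lines.append(f"{t.isoformat()} {ip} admin FAIL")
    # A real visitor who mistyped once and then logged in
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 192.0.2.10 alice FAIL")
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()} 192.0.2.10 alice OK")
    # An old failure outside the window, which must not count
    lines.append(f"{(base - timedelta(hours=2)).isoformat()} 192.0.2.11 bob FAIL")
    return "\n".join(lines)


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def analyse(log_text, now):
    """Return (accounts to lock, IPs to block) from failed logins inside WINDOW."""
    fails_by_user = defaultdict(int)
    fails_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        ts, ip, user, outcome = parse_line(line)
        if outcome != "FAIL" or now - ts > WINDOW:
            continue
        fails_by_user[user] += 1   # catches low-and-slow attacks spread over many IPs
        fails_by_ip[ip] += 1       # catches one IP hammering many usernames
    locked = sorted(u for u, n in fails_by_user.items() if n >= MAX_FAILS_PER_ACCOUNT)
    blocked = sorted(ip for ip, n in fails_by_ip.items() if n >= MAX_FAILS_PER_IP)
    return locked, blocked


def run_sample():
    """Evaluate the constructed log as of 09:10 on the sample day."""
    return analyse(build_sample_log(), datetime(2014, 11, 17, 9, 10, 0))
```

On the sample data the admin account is locked even though no single IP exceeded the per-IP threshold, while the noisy bot’s address is flagged for a firewall block without any of its guessed usernames being locked.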

To be fair, the ‘economies of scale’ in ‘website hacking’ tend to make the popular, off-the-shelf platforms more of a target for these sorts of issues. The simple fact is, if I’m an evil-hacker-type and I want to build a bot script that tries to gain illicit access to people’s sites... I’m going to target the most popular website platforms I can think of, not the weird little systems that only a handful of sites are using. It’s simple “targeting in numbers”.

And of course, if your website consists entirely of static content generated ‘offline’ and served from your site as simple HTML files, these types of attacks are pretty meaningless to you. But you still need to be aware of the possibility of automated password attacks, and do things like ensure your email and cPanel passwords are complex and effective, and, please, rotate them on a regular basis, just in case.