With the explosion in web creation tools, owning a website is no longer the domain of a select few. Whether you have an online store, a “business card” site or a fan site for your passion, setting up a website can be done by almost anyone with a need and a little patience.
What many people fail to realize is that, just like your home PC, a little care is needed if you are to avoid having your website taken over and either vandalized or used as a springboard for spreading viruses. After all, which of your friends wouldn’t download something from a website they knew you created?
Think people aren’t attacking your site? A quick look at the sites I have set up showed that, without exception, every one of them had logged attempts to log in using brute force password cracking. I know this because I have software installed on these sites that tracks failed attempts to log in and, if they occur often enough (10 tries in my case), my site automatically blocks access from those IP addresses with increasingly long lockouts and sends me a note to let me know about it. Here’s a sample from one of the sites I take care of:
| IP | Tried to log in as |
|---|---|
| 18.104.22.168 | username (2 lockouts) |
| 22.214.171.124 | admin (1 lockout) |
| 126.96.36.199 | admin (3 lockouts) |
| 188.8.131.52 | admin (2 lockouts) |
| 184.108.40.206 | admin (1 lockout) |
| 220.127.116.11 | ****** (1 lockout), ***** (1 lockout), admin (1 lockout) |
| 18.104.22.168 | admin (1 lockout) |
| 22.214.171.124 | admin (1 lockout) |
| 126.96.36.199 | admin (1 lockout) |
| 188.8.131.52 | admin (1 lockout) |
| 184.108.40.206 | admin (1 lockout) |
| 220.127.116.11 | admin (1 lockout), administrator (1 lockout), root (1 lockout) |
| 18.104.22.168 | admin (2 lockouts), administrator (1 lockout), root (1 lockout), user (2 lockouts), ******* (2 lockouts) |
| 22.214.171.124 | admin (1 lockout), administrator (1 lockout), ****** (1 lockout), ******* (1 lockout) |
| 126.96.36.199 | administrator (1 lockout) |
| 188.8.131.52 | administrator (1 lockout) |
| 184.108.40.206 | administrator (1 lockout) |
| 220.127.116.11 | administrator (1 lockout) |
| 18.104.22.168 | administrator (1 lockout), test (1 lockout) |
| 22.214.171.124 | administrator (1 lockout) |
| 126.96.36.199 | administrator (1 lockout) |
| 188.8.131.52 | administrator (1 lockout) |
| 184.108.40.206 | root (1 lockout), user (1 lockout) |
| 220.127.116.11 | root (1 lockout) |
| 18.104.22.168 | root (1 lockout) |
| 22.214.171.124 | root (1 lockout) |
As you can see, usernames like admin, administrator, root, and variants of the URL (starred out for privacy reasons) have all been tried. It’s one of the reasons I NEVER use those as either a user id or a password.
Attacks mostly seem to come from the Czech Republic, the Republic of Korea, Ukraine and so on.
Why those places and what are they doing? Who cares? The important thing to realize is that even the website you put together as a memorial to your beloved dog can, and will, be attacked.
The site I pulled the lockout information from is only special to the people that use it. It doesn’t get millions of views, isn’t a political or controversial group, and doesn’t contain any secret information. In fact, everything on the site is public. So if they are being attacked, then it’s a very good bet that your website is too.
So what can you do about it?
Well, you can’t stop people attacking you, but you can make life difficult for them by taking some simple steps.
- The most obvious, and easiest, thing to do is to make sure that you don’t use any common user names or passwords. If your website provider sets up a default user such as Admin when your site is built, change it! Passwords don’t have to be long and hard to remember – two random words like BlueDriver or NotedMarketer will keep people guessing long enough to make them bored. If you use Admin and password because they are easy to remember then you deserve what you get.
- Install software that can lock out repeated login attempts. There are many of these around and they are often free. Install them for some peace of mind and sleep easily knowing that someone isn’t bombarding your website with thousands of login attempts.
- Make sure that you keep your website software up to date. As the HeartBleed bug showed us, no website is foolproof, so make sure that vulnerabilities are patched regularly.
Those three simple steps alone should keep the vast majority of people at bay. Sure, there are a few highly skilled people out there that could get in if they wanted to, but with so many juicy targets for their talents why would they waste their time on your cooking blog? Nope…it’s the equivalent of the thug with a brick that we want to stop and the steps above are the equivalent of a spray can full of mace to those guys.
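The lockout behaviour described earlier (block an IP after 10 failed logins, lengthen each successive lockout, send a note) can be sketched as follows. This is an added example, not the software running on the sites in this post; the `LoginLockout` class, the 20-minute first lockout, the doubling rule and the 24-hour cap are assumptions.

```python
import time
from collections import defaultdict

MAX_FAILURES = 10                    # threshold quoted in the post
BASE_LOCKOUT_SECONDS = 20 * 60       # assumed length of the first lockout
MAX_LOCKOUT_SECONDS = 24 * 60 * 60   # assumed cap on escalation


class LoginLockout:
    """Per-IP failed-login tracker with escalating lockouts (hypothetical helper)."""

    def __init__(self, notify=print, clock=time.time):
        self.notify = notify          # callable that delivers the "note" to the site owner
        self.clock = clock            # injectable so the logic can be tested without waiting
        self.failures = defaultdict(int)                        # ip -> failures since last lockout
        self.lockouts = defaultdict(lambda: defaultdict(int))   # ip -> username -> lockouts
        self.blocked_until = {}                                 # ip -> unix time the block ends

    def is_blocked(self, ip):
        """Call before checking credentials; reject the request if True."""
        return self.clock() < self.blocked_until.get(ip, 0)

    def record_failure(self, ip, username):
        """Count one failed login. Returns True if it triggered a new lockout."""
        if self.is_blocked(ip):
            return False
        self.failures[ip] += 1
        if self.failures[ip] < MAX_FAILURES:
            return False
        self.failures[ip] = 0
        self.lockouts[ip][username] += 1
        total = sum(self.lockouts[ip].values())
        # Each lockout for the same IP is twice as long as the previous one, up to the cap.
        duration = min(BASE_LOCKOUT_SECONDS * 2 ** (total - 1), MAX_LOCKOUT_SECONDS)
        self.blocked_until[ip] = self.clock() + duration
        self.notify(f"{ip} locked out for {duration}s (lockout #{total}), last tried {username!r}")
        return True

    def record_success(self, ip):
        """A valid login clears the failure count but keeps the lockout history."""
        self.failures.pop(ip, None)

    def report(self):
        """Lockouts per IP and username, the same shape as the table in the post."""
        return {ip: dict(users) for ip, users in self.lockouts.items()}


if __name__ == "__main__":
    guard = LoginLockout()
    for _ in range(MAX_FAILURES):               # constructed traffic from a documentation-range IP
        guard.record_failure("203.0.113.7", "admin")
    print(guard.report())
```

The login handler calls `is_blocked` before it looks at the password, so a blocked address gets no further guesses until the lockout expires.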