Just my twopence and what we did. It might help someone. We are not server techies but this worked for us.
We have 3 servers that have several hundred installations of Opencart on them and they are all being hammered and have been for a while. The servers have fallen over a few times due to the load. It's around 600-800 IPs hitting each server.
There are various methods of attack by the looks of the logs, so we think there are different versions of the brute force script in circulation. We have seen one that first connects to the admin page and then attempts a password so the blank referer PHP code in this thread doesn't work and the plugin in the marketplace isn't effective. Obviously still install it as it does help.
Weirdly, whichever method/script they are using, the User-Agent is always the same, which makes me think the script circulating might be encoded. The script kiddies can't change it. Let's face it, if you cycle the User-Agent in your code, it's going to be a lot harder for people to block.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
It was pretty impossible for us to connect everyone to Cloudflare so we were just brutal with the following block using Apache to get the servers back under control.
We blocked "Ubuntu" to immediately mitigate the script and in case the browser part of the User-Agent changed. Yes, it will block whoever is using Ubuntu to browse your shop but don't worry, that one bloke won't buy anything ;-)
If you are just protecting one site then you can specify <Directory "/home/whatever/admin"> but since we had about a hundred on each server we put this into the Apache conf:-
<Directory "/">
SetEnvIfNoCase User-Agent "Ubuntu" bad_bots
<RequireAll>
Require all granted
Require not env bad_bots
</RequireAll>
</Directory>
The next bit is a little rudimentary and a server techie could probably do something in Bash to achieve the same thing.
You need to be running a firewall. We use CSF but any will work.
Go into your logs folder and grep all the logs for the User-Agent :-
[root@host domlogs]# grep -r "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" * > block.csv
This gave us about 500k lines in the block.csv file.
Import this CSV into Excel and choose the delimiter that is directly after the IP. Ours was a - (This will be different from server to server)
This will put all the IPs in the first column of the Excel sheet. We then removed the duplicates (Google how).
We then added those IPs into the block file of our CSF firewall so they are blocked, reducing the load on the machine.
Any new IPs hitting the admin get a 403 Forbidden server error due to the Apache block.
Our server load went from over 60 back down to under 3 again pretty quickly.
178.62.213.36 - - [20/Jun/2022:13:06:24 +0100] "GET / HTTP/1.1" 403 - "https://www.co.uk/admin/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
A bit hack and slash I have to admit and someone that knows what they are doing would probably offer some tips to improve it.
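The grep / Excel / remove-duplicates steps from the post above, done as one shell pipeline instead. This is an added example and not the poster's or Opencart's own code; it assumes Apache combined-format logs with the client IP as the first field (as in the log line quoted above), uses constructed sample lines with documentation IPs, and the "IP # comment" csf.deny line format is an assumption to check against your CSF install.

```shell
#!/bin/sh
# Added example, not from the original post: the grep -> Excel -> dedupe steps
# as one pipeline. Assumes Apache combined-format access logs with the client
# IP as the first field.

UA='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0'

# extract_ips LOGFILE...: unique client IPs whose requests carried $UA.
# -F matches the UA as a literal string (it contains '(' and '.'); -h drops
# the filename prefix grep adds when given several files.
extract_ips() {
    grep -hF "$UA" "$@" | awk '{print $1}' | sort -u
}

# count_hits LOGFILE...: per-IP hit counts, busiest first, to review before blocking
# (the same UA is also sent by a genuine Firefox 62 on Ubuntu).
count_hits() {
    grep -hF "$UA" "$@" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# csf_deny_lines LOGFILE...: one line per IP in "IP # comment" form.
# Assumption: that is what CSF's deny file accepts; append only after review.
csf_deny_lines() {
    extract_ips "$@" | sed "s/$/ # opencart admin brute force, UA block/"
}

# Constructed sample lines (documentation IPs, not real traffic) so this runs stand-alone.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [20/Jun/2022:13:06:24 +0100] "GET / HTTP/1.1" 403 - "https://shop.example/admin/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
203.0.113.10 - - [20/Jun/2022:13:06:25 +0100] "POST /admin/ HTTP/1.1" 403 - "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
198.51.100.7 - - [20/Jun/2022:13:07:01 +0100] "GET / HTTP/1.1" 403 - "https://shop.example/admin/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
192.0.2.44 - - [20/Jun/2022:13:07:05 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/101.0"
EOF

count_hits "$SAMPLE_LOG"       # 2 hits from 203.0.113.10, 1 from 198.51.100.7
csf_deny_lines "$SAMPLE_LOG"   # two deny lines; 192.0.2.44 (other UA) is not listed
```

On a real server point the functions at the domlogs directory (`extract_ips /path/to/domlogs/*`) and read the count_hits output before feeding anything to the firewall.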