I manage several websites and generally follow industry standard practices to secure and harden these sites. I believe in ‘Defense in Depth’ and so I deploy several security focused products and services which focus on web applications. As many of these sites are run on a very tight budget I use a mixture of free and low cost services. Although the services do not cost much, and in most cases are free, they are still effective as I will demonstrate in the post below.
Most of the sites run on Microsoft’s Azure platform and take advantage of the security at scale Microsoft has implemented on their public cloud service. The websites start on the lower cost shared service but can scale automatically as required without any need for a migration project or additional hardware resources.
I also terminate TLS at Cloudflare using its certificates so that traffic to and from the sites is encrypted (it is worth checking that the SSL mode is set to Full (strict), since Cloudflare's Flexible mode leaves the Cloudflare-to-origin leg in plaintext). Furthermore, I make use of Cloudflare's proxy firewall service. Sites running WordPress are protected by a security plugin from Sucuri to specifically manage application level security.
Finally, I always configure reCAPTCHA on any admin login form to slow down brute-force login attempts. This is especially relevant for WordPress, whose wp-login.php is a constant target of automated scripts. Below you can see an example of this in practice.
Case Study – A Real World Example
Background and Investigation
As I take an active stance in maintaining websites I manage, I often wake up with my inbox looking like the image below. This example is a WordPress website which has the Sucuri plugin installed and has alerted me to the fact that there were multiple failed login attempts for this website. I will now walk through how each technology is used to protect this site and how I utilize the individual services to create a defense in depth solution.
If I open one of the email alerts I am presented with more than enough information to ascertain the legitimacy of the alert. See image below.
As you can see I have the time and date of the failed login attempt, the site that was targeted, and the IP address the login originated from. I also have the username that was used during the failed login attempt. What is interesting to note in this specific login attempt is that 'admin' was the username tested. This is a real-world example of why you should refrain from using the 'admin' username as an administrator on a WordPress site.
Authentication credentials are made up of a username and password. If the username is easily guessed, the attacker already holds one of the two pieces of information required to log in to your site. Make no mistake, valid WordPress usernames are not hard to obtain (author archive URLs such as ?author=1 reveal them, for example), but a non-default username still defeats the large share of automated scripts that only ever try 'admin'. As you can see from another email alert example below, the attacker did eventually obtain a valid username for the site, but only after some legwork. Note the time difference between the two attempts: just under 3 hours.
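The triage above (group the alerts by source IP, see whether default usernames were tried, and measure how long it took the attacker to reach a valid username) is easy to automate. The following is an added example, not the post's own tooling and not Sucuri's code: it runs over a constructed set of alert records whose fields mirror what the alert e-mails carry (time, site, source IP, username). The site name, IPs, the assumed set of real account names and the burst threshold are all placeholders.

```python
"""Triage WordPress failed-login alerts per source IP.

Added example (not the post's own tooling). The sample events below are
constructed: they mimic the fields a Sucuri alert e-mail carries (time, site,
source IP, username) so the logic can run offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class FailedLogin(NamedTuple):
    when: datetime
    site: str
    src_ip: str
    username: str


# Constructed sample: one source cycles through default usernames, then a
# few guesses, and only hours later hits the real account name; a second
# source makes a single stray attempt.
SAMPLE_ALERTS = """\
2016-03-02 03:14:05 example.org 198.51.100.23 admin
2016-03-02 03:14:09 example.org 198.51.100.23 admin
2016-03-02 03:14:14 example.org 198.51.100.23 administrator
2016-03-02 03:20:41 example.org 198.51.100.23 example
2016-03-02 06:10:58 example.org 198.51.100.23 siteowner
2016-03-02 06:11:03 example.org 198.51.100.23 siteowner
2016-03-02 09:00:00 example.org 203.0.113.7 siteowner
"""

VALID_USERS = {"siteowner"}                       # assumed real account names
DEFAULT_USERS = {"admin", "administrator", "root", "test", "user"}


def parse_alerts(text: str) -> List[FailedLogin]:
    """One event per non-empty line: 'YYYY-MM-DD HH:MM:SS site ip username'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, site, ip, user = line.split()
        events.append(FailedLogin(datetime.fromisoformat(f"{date} {clock}"), site, ip, user))
    return events


def burst(times: List[datetime], threshold: int, window: timedelta) -> bool:
    """True if any `window`-long span holds at least `threshold` attempts."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        # j is the first index outside the window that starts at times[i];
        # it only ever moves forward because the list is sorted.
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


def summarise(events: List[FailedLogin], threshold: int = 3,
              window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Per-IP view: volume, whether default names were tried, whether the
    attempts form a burst, and how long enumeration took to reach a valid user."""
    by_ip: Dict[str, List[FailedLogin]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.when)
        first_valid: Optional[datetime] = next(
            (e.when for e in evs if e.username in VALID_USERS), None)
        report[ip] = {
            "attempts": len(evs),
            "usernames": sorted({e.username for e in evs}),
            "tried_default_user": any(e.username in DEFAULT_USERS for e in evs),
            "burst": burst([e.when for e in evs], threshold, window),
            "time_to_valid_user": (first_valid - evs[0].when) if first_valid else None,
        }
    return report


def candidates_to_block(report: Dict[str, dict]) -> List[str]:
    """IPs worth a firewall rule: bursty, or clearly enumerating usernames."""
    return sorted(ip for ip, r in report.items()
                  if r["burst"] or (r["tried_default_user"] and r["attempts"] > 1))


if __name__ == "__main__":
    rep = summarise(parse_alerts(SAMPLE_ALERTS))
    for ip, r in rep.items():
        print(ip, r)
    print("block:", candidates_to_block(rep))
```

On the constructed sample the first source is flagged both for a burst (four attempts inside ten minutes) and for trying default usernames, and its time-to-valid-user comes out at just under three hours, the same pattern the alerts above show; the single stray attempt from the second source is left alone.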
This site has reCAPTCHA on the login form, which stops a brute-force script from completing its guesses, so I could leave it and hope the attacker eventually gives up. The password is a 16+ character string of random characters, so I am fairly certain it is not in any password dictionary out there. I do however have the problem of a flooded inbox and the outside chance that he could eventually guess the password. Highly unlikely, but still possible.
I could disable alerting for failed login attempts on the Sucuri plugin to resolve the flooded inbox issue. This is not ideal, as I would no longer be alerted to failed login attempts for this site and would need to trawl through logs to find this data. Instead, I am going to block this IP via the Cloudflare proxy firewall I have configured. That will prevent the attacker from reaching this site from that IP address. He could simply switch to another IP and continue, but I am hoping that this additional block will be a deterrent to any further attempts.
As I am a little curious as to the identity or location of this attacker, I look the IP up on geoiptool.com, which reports that it is in Ukraine and uses fregat.ua as its ISP.
I log in to Cloudflare and block this IP address on the IP Firewall. I opt to block it for all websites I manage, as it seems to be a malicious individual user based on the ISP and DNS information I gleaned from geoiptool.com. Interesting to note that this is not the first IP from that range that I have had to block. See image below.
As soon as I enabled the firewall rule the alerts ceased and my inbox returned to normal.
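The same account-wide block can be applied from a script instead of the dashboard, which is useful once the triage above produces a list of offenders rather than a single IP. The following is an added example, not the post's own tooling and not Cloudflare's code: the endpoint and JSON shape are those of Cloudflare's documented user-level IP Access Rules API (which, like the dashboard option used above, applies to every zone in the account), while the API token, the list of existing rules and the IP addresses are constructed placeholders. Without a token it runs as a dry run and only returns the payload it would send.

```python
"""Block an attacking IP for every site at once through Cloudflare's
account-wide IP Access Rules.

Added example (not the post's own tooling). The endpoint and JSON shape are
Cloudflare's documented /user/firewall/access_rules/rules API; the API token,
the list of existing rules and the IP addresses are constructed placeholders.
"""
import ipaddress
import json
import urllib.request
from typing import List, Optional

# User-level rules apply to every zone in the account, which is what "block
# for all websites I manage" needs; per-site rules live under
# /zones/{zone_id}/firewall/access_rules/rules instead.
API_URL = "https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules"

# Constructed: rules already in place, including a whole range blocked earlier.
EXISTING_RULES = [
    {"mode": "block", "configuration": {"target": "ip_range", "value": "198.51.100.0/24"}},
    {"mode": "block", "configuration": {"target": "ip", "value": "203.0.113.7"}},
]


def already_covered(ip: str, rules: List[dict]) -> bool:
    """True if an existing block rule already matches `ip` (single IP or CIDR)."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule.get("mode") != "block":
            continue
        cfg = rule["configuration"]
        if cfg["target"] == "ip" and ipaddress.ip_address(cfg["value"]) == addr:
            return True
        if cfg["target"] == "ip_range" and addr in ipaddress.ip_network(cfg["value"], strict=False):
            return True
    return False


def build_rule(ip: str, note: str, whole_range: bool = False, prefix: int = 24) -> dict:
    """Payload for one block rule; `whole_range` widens it to the /prefix network.
    Cloudflare only accepts /16 or /24 for IPv4 ranges, so keep `prefix` to those."""
    addr = ipaddress.ip_address(ip)          # ValueError on anything that is not an IP
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        raise ValueError(f"refusing to block {addr}: not a routable source address")
    if whole_range:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        cfg = {"target": "ip_range", "value": str(net)}
    else:
        cfg = {"target": "ip", "value": str(addr)}
    return {"mode": "block", "configuration": cfg, "notes": note}


def block_ip(ip: str, note: str, token: Optional[str] = None,
             rules: List[dict] = EXISTING_RULES, whole_range: bool = False) -> Optional[dict]:
    """Return None if already covered; the payload in dry-run mode (no token);
    otherwise the API response after creating the rule."""
    if already_covered(ip, rules):
        return None
    payload = build_rule(ip, note, whole_range)
    if token is None:
        return payload                       # dry run: nothing is sent
    req = urllib.request.Request(
        API_URL, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: no token, so nothing is sent.
    print(block_ip("192.0.2.50", "brute force against wp-login.php"))
    print(block_ip("198.51.100.23", "already covered by the /24"))
```

Checking new IPs against the rules already in place avoids piling up duplicate entries when, as in this case, a whole range from the same network has been blocked before; the loopback/multicast guard is there so a typo in the address never turns into a rule that blocks nothing useful.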
List of Tools and Services Used
Here is a reminder of the tools I used to protect my sites and how I manage failed login attempts.
- I host on a public service provider and choose Platform as a Service so that I do not have to secure the infrastructure layer in addition to the application and data layers.
- I encrypt all traffic to and from the sites and use Cloudflare for this purpose.
- I channel all traffic through Cloudflare’s proxy firewall service.
- I add a CAPTCHA challenge (reCAPTCHA) to admin login forms to defeat brute-force attack scripts. Note that this is a bot-mitigation control, not true two-factor authentication; where a site supports it, a real second factor such as a TOTP plugin is the stronger option.
- I install the Sucuri plugin on all WordPress sites I manage and configure it to alert me to any failed login attempts. I also run malware scans periodically using this plugin in case a site has been compromised despite these controls.
All the services I use in the list above are free except for the hosting of the site.
I hope this illustrates that, whatever the size of your site or budget, you can always implement cost-effective, enterprise-class website security.