[dokuwiki] Re: Question about URLs and attempted hacking

  • From: Colin McKinnon <colin.mckinnon@xxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Thu, 22 Aug 2013 22:39:51 +0100

On 22 August 2013 01:17, Filippo Salustri <salustri@xxxxxxxxxx> wrote:

> Hi,
> In my apache logs, I find a great number of POST records that are
> apparently successful (code 200) that all have the same typical form:
>
> /dokuwiki/design:product_strategy?do=login&sectok=893ea2c3407f7489641d20c6a2ab69f6
>
>
The sectok is there to prevent CSRF; it changes when the session id changes.

On the face of it, it looks like someone is trying to brute force their way
into your wiki. That they are trying a great number of times suggests
they've not managed to get in.

A standard dokuwiki installation is not particularly resistant to such
attacks - but the same can be said of every install-yourself PHP
application I've come across: securing the login page of a web application
against brute force attacks is really hard without adding additional
software and config.

If you are running on a Linux platform then an easy way to protect against
such attacks is to run fail2ban against your access logs looking for the
do=login pattern (there might also be a version for BSD). This looks for
recurring patterns in log files - when there are X occurrences within Y
seconds then the corresponding IP address is blocked.

Using complex passwords doesn't require additional software/config and is
also very effective.

HTH

C.


> where the page and the token change often but not always.
>
> Now, many of these requests come from IPs that my University knows are
> hives for spambots and crackers.
>
> Should I be worried?
> Is there anything specific I should be watching out for?
>
> Thanks in advance.
> /fas
> \V/_
> Prof. Filippo A. Salustri, Ph.D., P.Eng.
> Email: salustri@xxxxxxxxxx
> http://deseng.ryerson.ca/~fil/
>



-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM d s+:+ a+ C+++(---)$ UL+++ P+(--) L+++ E--- W+++ N++ w-- PS++(+++())
t+ 5+ X R- tv-- b++ DI++ D e+++ h----
------END GEEK CODE BLOCK------
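
The "X occurrences within Y seconds" rule described in the reply above, as an added example that is not part of the original message and is not fail2ban's own code: a sliding-window counter over Apache access-log lines that flags client IPs sending POST requests with do=login too often. The Apache common/combined log format, the name find_offenders, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*"'
)

def find_offenders(lines, max_hits=3, window_seconds=60):
    """Return {ip: time of the login POST that crossed the threshold}.

    max_hits and window_seconds play the role of X and Y in the message
    above; the default values are assumptions, tune them to your traffic.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        query = m["url"].partition("?")[2]
        if "do=login" not in query.split("&"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= max_hits and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

# Constructed sample log lines (documentation-range IPs, placeholder tokens).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2013:01:00:01 +0100] "POST /dokuwiki/design:product_strategy?do=login&sectok=EXAMPLE1 HTTP/1.1" 200 5120',
    '198.51.100.20 - - [22/Aug/2013:01:00:02 +0100] "POST /dokuwiki/start?do=login&sectok=EXAMPLE2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Aug/2013:01:00:05 +0100] "POST /dokuwiki/start?do=login&sectok=EXAMPLE1 HTTP/1.1" 200 5120',
    '192.0.2.5 - - [22/Aug/2013:01:00:07 +0100] "GET /dokuwiki/start?do=login HTTP/1.1" 200 4800',
    '203.0.113.7 - - [22/Aug/2013:01:00:09 +0100] "POST /dokuwiki/start?do=login&sectok=EXAMPLE3 HTTP/1.1" 200 5120',
    '198.51.100.20 - - [22/Aug/2013:01:02:00 +0100] "POST /dokuwiki/start?do=login&sectok=EXAMPLE2 HTTP/1.1" 200 5120',
    '198.51.100.20 - - [22/Aug/2013:01:04:00 +0100] "POST /dokuwiki/start?do=login&sectok=EXAMPLE2 HTTP/1.1" 200 5120',
]
```

With the defaults only 203.0.113.7 is flagged; the widely spaced POSTs from 198.51.100.20 stay under the threshold until the window is widened, which is the trade-off to weigh when choosing X and Y.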
