I have installed Wyomind's extension to record attempted logins to my magento site. I have seen over 10,000 attemped logins which appear to be based on a dictionary style name attack every two minutes. When I view the extensions details it is stating that the logins are occuring at /downloader/index.php?A=loggedin and are coming from the IP address of my server i.e. the same IP address that my site is hosted on. I have checked the raw access logs and these appear to tally with the extension suggesting the extension is providing the correct information.
Is this a rouge extension on my server trying to gain access or is it something I should not worry about?
Any advice would be greatly appreciated.
Solved! Go to Solution.
Not sure as to why they're appearing to come from your server address, unless you're on a shared server, one of the accounts has been compromised and somebody's using curl or htget with a script to automate the dictonary attack directly from the server.
10,000 tries on a dictionary attack is nothin', they have the whole dictionary to try, and Magento has no security against it unless you have a module that watches, records bad attempts and more importantly, locks down the backend access when the login retries exceed a certain amount.
Do the following to protect your admin backend and download utility, neither of which should be exposed to any more than a number of addresses you can count on one hand. The random ip address access from a coffee shop anywhere in town " 'cause ya just need ta check the graph to see how many sales you made in the last 30 minutes" is a pipe dream in today's security environment.
Use .htaccess to limit by ip range, who can access the following URLs
Change your admin url in app/etc/local.xml if you already haven't.
Thanks for taking the time to write such a detailed reply, it's really appreciated.
I will follow your advice and restrict the IP range and move the admin login. I will also contact my host to see if there is anything they can dig up.