Close

Update.

A project log for ramanPi - Raman Spectrometer

The open source 3D Printable Raman Spectrometer using a RaspberryPi and easy to find off the shelf components..

flcfl@C@ 05/08/2016 at 17:426 Comments

So.. I figured I'd consolidate the last few logs into this one to make it easier to follow what's going on...

Hackers.. I moved ramanPi.org over to a new host...and it's helped with reliability... But it hasn't stopped the 1,004 malicious login attempts and constant bot traffic trying to overwhelm the site.. I don't have the resources, time or whatever to spend on mitigating the constant attacks...

Soo..... Basically, as a result.. I can't seem to recover anyone's email addresses, etc. If you were interested in developing, or were participating... Contact me here, I know a lot of people have..and I'm trying to keep up.. I'll get to you soon! But I'm thinking of just forming the 'team' here at hackaday.io to make life easier. It's not as organized, and a little restrictive...but it's here.

So, hopefully some of you see this..and so on... Here's to picking up where we left off... :D I'll try to update here with what I can..

Discussions

A. M. Aitken wrote 05/12/2016 at 23:02 point

I'm not a sys admin by any description.  Could you operate with a whitelist?  I suppose it might depend on how the blocking is implimented but if bad IPs are being flatly ignored at a low level that should be efficient.

I get "Advanced blocking in effect".  I'm not sure what that means or what wordfence is.

  Are you sure? yes | no

fl@C@ wrote 05/12/2016 at 23:10 point

Wordfence is one of the security/firewall plugins I have installed on wordpress.. ( 

https://wordpress.org/plugins/wordfence/ )

The Advanced blocking is probably referring to the rules I have set up to block specific ranges.  

I probably could operate with a whitelist.. Would I need to know then who is 'authorized' to access?  I'm not an expert by any means....but it seems that even with the .htaccess blocking so many ranges, it still slows the server from all the attempts...but that could also be my skewed perspective after dealing with this.. lol.  

Maybe another thing I could do along those lines is remove a lot of the redundant blocking rules and clean it up that way as well....adding the whitelist with it.  It's just been so time consuming, not to mention the added cost of the new host as well.. :/

  Are you sure? yes | no

A. M. Aitken wrote 05/13/2016 at 00:07 point

I remembered to hit the right reply button! 

I don't know how a wordpress site even works but I'm wary of an all singing all dancing plugin for a lot of reasons.  If nothing else sending back an error webpage to every blocked IP must use a lot of traffic anyway.  I'd have thought what you needed would be a very simple filter on the shell using as little resources as possible that is just a black hole to outsiders, no ACK.  I have no idea what that would be.  Aside from complex scripts and CPU usage I find that every time I install a new antivirus I get dozens of hits reporting viruses that are 4k demos or packed tools and I need to wade through a lot of dire warnings that seem to have little or no meaning along side a few genuine nuisances.

  I imagine security software that makes users feel like they didn't need to bother installing doesn't sell as well as one that confidently tells you that your bank account was about to be stolen by helloworld.c cross compiled into ARM code.

1000 bad login attempts doesn't sound like a problem unless it's every second.  I'm on one site where 500 login attempts an hour and the whip being cracked over people setting secure and unique passwords was the norm for a while.  I find it really odd they are hitting your site so hard.

I've asked one of the guys that 'firefights' for that site and he said wordfence can be a problem when the log level is set too high.  He also pointed me to https://wordpress.org/support/topic/plugin-wordfence-security-slow which suggests "disabling live traffic".

I wish I could help more.  I was Marvin on the site btw.  I checked progress occasionally but hadn't posted in some time.  It's past midnight so I'm off to sleep now.

  Are you sure? yes | no

fl@C@ wrote 05/27/2016 at 20:16 point

Hey Alexander (Marvin)!  Sorry it took me so long to get back...  Thank you, that's a lot of good information!  I agree, all the traffic it's generating just replying back is probably a huge part of the load..  Originally I didn't know it replied back, I was thinking it'd just return a 403 Forbidden up... doesn't sound like it is... :/  

I'm pretty much a wordpress novice....and I agree...one plugin that claims to do it all is probably not optimal....and the free version at that.. I'm a little unsure where to go from here tho.. I will definitely try the url you listed about turning off the live traffic feature...

I'm not sure if I have shell access on this host, I will check that too..  I'd love to get it back up and going...!

  Are you sure? yes | no

A. M. Aitken wrote 05/12/2016 at 22:48 point

This is a really shitty thing.  I'd heard you'd had a hack of the site, I didn't realise it was still going on.  Do the bots have blockable IP ranges?

  Are you sure? yes | no

fl@C@ wrote 05/12/2016 at 22:55 point

Thanks Alexander..  I totally agree.... It is definitely unfortunately still going on...  I spent many many hours over the past week trying to keep up and block IP ranges.. They were coming in so fast I had to keep two windows open so I could track the incoming IPs and block them without having to spend the time going back and forth..  Eventually, it became pretty apparent that they were coming from literally everywhere.. Mostly LA, Buffalo NY, China, Ukraine, and a bunch more.. I even went so far as to narrow it to a very small range and block everything else...they still come in.  I'm not sure what to do really.. Currently, I don't think anyone can access the site because so much is being blocked.  And they are still hitting so fast that it makes the response time horrible..  

  Are you sure? yes | no