select count(*) as count, hostname from watchdog where type = 'user' and message like '%Login attempt failed%' group by hostname order by count;
Comments
Comment #1
greggles:
It seems we need a more permanent/ongoing solution for this...
select count(*) as count, hostname from watchdog where type = 'user' and
-> message like '%Login attempt failed%' group by hostname order by count desc limit 10
-> ;
+-------+-----------------+
| count | hostname |
+-------+-----------------+
| 29206 | 60.176.106.86 |
| 110 | 46.17.97.28 |
| 105 | 188.163.66.75 |
| 81 | 220.161.150.114 |
... snipped some for privacy concerns... those who need to know can run the query.
10 rows in set (0.40 sec)
Comment #2
greggles:
To find which account they are after see this:
select distinct hostname, variables from watchdog where hostname = '60.176.106.86' and type = 'user' and message like '%Login attempt failed%'
Comment #3
Gerhard Killesreiter:
The top IP was trying to log in to a spam account that was blocked already.
The next one was also trying to log in to similar accounts.
I guess some scripts were trying this.
Comment #4
killes@www.drop.org:
Blocked a couple more IPs. Seems that the accounts they are trying to log in to don't even exist.
Narayan is working on something that uses mod_sec to block these.
Comment #5
killes@www.drop.org:
Narayan thinks this should be handled inside of Drupal. It could potentially set a special HTTP return code which would then be caught by mod_sec and the IP blocked there.
429 looks like a good code for this:
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#429
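The approach suggested in comment #5, sketched as an added example that is not part of the original thread and is not Drupal's own code: count failed logins per IP in a sliding window and answer with 429 once a limit is passed, so a front-end filter such as mod_sec can act on that status. The limit, the window, the class and function names and the sample addresses are all assumptions.

```python
from collections import defaultdict, deque

LIMIT = 5        # failed logins allowed per IP per window (assumed value)
WINDOW = 3600    # window length in seconds (assumed value)

class FailedLoginThrottle:
    """Sliding-window count of failed logins per client IP."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def check(self, ip, now):
        """Return (status, retry_after); called before credentials are checked."""
        recent = self.failures[ip]
        while recent and recent[0] <= now - self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.limit:
            # 429 Too Many Requests; Retry-After = time until the oldest failure expires
            return 429, recent[0] + self.window - now
        return 200, 0

    def record_failure(self, ip, now):
        self.failures[ip].append(now)

def replay(events, throttle=None):
    """Feed (timestamp, ip, login_ok) rows through the throttle; return {ip: 429 count}."""
    throttle = throttle or FailedLoginThrottle()
    throttled = defaultdict(int)
    for ts, ip, login_ok in sorted(events):
        status, _ = throttle.check(ip, ts)
        if status == 429:
            throttled[ip] += 1              # what a filter keyed on 429 would see
        elif not login_ok:
            throttle.record_failure(ip, ts)
    return dict(throttled)

# Constructed sample data (documentation-range addresses, not from the thread).
SAMPLE = [(t, "203.0.113.7", False) for t in range(0, 200, 10)]         # 20 rapid failures
SAMPLE += [(0, "198.51.100.4", False), (900, "198.51.100.4", True)]     # one typo, then success
SAMPLE += [(t, "192.0.2.9", False) for t in range(0, 6 * 3600, 1800)]   # slow: 2 failures per hour

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The slow client in the sample never reaches the limit, so a per-IP window alone does not catch low-rate guessing; a per-account counter would be needed for that.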
Comment #6
dddave:
Status?
Comment #7
lizzjoy:
We now have the CDN and don't block IPs so I'm closing this issue.