By default, Nmap scans the most common 1,000 TCP ports. How does it decide which ones, what coverage does that result in, and what are the ramifications for real world port scanning? Let’s look at the actual numbers behind Nmap’s top ports. …
Just putting out an updated chart showing how this has performed through several additional months of operation. I’ve previously covered what’s happening here in detail when I began to sustain a high volume of attacks, when I implemented the fail2ban based countermeasures, and when I checked in on how the traps were performing four months ago. …
Following up on my deployment of WordPress XML-RPC attack countermeasures a few months ago, let’s have a look at how effectively the traps have performed in live operation in the intervening time. …
In my last post I began inquiring into the WordPress XML-RPC attacks I’ve been sustaining here on the site. Since then I’ve been further studying the threat and experimenting with responses, and I have now developed working countermeasures and cast them into live operation. These countermeasures involve forwarding telemetry out of WordPress for pickup by the fail2ban facility, allowing for the detection and banning of attackers trying to exploit xmlrpc.php. Where other recommendations call for disabling affected methods or the whole XML-RPC subsystem, my more refined techniques control attacks while maintaining the full service set in operation for valid procedure calls. …
I’ve been experiencing the same increased frequency of attacks against WordPress’ integrated XML-RPC service in recent months as reported by many other site operators. The attacks have been covered well elsewhere, but I wanted to chronicle what I’m seeing and share some remarks. …
Two previous rounds of analysis using IP geolocation with Whois (Part 1 and Part 2) revealed that 40% to 45% of network intrusion attempts arriving at my public-facing SSH port could be traced back to Chinese hackers, and 20% to 25% to attackers in Russia and Eastern Europe. The tally is now in from a third round of observations, boasting a significantly longer integration period (more than four months versus about six to seven weeks in the earlier rounds) and yielding plenty of interesting and even unexpected results. …
Late breaking articles from the New York Times and Wall Street Journal this evening caught my eye, wherein one seriously pissed off Google Inc opens up a surprisingly hard line against Beijing: …
Time to tally up the new results since my last report on network intruder geolocation using Whois. Will the trend showing two-thirds of attackers as hailing from China, Russia and the former Soviet bloc hold for this new integration period? Place your bets. …
Let’s have a look at who’s been trying to break into SSH service on my development server recently, and where in the world they’re attacking from. Since I implemented fail2ban to trap out these attempted dictionary attacks, it’s logged the network addresses of all the culprits. Here’s who got caught in recent activity: …
Network intrusion threats ran rampant and unchecked on the internet, invisible to most users. You may see no apparent signs of the automatic probes directed at your computer network, arriving around the clock, scanning for potential entry points. But they are occurring, maybe right now. Any exposed service may be expected to be quickly discovered and subjected to attack. …
