Wordfence block brute force but Imunify not detecting


  • Wordfence block brute force but Imunify not detecting

    I've been running Imunify360 for about 6 months now and I still have not seen any WordPress-related intrusion detection for any WordPress websites, and we host a lot of them.

    A WordPress website I manage shows 10 blocked IPs in the past 30 days which Imunify did not detect in the Incident report, but a few of the IPs showed up under Grey List, which offers no explanation. I'm not sure if these IPs are there because of something that happened on my server or if it's part of the global Grey List.

    IM360 seems to do a great job of detecting FTP brute force attacks and shows other server events which are important, but FTP is not my primary concern since passwords are tough and difficult to crack and I could use CSF alone for that. It's good to have those IPs blocked, but I am not seeing blocks for WordPress intrusions at all and I should have by now.

    My PRIMARY concern is WordPress ID and blocking them, and I know that the WordPress sites I host are being attacked and probed, so I'm somewhat disappointed that IM360 isn't doing more to block these attacks and report on them.

    Any thoughts?

  • #2
    If you have seen just 10 IPs in 30 days --> It means that Imunify360 works.
    There are about 40,000 to 60,000 IPs in the grey list daily (about 10-20K of them change every day). Around 20K of them are related to WordPress (and another 20K are related to mail). You will not see any incidents for WordPress from those IPs -- in Wordfence or anywhere (unless they came in a few times before we grey listed them). That is because we stopped them earlier, at the firewall level.
    The fact that we missed 10 might or might not be bad. First of all, it should be a very small fraction of all IPs that attack your server. Another thing - Wordfence blocks/warns about a lot of things that are benign/don't really attack. Or we might have blocked them after the first few requests (like with brute force - if we haven't seen those IPs yet). If you would like -- send us the IPs, and we will verify.



    • #3
      My apologies. I think I understand this better. Here's the list of IPs blocked by Wordfence:

      Not Found in IM360 Grey List

      46.229.173.66 United States 149
      52.8.35.37 United States 3
      59.51.167.112 China 1

      Found in IM360 Grey List

      163.53.183.34 Bangladesh 1
      117.40.136.150 China 1
      200.122.184.5 Costa Rica 1
      220.178.177.15 China 1
      175.236.156.204 Korea, Republic of 1
      123.200.18.50 Bangladesh 1

      So it looks like IM360 blocked most after 1 attempt, and I did some digging and I'm pretty sure the US IPs are pingdom.com as I've been doing a bunch of site testing.

      All in all this looks pretty good then. What would be nice is a tab with a list of domains and how often IPs were blocked for each domain, with a breakdown between firewall and greylist.

      It would help determine which websites may need special attention and help me measure overall security performance to some degree.

      Thanks for your help and insights.

      G



      • #4
        46.229.173.66 --> semrush, it is not malicious. In the future (near one) we will let you select which non-malicious sites can/cannot crawl your website. The rest have just a few hits, so maybe we did block them (once they started). We rotate IPs very fast - so quite often we would block them when they attack, but a day later it is no longer blocked. This is done to decrease false positives. And yes, we are working on the dashboard. We are just trying to figure out how to make it so that it answers more questions than it creates. Yet, our #1 goal is to stop anything bad that comes to your site.



        • #5
          Dashboard will be nice to have when it arrives. Thanks Igor.
