PDA

View Full Version : Notice re Failed Login Attempts



SWCAdmin
02-13-2015, 01:08 PM
Some Council members are contacting us because they received a notification from the board as follows....

Subj: Failed Login Notification on Small Wars Council

Someone has tried to log into your account on Small Wars Council with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: We have looked into this issue and are continuing to try to get in front of it. It's a filthy e-world we live in.

Enough users were getting these nuisance notifications that I have made a global change. It used to be that an unregistered user could see most things but had to register to post. Now you need to be logged in to see anything. That should prevent bots from trolling for usernames. We'll see if this is a temporary or permanent change.

There is clearly some funny business going on with a fairly unsophisticated attack. Basically, a web crawler or human is knocking on the front door of your account to see if it is unlocked. We have not seen any evidence that anyone's account has been been breached. You are right to take notice and be a little concerned. However, these system-generated notifications are sort of a backwards reminder that security measures are in place and are working -- the door was locked.

If you have a strong password on your account, we believe you are secure. If you want to tighten that up a bit, you can change your password in the Edit Your Details (http://council.smallwarsjournal.com/profile.php?do=editprofile) section of the User Control Panel (http://council.smallwarsjournal.com/usercp.php).

FYI, we already have commercial IP blacklist security implemented, but that is centered on new account registration and posting, i.e. once they open the door. We are adding the offending IP addresses to an additional manual blacklist as they are identified, to try to stop the board software from even serving the front door up to be knocked on. Unfortunately, there are lots of different IP addresses involved. It's what those internet pests do.

We continue to consult with better-at-this-than-me folks to review what has been going on and vet our security protocols. We're up to date on security patches, etc. Bottom line:


http://smallwarsjournal.com/sites/default/files/Keep-calm-and-carry-on-scan.jpg

SWCAdmin
02-18-2015, 05:11 PM
We're continuing to get a trickle of these front door probes from various IP addresses. Our forum software is up to date with its security patches. We are manually blocking bot IP addresses as they present themselves, but that's a reactive measure. We already blacklist IPs, but the package for doing that is oriented to new account registrations, not existing account entries.

All the resources we've consulted suggest this is just something that happens in the e-world, and that as long as you have a decent password your account is fine there is no cause for concern. We're working with some technical folks to see how to be more proactive. We still have no indication that any account has been accessed. The alerts members are receiving are indications that the basic security measures are working.

SWCAdmin
02-20-2015, 03:39 PM
We have received about two dozen of these multiple failed login attempts over the last two weeks or so.

We have added all the offending IP addresses to our list of IPs that are banned from viewing the board at all. Almost all of them were unique and originating in various Asian countries. We have a much larger commercial blacklist of IPs, but that doesn't kick in until the login or registration attempt is successful at first.

We have consulted with several security folks who kicked our tires and confirmed that our appropriate controls are in place, up to date, and working. This is just something that happens in this pesky e-world.

Again, sorry for the nuisance to those who are being pinged. The advice in the first post here about having a good password and marching on continues to be the most sound and actionable intel we have found.

SWCAdmin
03-03-2015, 02:03 PM
I updated the first post with new info.

Invictus_88
07-05-2015, 12:13 PM
Has anyone else here recently had their account temporarily frozen by someone, not themselves, submitting incorrect password guesses?

Invictus_88
07-05-2015, 12:21 PM
Dear Invictus_88,

Someone has tried to log into your account on Small Wars Council with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 91.213.8.235

All the best,
Small Wars Council


91.213.8.235 :: Ukraine :: Luhans'ka Oblast :: Luhans'k

Which is interesting because Luhansk is one of the territories held by pro-Russian forces. Anyone else had this problem? If so, the site managers should probably flag it up.

davidbfpo
07-05-2015, 06:16 PM
Invictus_88,

This issue was flagged up a few months ago and widely read. Please view this thread:http://council.smallwarsjournal.com/showthread.php?t=21736

I know via PM(s) that this problem continues, although minus knowledge of where the IP address is shown as located.

Invictus_88
07-14-2015, 02:28 PM
I did have a quick look around but didn't find the thread you refer to and so I posted my own here. Thank you for linking me in though.

Interesting that they're from all over rather than just Luhansk.

Tasmanian Devil
07-15-2015, 06:40 AM
On 11 July 2015 I too received the following message purporting to be from the Small Wars Council:

Dear Tasmanian Devil,

Someone has tried to log into your account on Small Wars Council with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 178.175.131.194

All the best,
Small Wars Council

A check with iplocation.net idicates the ip address given is allegedly Trabia-network Data Center, Chisnau, Moldova Republic.

Regards.

Tasmanian Devil.

stang
07-17-2015, 04:45 PM
I did have a quick look around but didn't find the thread you refer to and so I posted my own here. Thank you for linking me in though.

Interesting that they're from all over rather than just Luhansk.

I received a notice as well, and my IP (94.23.6.131) was located to OVH in France, which is a popular hosting company to use for nefarious actions. They do very little to verify identity.

Also, they're from all over because that's how a distributed cyber attack works.

davidbfpo
07-25-2015, 04:05 PM
Another member reports activity with an IP address that is ostensibly in Sweden, but has several anti-spam website alerts: 178.16.208.56

davidbfpo
07-26-2015, 05:35 PM
For those interested in the possible conext for such attempts please view the main Ukraine military thread, where Outlaw 09 has posted three posts on the issues:http://council.smallwarsjournal.com/showthread.php?t=22315&page=54

I have accordingly deleted the three posts here.