SMALL WARS COUNCIL
Old 02-13-2015   #1
SWCAdmin
Groundskeeping Dept.
 
Join Date: Sep 2005
Location: DC area pogue.
Posts: 1,840
Default Notice re Failed Login Attempts

Some Council members are contacting us because they received a notification from the board as follows....
Quote:
Subj: Failed Login Notification on Small Wars Council

Someone has tried to log into your account on Small Wars Council with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address:

We have looked into this issue and are continuing to try to get in front of it. It's a filthy e-world we live in.

Enough users were getting these nuisance notifications that I have made a global change. It used to be that an unregistered user could see most things but had to register to post. Now you need to be logged in to see anything. That should prevent bots from trolling for usernames. We'll see if this is a temporary or permanent change.

There is clearly some funny business going on with a fairly unsophisticated attack. Basically, a web crawler or human is knocking on the front door of your account to see if it is unlocked. We have not seen any evidence that anyone's account has been breached. You are right to take notice and be a little concerned. However, these system-generated notifications are sort of a backwards reminder that security measures are in place and are working -- the door was locked.

If you have a strong password on your account, we believe you are secure. If you want to tighten that up a bit, you can change your password in the Edit Your Details section of the User Control Panel.

FYI, we already have commercial IP blacklist security implemented, but that is centered on new account registration and posting, i.e. once they open the door. We are adding the offending IP addresses to an additional manual blacklist as they are identified, to try to stop the board software from even serving the front door up to be knocked on. Unfortunately, there are lots of different IP addresses involved. It's what those internet pests do.

We continue to consult with better-at-this-than-me folks to review what has been going on and vet our security protocols. We're up to date on security patches, etc. Bottom line:



Last edited by SWCAdmin; 03-03-2015 at 02:03 PM. Reason: Updated for what we know now.
Old 02-18-2015   #2
SWCAdmin
Groundskeeping Dept.
 
Join Date: Sep 2005
Location: DC area pogue.
Posts: 1,840
Default

We're continuing to get a trickle of these front door probes from various IP addresses. Our forum software is up to date with its security patches. We are manually blocking bot IP addresses as they present themselves, but that's a reactive measure. We already blacklist IPs, but the package for doing that is oriented to new account registrations, not existing account entries.

All the resources we've consulted suggest this is just something that happens in the e-world, and that as long as you have a decent password your account is fine and there is no cause for concern. We're working with some technical folks to see how to be more proactive. We still have no indication that any account has been accessed. The alerts members are receiving are indications that the basic security measures are working.
Old 02-20-2015   #3
SWCAdmin
Groundskeeping Dept.
 
Join Date: Sep 2005
Location: DC area pogue.
Posts: 1,840
Default

We have received about two dozen of these multiple failed login attempts over the last two weeks or so.

We have added all the offending IP addresses to our list of IPs that are banned from viewing the board at all. Almost all of them were unique and originating in various Asian countries. We have a much larger commercial blacklist of IPs, but that doesn't kick in until the login or registration attempt is successful at first.

We have consulted with several security folks who kicked our tires and confirmed that our appropriate controls are in place, up to date, and working. This is just something that happens in this pesky e-world.

Again, sorry for the nuisance to those who are being pinged. The advice in the first post here about having a good password and marching on continues to be the most sound and actionable intel we have found.
Old 03-03-2015   #4
SWCAdmin
Groundskeeping Dept.
 
Join Date: Sep 2005
Location: DC area pogue.
Posts: 1,840
Default

I updated the first post with new info.
Old 07-05-2015   #5
Invictus_88
Registered User
 
Join Date: May 2010
Posts: 5
Default Technical Q

Has anyone else here recently had their account temporarily frozen by someone, not themselves, submitting incorrect password guesses?
Old 07-05-2015   #6
Invictus_88
Registered User
 
Join Date: May 2010
Posts: 5
Default

Quote:
Originally Posted by email to me
Dear Invictus_88,

Someone has tried to log into your account on Small Wars Council with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 91.213.8.235

All the best,
Small Wars Council
Quote:
Originally Posted by search on iplocation.net
91.213.8.235 :: Ukraine :: Luhans'ka Oblast :: Luhans'k

Which is interesting because Luhansk is one of the territories held by pro-Russian forces. Anyone else had this problem? If so, the site managers should probably flag it up.
Old 07-05-2015   #7
davidbfpo
Council Member
 
Join Date: Mar 2006
Location: UK
Posts: 10,493
Default SWC is aware

Invictus_88,

This issue was flagged up a few months ago and widely read. Please view this thread: http://council.smallwarsjournal.com/...ad.php?t=21736

I know via PM(s) that this problem continues, although minus knowledge of where the IP address is shown as located.
__________________
davidbfpo
Old 07-14-2015   #8
Invictus_88
Registered User
 
Join Date: May 2010
Posts: 5
Default

I did have a quick look around but didn't find the thread you refer to and so I posted my own here. Thank you for linking me in though.

Interesting that they're from all over rather than just Luhansk.
Old 07-15-2015   #9
Tasmanian Devil
Registered User
 
Join Date: Nov 2010
Location: Sydney, NSW, Australia
Posts: 1
Default Alleged false log in attempts

On 11 July 2015 I too received the following message purporting to be from the Small Wars Council:

Dear Tasmanian Devil,

Someone has tried to log into your account on Small Wars Council with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 178.175.131.194

All the best,
Small Wars Council

A check with iplocation.net indicates the IP address given is allegedly Trabia-network Data Center, Chisinau, Moldova Republic.

Regards.

Tasmanian Devil.
Old 07-17-2015   #10
stang
Registered User
 
Join Date: Sep 2010
Posts: 1
Default

Quote:
Originally Posted by Invictus_88 View Post
I did have a quick look around but didn't find the thread you refer to and so I posted my own here. Thank you for linking me in though.

Interesting that they're from all over rather than just Luhansk.

I received a notice as well, and my IP (94.23.6.131) was located to OVH in France, which is a popular hosting company to use for nefarious actions. They do very little to verify identity.

Also, they're from all over because that's how a distributed cyber attack works.
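
Added example, not part of any post in this thread and not the forum software's code: a defender-side sketch of why the 5-strike, 15-minute lockout quoted in the notification sees only single-source guessing, and how a per-account count of distinct source IPs surfaces the "from all over" pattern described above. Keying the strike counter on (account, IP), letting strikes age out after the lockout period, the `WINDOW` and `MIN_SOURCES` thresholds, the usernames and the events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STRIKES, LOCKOUT = 5, timedelta(minutes=15)     # values from the notification
WINDOW, MIN_SOURCES = timedelta(hours=1), 4     # assumed per-account alert thresholds

def per_ip_lockouts(events):
    """Apply the strike rule keyed on (account, ip), an assumed reading of the notice."""
    recent, locked_until = defaultdict(list), {}
    lockouts, accepted = [], defaultdict(int)
    for ts, user, ip in sorted(events):
        key = (user, ip)
        if locked_until.get(key, ts) > ts:
            continue                             # guess refused during lockout
        accepted[user] += 1                      # guess reached the password check
        recent[key] = [t for t in recent[key] if ts - t < LOCKOUT] + [ts]
        if len(recent[key]) >= STRIKES:
            locked_until[key], recent[key] = ts + LOCKOUT, []
            lockouts.append(key)
    return lockouts, dict(accepted)

def distributed_targets(events):
    """Map account -> most distinct failing IPs seen in any WINDOW, if >= MIN_SOURCES."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, rows in by_user.items():
        for i, (start, _) in enumerate(rows):
            sources = {ip for t, ip in rows[i:] if t - start <= WINDOW}
            if len(sources) >= MIN_SOURCES:
                flagged[user] = max(len(sources), flagged.get(user, 0))
    return flagged

def sample_events():
    """Constructed failures; usernames are made up, IPs are documentation ranges."""
    t0, events = datetime(2015, 7, 5, 12, 0), []
    for n in range(6):                           # six sources, four guesses each
        for k in range(4):
            when = t0 + timedelta(minutes=n, seconds=10 * k)
            events.append((when, "member_a", f"203.0.113.{n + 1}"))
    for k in range(7):                           # one source, seven guesses
        events.append((t0 + timedelta(seconds=20 * k), "member_b", "198.51.100.9"))
    return events

if __name__ == "__main__":
    lockouts, accepted = per_ip_lockouts(sample_events())
    print("lockouts:", lockouts)
    print("guesses checked:", accepted)
    print("multi-source targets:", distributed_targets(sample_events()))
```

In the constructed data the single-source account trips the lockout after five guesses, while the account probed from six addresses never does; only the per-account view flags it.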
Old 07-25-2015   #11
davidbfpo
Council Member
 
Join Date: Mar 2006
Location: UK
Posts: 10,493
Default

Another member reports activity with an IP address that is ostensibly in Sweden, but has several anti-spam website alerts: 178.16.208.56
__________________
davidbfpo
Old 07-26-2015   #12
davidbfpo
Council Member
 
Join Date: Mar 2006
Location: UK
Posts: 10,493
Default Wider context?

For those interested in the possible context for such attempts please view the main Ukraine military thread, where Outlaw 09 has posted three posts on the issues: http://council.smallwarsjournal.com/...=22315&page=54

I have accordingly deleted the three posts here.
__________________
davidbfpo
Powered by vBulletin® Version 3.8.8. ©2000 - 2017, Jelsoft Enterprises Ltd.
Registered Users are solely responsible for their messages.
Operated by, and site design 2005-2009, Small Wars Foundation