Dictionary Attack: How to Block an Entire Country

Here's a tip for all website administrators, but you know it already. Please don't think I am high-hatting you, but always remember to check your Apache logs on a regular basis. It is easy to become complacent and neglect this important activity, but if you do you may miss something important, such as a systematic attack on your site.

I was casually browsing through my awstats output for one of my sites the other day when I saw something that didn't look correct. The list of pages visited showed that my site's most popular page was /forum/ucp.php. Now ucp.php is the User Administration Panel login form for the open source bulletin board phpBB3. Uh-oh - someone was repeatedly trying to log into my forum, presumably to post spam. Then I scanned the country list and was shocked to discover that hits from China were practically off the scale. So, circumstantial evidence suggested that the attack may be coming from China.

Further evidence was needed, but out of the box phpBB3 doesn't log failed login attempts, so I couldn't be sure exactly what was going on. A quick Google search located a phpBB3 mod, rather unsurprisingly called Log Failed Login Attempts In User Log. The author suggests a 5 minute installation. In fact it took me double that, but cut me some slack - it's been 18 months since I last applied a phpBB3 mod and I was rusty!

After the mod was installed I left things for 24 hours and checked out the phpBB3 User Log. Sure enough, it was littered with failed login attempts, and the source was obviously a script that ran every few seconds with a random login name such as steve57857, aixiu8888, fisa697 and Errieharleyminsdavic. Wow! That really is brute force! The good news is the mod also logs the IP address. IP addresses can be looked up from many places, but I use DNSstuff. My suspicions were confirmed - all the IP addresses originated from China.
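The access log gives you the same evidence without a forum mod: every login attempt is a POST to /forum/ucp.php, so counting those per client address shows the pattern described above. The following POSIX shell snippet is an added example, not part of the original post or the phpBB3 project. The six log lines embedded in it are constructed in Apache combined format using documentation addresses and are not from the author's server; the function names (login_attempts_by_ip, attempts_for, suspicious_ips) and the threshold are my own choices.

```shell
#!/bin/sh
# Added example: count phpBB3 login-form submissions per client address in an
# Apache access log. Not the post author's tooling.

# Constructed sample lines in Apache combined log format, using documentation
# addresses (RFC 5737); they are not taken from the author's server.
SAMPLE_LOG='203.0.113.10 - - [12/Mar/2010:10:01:02 +0000] "POST /forum/ucp.php?mode=login HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.10 - - [12/Mar/2010:10:01:07 +0000] "POST /forum/ucp.php?mode=login HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.11 - - [12/Mar/2010:10:01:09 +0000] "POST /forum/ucp.php?mode=login HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2010:10:02:00 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2010:10:01:12 +0000] "POST /forum/ucp.php?mode=login HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2010:10:02:30 +0000] "POST /forum/ucp.php?mode=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# login_attempts_by_ip: read log lines on stdin; print "count ip" for every
# client that POSTed to the login form, busiest first. In the combined format
# field 1 is the client address, field 6 the quoted method, field 7 the path.
login_attempts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/forum\/ucp\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# attempts_for: number of login POSTs from address $1 (0 if none).
attempts_for() {
    c=$(login_attempts_by_ip | awk -v ip="$1" '$2 == ip { print $1 }')
    echo "${c:-0}"
}

# suspicious_ips: addresses with at least $1 login POSTs, busiest first. A
# legitimate user mistyping a password a couple of times stays below any
# sensible threshold; a script firing every few seconds does not.
suspicious_ips() {
    login_attempts_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# The same functions work on a real log, for example:
#   suspicious_ips 20 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 2
```

The addresses this prints are the ones worth looking up (the post uses DNSstuff) before deciding how wide a block is needed.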

But here's the strange thing - whilst all the IP addresses were emanating from China, they were not from the same ISP, and the same IP address rarely repeated itself in the log. I'm not too sure what that means - perhaps the hacker has access to the top-level China domain.

So, now that the evidence had been gathered, it was time to take preventative action. China is not important to my domains, so I had no qualms in looking for a solution that would block every allocated Chinese IP address; in fact, given the way the attack was structured, that looked like the best solution anyway.

It is possible to obtain a complete list of the IP address ranges allocated to China from IP Deny. This site can give you a list in Classless Inter-Domain Routing (CIDR) format, which looks like:
58.14.0.0/15
58.16.0.0/16
58.17.0.0/17
58.17.128.0/17
58.18.0.0/16
Thankfully Apache can understand this CIDR notation. So somehow I needed to get the entire set of Chinese IP address ranges into my .htaccess file. The syntax is:

Order Allow,Deny
deny from 58.14.0.0/15
deny from 58.16.0.0/16
deny from 58.17.0.0/17
deny from 58.17.128.0/17
deny from 58.18.0.0/16
.
.
.
Allow from All

You will therefore need to find a decent text editor that can prepend the text deny from at the beginning of each line. I used the Linux command line instead, being an old-school administrator. So I saved the list to /tmp/ips and did:

awk '{print "deny from " $0}' /tmp/ips > /tmp/ipsout

and then pasted the contents of /tmp/ipsout into my .htaccess file, between the Order and Allow lines shown above.

For the .htaccess file to take effect, the <Directory> section covering your site in Apache's httpd.conf must contain an AllowOverride All directive (AllowOverride Limit is the minimum, since Order, Allow and Deny belong to that group); with AllowOverride None the file is silently ignored.

No Apache restart is required, because .htaccess files are re-read on every request. China has now been erased. But remember that IP address allocations do change, so you should periodically refresh the list.