30 Aug Who is hacking my website?
Few business owners understand that ALL websites are constantly under attack. It doesn’t matter how big or small the website is. The content and mission of the site are also irrelevant. Hackers just want to get inside for a variety of reasons, including injecting malware into the site, downloading personal information, or monitoring activity. The actual hacking is nearly always automated, and this is why no domain is immune. However, there are ways to see who the hackers are (or at least where they are from).
The single best way to both block and capture offending IP addresses is by implementing Fail2ban. This is server-side software that specifically blocks and logs offending IP addresses. This software should be installed on EVERY Linux server. There are also similar products available for Windows servers. The Fail2ban tool can be configured to ban IP addresses based on the type of activity such as too many requests in a specific period of time or too many failed login attempts. It is easy to configure and maintain, but does require a server administrator to whitelist specific IP addresses (especially when using content management systems).
Understanding Fail2ban Logs
Once Fail2ban has been implemented, a periodic download of the list of banned IP addresses can be very enlightening. You can use any of the dozens of free online IP Lookup tools to learn the country, state, city, network, and often the organization that owns the IP address. Poke around a bit and find one you like. If you have a big list and just want to see the country, region, and city, you can use a free bulk IP Lookup Locator (such as www.ipligence.com).
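As an added example (not part of the original post), the following Python script parses a few constructed fail2ban.log lines, counts bans per IP address and jail so the list can be handed to an IP lookup tool, and flags any banned address that falls inside the administrator's whitelist, which is the whitelisting problem mentioned above. The sample log lines, jail names, addresses and whitelist range are all assumptions made for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/fail2ban.log lines (not from a real server).
# Addresses are from the documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24.
SAMPLE_LOG = """\
2023-08-30 09:12:01,113 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.45
2023-08-30 09:12:44,502 fail2ban.actions [812]: NOTICE [wordpress-login] Ban 198.51.100.7
2023-08-30 09:13:10,009 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.45
2023-08-30 09:20:31,777 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.45
2023-08-30 09:25:00,001 fail2ban.actions [812]: NOTICE [wordpress-login] Ban 192.0.2.10
2023-08-30 09:26:15,350 fail2ban.filter [812]: INFO [sshd] Found 203.0.113.45 - 2023-08-30 09:26:15
"""

# Matches the Ban/Unban notices written by fail2ban.actions; filter "Found" lines are ignored.
BAN_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+fail2ban\.actions\s*\[\d+\]:\s+(?:NOTICE|WARNING)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)

# Addresses the administrator intended to exempt (assumed; e.g. the office network).
# A ban on one of these means the whitelist (ignoreip) is not configured as intended.
WHITELIST = [ip_network("192.0.2.0/24")]

def parse_bans(log_text):
    """Return (timestamp, jail, action, ip) tuples for every Ban/Unban event in the log."""
    events = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m:
            events.append((m["ts"], m["jail"], m["action"], m["ip"]))
    return events

def summarize(events, whitelist=WHITELIST):
    """Count Ban events per (ip, jail) and collect bans that hit a whitelisted address."""
    bans = Counter()
    flagged = []
    for ts, jail, action, ip in events:
        if action != "Ban":
            continue
        bans[(ip, jail)] += 1
        if any(ip_address(ip) in net for net in whitelist):
            flagged.append((ts, jail, ip))
    return bans, flagged

def top_offenders(bans, n=5):
    """Most-banned (ip, jail) pairs first; this is the list to feed to an IP lookup tool."""
    return sorted(bans.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    counts, misconfigured = summarize(parse_bans(SAMPLE_LOG))
    for (ip, jail), n in top_offenders(counts):
        print(f"{ip:<16} {jail:<18} bans={n}")
    for ts, jail, ip in misconfigured:
        print(f"WARNING whitelisted address banned: {ip} in [{jail}] at {ts}")
```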
Have You Been Hacked?
Once you review the data from the logs and see how extensive this is, you will certainly be concerned. The volume of data does NOT indicate whether or not you have been hacked. The real problem is that you may have been hacked and the hacker has not taken any action yet. There could even be malicious code injections that have not been activated. The hacker may be waiting for the most profitable opportunity to activate the code.
The only way to check for code injections is to compare the site to an offsite copy on a non-public (secured) IP address. Small business owners typically cannot afford this and need to rely on their system administrator to look for files that have been added or altered, based on the date. Fortunately, even if your site has been hacked, a good system administrator/developer can locate the offending code and remove it in most cases.
User Profile Hacking
A more difficult problem is determining if specific user profiles have been compromised. A common hack is to locate a user profile and change the email address associated with that profile. Then the hacker simply uses the password reset function to gain access to the content management system. The real user will not notice this until the next time they attempt to sign in and by then it may be too late. Depending upon the type of CMS and the privileges provided to the user, the hacker can do a lot of damage. There are also other ways for hackers to get user credentials.
The best way to mitigate this risk is to keep a log of user logins and the IP address that was used to log in. Someone needs to monitor that log and watch for IP addresses from unexpected locations. Fail2ban may capture some of this activity, because a CMS typically makes a lot of requests to the server in a short period of time. There are other ways to protect user credentials:
- Force the use of complex passwords
- Force the user to change their password periodically
- Disable all user profiles that are no longer needed
- Only provide users with the specific privileges they need
- Limit all logins to the CMS to a specific set of whitelisted IP addresses
To summarize, it is critical to understand the extent of attempted hacking and to have the ability to block offending IP addresses. This is not available on most budget hosts. That may not stop you from being hacked, but it will certainly reduce the risk. Further risk reduction is possible if you limit and monitor access to the content management system (CMS).