More Hackers



unerwünscht
February 21st, 2009, 02:19
Just a heads up for all of you running sites: we just got a wave of hacking attempts on our site, from Denmark and Germany. There were around 100 IP addresses cached and logged by our watchdog. But I know a few other sites have had issues in the past right about the same time we get hit. So I thought I would let you all know it is happening to us again.

Oberoten
February 21st, 2009, 07:16
Well, looks like they left me alone this time at the least. No fun new main page for either of the wikis... Thanks for the heads-up though.

- Obe

unerwünscht
February 21st, 2009, 08:43
After further investigation into the logs, it looks like they were trying to hack into the downloads section on the site. Kinda funny when you stop to think about the fact that not only do we not have any downloads on the site yet, but the entire system is actually commented out on the core because we are not sure yet that there will ever be any downloads on the site.

Blue Haven
February 21st, 2009, 12:22
Maybe they wanted to put something on there...? ;) instead of taking...

unerwünscht
February 21st, 2009, 13:54
I doubt it. That would have been VERY easy to do.

mr_h
February 21st, 2009, 14:20
I dunno if it'd help you, but there's a program I'm running on my server that monitors the logs. If it finds a number of repeated failed attempts (it checks for specific key phrases/words) that match break-in attempts, it puts that IP address in hosts.deny for a while (I think mine's set to 10 minutes). Since most of the attacks against my box seem to come from bots, this seems to stop them (i.e., no more reaction from the box, it drops the attempt and moves on).

The program's called OSSEC HIDS. It can be a bit complex, but I used some guides at Ubuntu to make it a lil easier.

unerwünscht
February 21st, 2009, 17:49
Oh, we are using watchdog. It has a predefined set of rules that it watches for. When it finds a violation it blacklists the IP and sends an email. If it gets more than 10 violations in a 10-minute period of time, it sends an alarm to the company, and they call you (provided you are current on your bill). No matter what, it keeps a full log of IP addresses and resolutions.
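
The log-watching behaviour described in the posts above (count lines matching key phrases per IP, then block the address for a while once a threshold is reached within a time window), as an added example that is not part of the thread and is not OSSEC's or watchdog's code. The log format, key phrases, threshold and IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = """\
2009-02-21 02:10:01 203.0.113.7 GET /downloads/ access denied
2009-02-21 02:10:05 203.0.113.7 GET /downloads/ access denied
2009-02-21 02:10:09 198.51.100.4 GET /index.php 200 ok
2009-02-21 02:10:12 203.0.113.7 POST /login authentication failure
2009-02-21 02:11:00 198.51.100.9 POST /login authentication failure
2009-02-21 02:25:00 198.51.100.9 POST /login authentication failure
2009-02-21 02:40:00 198.51.100.9 POST /login authentication failure
"""

# Assumed key phrases that mark a line as a failed or denied attempt.
KEY_PHRASES = re.compile(r"access denied|authentication failure|invalid user", re.I)
LINE = re.compile(r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) (.*)$")

def detect(log_text, threshold=3, window=timedelta(minutes=10),
           block_for=timedelta(minutes=10)):
    """Return {ip: (blocked_at, unblock_at)} for IPs with `threshold` hits inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent matching lines
    blocks = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or not KEY_PHRASES.search(m.group(3)):
            continue              # unparseable line or ordinary traffic
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in blocks and ts < blocks[ip][1]:
            continue              # block still active, nothing new to count
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget attempts older than the window
        if len(hits) >= threshold:
            blocks[ip] = (ts, ts + block_for)
            hits.clear()          # start counting afresh after the block expires
    return blocks

def hosts_deny_lines(blocks, now):
    """TCP-wrappers style entries for the blocks still active at `now`."""
    return [f"ALL: {ip}" for ip, (_, until) in sorted(blocks.items()) if now < until]
```

The slow address (one failure every 15 minutes or so) never reaches the threshold inside the window, which is the trade-off of any count-per-window rule.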