My diary earlier this week led to some good discussion in the comments and on Twitter. I want to, first off, apologize for not responding as much or as quickly as I would have liked; I’ve actually been ill most of this week since posting the previous diary (and signing up for this slot as handler on duty). Having said that, the discussion got me thinking about fail2ban (and denyhosts) and how I’ve used them over the years, which brings me to a number of points I’d like to make and some further discussion I hope we can have.

As rightly pointed out, I am sure that the brute forcing I am seeing is not from any scanning but because I set up an IPv6 address in DNS for my WordPress site and the preference for IPv6 over IPv4 if DNS returns both. In fact, the attempts to log in as ‘jim’ show that they have at least scraped some content off the site, so they thought they could guess at a valid username (in fact, ‘jim’ is not a valid username on the site, but that is their problem, not mine).
Article Link: https://isc.sans.edu/diary/rss/23253