I've been working with Drupal for almost 2 years now.

For some time now I have been noticing a never-ending series of attempts to log in to my site with kinda-random account names. The IP seems to be randomized so I assume it's a bot or multiple copies of a bot, but the attempts are relentless, like Chinese water torture; I'd say 1 attempt averaging every 60 minutes 24/7/365 for dang near a year now. The names tend to repeat so it is apparently working from a list of some sort. A bell curve: some names repeat a lot, some seem unique. (Side question: does Drupal keep failed login names in a table?)

It kind of reminds me of M*A*S*H where the NoKos had a guy ("5 O'Clock Charlie"?) who flew over every day in a little open plane and dropped a small bomb by hand trying to hit the ammo dump (and missed). Not much of a threat; the medics would set up chairs and score his attempts.

I have a >12-char minimum for passwords so even if they guess an account name they probably won't be able to guess the PW, but what is odd is the algorithm they seem to have for generating these BS user names in the first place. They typically start with what might be a valid human name but then pad it with numerals until it's 19-21 characters long. For example "petersmythejones35127" or "lindafaustusrolly9".

Presumably they are then entering passwords too, maybe from a "100 most used lame passwords" list of some sort.

I know there used to be a weakness in Drupal login where the passwords weren't hashed if the account name wasn't valid, which allowed detection of valid usernames if you used a silly-long password guess (like a million characters long), because you could time the response, and a quick rejection would tell you the account was invalid.

So my question(s):

- Is there a Drupal login vulnerability with long account names? I don't see these attempts with my other site which is basic Apache/html/css/js technology.

- Is this a known attack vector? Just for Drupal or for any site?

- Why would they keep trying semi-random account names with such a low probability of existing?

- And why REPEAT accounts once they failed? Is it multiple bots, in which case the user names are probably a fixed list? Does anyone have the list? Would I be more secure by creating matching accounts and blocking them?

- And why only once an hour? Why not 50/second?

- Is everyone else getting these? Any recommendations to make sure they keep failing (assuming they are failing)?

Thanks for your time.

Comments

JamesOakley’s picture

Why the usernames? They're probably getting the account names from another site that has been successfully hacked; they then try that same username / password combination on other Drupal sites to see if the individual had accounts on other sites.

Why 1/hour, not 50/second? They're checking against lots of sites, and they'll go undetected better on each if they don't hammer a site, then move on.

What can you do? Check the user-agent strings. There's often some way to block them (if they've made a mistake when they programmed the bot that means you can tell them apart from real traffic). If you're not getting any resource-limit problems, you can afford to block them in your own .htaccess file, although mod_security is a better layer to intercept if you know how to set up a custom rule.

As a rule of thumb, I'd advise anyone to have a good standard mod_security ruleset in front of their site, as that does weed out a surprising proportion of attempted abuse.

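As an added example (not code from this thread or from Drupal itself), a small Python script that does the log review suggested above: it parses constructed lines in the shape of Drupal's "Login attempt failed for %user." watchdog message, counts which names recur, flags the letters-padded-with-digits pattern the original post describes, and checks the roughly hourly cadence. The exported log layout, the IP addresses and the name markdavidsonhale2201 are assumptions; the two longer names are the ones quoted in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on Drupal's "Login attempt failed for %user." watchdog
# message exported to a text log. IPs are documentation ranges; the two long names
# come from the post, the others are made up.
SAMPLE_LOG = """\
2014-03-01 01:12:07 user 203.0.113.5 Login attempt failed for petersmythejones35127.
2014-03-01 02:15:41 user 198.51.100.9 Login attempt failed for lindafaustusrolly9.
2014-03-01 03:09:55 user 203.0.113.77 Login attempt failed for petersmythejones35127.
2014-03-01 03:10:02 user 192.0.2.10 Login attempt failed for alice.
2014-03-01 04:14:30 user 198.51.100.44 Login attempt failed for markdavidsonhale2201.
2014-03-01 05:11:18 user 203.0.113.5 Login attempt failed for petersmythejones35127.
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user (?P<ip>\S+) Login attempt failed for (?P<name>\S+)\.$")
# Letters padded with digits, as the post describes. It says 19-21 chars, but one of
# its own examples is 18, so the window is 18-21 here.
PADDED_NAME_RE = re.compile(r"^[a-z]+[0-9]+$")

def parse_failed_logins(text):
    """Return (timestamp, ip, username) for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["name"]))
    return events

def looks_padded(name):
    return 18 <= len(name) <= 21 and PADDED_NAME_RE.match(name) is not None

def summarize(events):
    """Attempts per name, IPs per name, and names that fit the pattern or recur from >1 IP."""
    counts = Counter(name for _, _, name in events)
    ips = {}
    for _, ip, name in events:
        ips.setdefault(name, set()).add(ip)
    # Same name from several IPs suggests one list replayed by several bots.
    suspect = {n for n in counts if looks_padded(n) or len(ips[n]) > 1}
    return counts, ips, suspect

def median_gap_minutes(events):
    """Median minutes between consecutive attempts, to check the ~1/hour cadence."""
    ts = sorted(t for t, _, _ in events)
    gaps = sorted((b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:]))
    if not gaps:
        return None
    mid = len(gaps) // 2
    return gaps[mid] if len(gaps) % 2 else (gaps[mid - 1] + gaps[mid]) / 2
```

The suspect set is a review aid, not a block list on its own; a real name like "alice" that fails once from one IP is left alone.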
Stefan Lehmann’s picture

> It kind of reminds me of M*A*S*H where the NoKos had a guy ("5 O'Clock Charlie"?) who flew over every day in a little open plane and dropped a small bomb by hand trying to hit the ammo dump (and missed). Not much of a threat; the medics would set up chairs and score his attempts.

Thanks for the laugh. :-)

To add something useful: maybe this module here might help if you're concerned. It allows you to change the URL path of the login page to something else, which probably already filters out 99% of the automated attacks.

I like cookies!

dadderley’s picture

https://www.drupal.org/project/antibot

Had huge bot attack on user forms. This killed it.