[Marina James]

Hi

Does anyone know how to trace the source of a brute force attack by someone using proxy servers?

Thanks

Marina

http://www.adultforums247.com/forums...s/banghead.gif

[Tigger]

Hi Marina ...........welcome

I've not used this but had it stored in my favorites - have you tied Fail2ban ?

[Marina James]

Thanks for the suggestion

However that software seems to block IPs after a number of failed login attempts. But it can only work if someone keeps using the same IP address, which doesn't happen if they are using proxies

I did find this website http://www.iovation.com/real-ip/

But I think that one is probably aimed at people selling stuff who want to know that the person buying it is using a real IP?

Whereas what I'm looking for is a method of tracking down a real IP which is hidden behind proxie IPs from someone using these for a brute force attack to try and access a membersite

I've got a list of the false proxie IP addresses they are using, but don't know how to track them down from these

[Tigger]

yeah I can see that now - sorry I can't help maybe some of the other members can point you in the right direction

You could also try the guys at webmasterworld.com/ its a massive forum and hopefully someone there can help

[Marina James]

Thanks Tigger I'll check out the website you suggest

I also did some further research which just got me into geek-speak land

'People that are serious about anonymity generally use things like onion routing through a bundled browser within a vm with a spoofed user agent. It takes very little to set up and, if done properly, it's nearly impossible to unmask'

My view is that it might be difficult for Joe Average to track them down, but if they were using the above method to attack some government institution then they'd get tracked down with amazing ease.

[housekeeper]

Your best option is Strong Box

[Worzel]

Is the objective to actually track the pest down or just keep them out of your site? If the former, then it's going to be tricky unless you get lucky. Obviously, I have no idea what issues you're facing, but if you could persuade your visitor to actually download to their pc an html file containing tracking code from, say, Statcounter, and then open the file they downloaded in a browser, you will probably have their details in your Statcounter logs. The trick will be to get them to do that!

If you just want to keep them out, and you have a list of the proxies they're using, you could start by banning those IP in your .htaccess file. It's only a partial fix, of course, and it will probably lead to an arms race where they're finding new proxies faster than you can ban them, but it might buy you some time to think of something better. Depending on what your visitor is doing, persistent unwelcome visitors can be a serious problem to any site, and they're very difficult to stop.

[LatinLuvin]

Sorry but athats not something the average Joe Blow has the knowledge or ability to do. The government has the resources to get warrants and foreign government co-operation to physically go after the people running the proxy servers. Then they go in the servers to trace back where the originating IP came from.

If you wanted to do this on your own you would have to hack in the servers yourself, something which is illegal, and trace back who originated the request from the server. Keep doing that until you find the original source of the request. Sometimes these guys go through multiple proxies to hide their identities.

[Worzel]

Quote:

Originally Posted by LatinLuvin

If you wanted to do this on your own you would have to hack in the servers yourself, something which is illegal, and trace back who originated the request from the server. Keep doing that until you find the original source of the request. Sometimes these guys go through multiple proxies to hide their identities.

That's always assuming the proxies aren't run by the government anyway! Paranoid? Meeee?

But of course you're right - tracking the person down is going to be very difficult from that end, unless they get careless. And even if the IP address could be obtained by fair means or foul, it doesn't necessarily help unless their ISP is willing to identify them, or, again, unless they get careless.

[Mr. Lovepants]

Quote:

Originally Posted by housekeeper

Your best option is Strong Box

Agreed. I don't think it will trace the IPs of people who are hiding behind proxies but it will certainly stop them getting in.

[Marina James]

Thanks to the various people suggesting software to block access, I have got that already.

It was mostly that I didn't see why people should be permitted to attempt to steal while hiding their identity?

Its a bit like someone attempting to break into your house while in disguise.

Yes its great to have locks, but if you had that guy hanging around in your backyard whenever he chooses, wearing whatever version of a halloween mask he's chosen for his current attempt, you might want to see if you could remove it and find out who he is?

But it seems that the problem lies with those running proxie servers, and until they clean up their act, not much can be done

So it looks like thread closed

Thanks again everyone

Marina

[housekeeper]

Bottom line for me is that they don't get in, I had an attack this week

"username----last status-----login attempts----IP ranges-----Countries----ISPs
-------------------(emptyUrP)--------445----------------133-------------- 0--------------1
user-------------(attempts)----------66------------------64---------------26-----------44
1 user (attempts) 66 login attempts from 64 IP ranges in 26 countries on 44 ISPs"

That is just a snippet from over 11,000 attempts, not one of them got in. You look at countries where you actually get sales and protect yourself from the regions where the criminals are.

[Marina James]

But if they're using false proxies how do you know which country to block?

The most attacks are actually coming from the US, but since the US is a large market I wouldn't want to block access by people from that country, just because of one hacker (who might not be based there anyway?)

[housekeeper]

Quote:

Originally Posted by Marina James

But if they're using false proxies how do you know which country to block?

Ask yourself this, how many legitimate sign ups do you get from Russia? How many of your customers are from China? Malaysia? Certain Countries just don't pay for porn and are generally filled with criminals when it comes to on line commerce.