Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
QUESTION 502 nginx error - bruteforce attack
on two of my shared servers - which I have "Get Simple" web sites have experienced 502 nginx error. These have nornmally been rectified within 15 minutes and 'normal service is resumed'.

I have had this email back from the server engineers of the hosting company. (sorry for the length of the reply!)

"The 502 error you have experienced is caused by an overload of the webserver, caused by a number of malicious sources performing bruteforce attacks on Wordpress admin sites hosted on the server. The end result of this is that the webserver is flooded with requests which results in the entire site failing to display.

In order to prevent this we have had to limit the number of concurrent access attempts to the login pages of these sites. This ensures that the websites themselves stay up but does have the impact that genuine login attempts will intermittently fail. I can appreciate this is an awful situation but we had to take a "lesser of two evils" approach to this problem.

We are currently exploring a number of options which we feel will offer a long term solution to this issue, I am reluctant to use the term "permanent" as there is always a chance that the hackers will attempt to bypass any solution put in place. Unfortunately none of the solutions are easy or quick to implement and most will have a requirement for the users to do something also.

I can fully appreciate your frustration and am aware that my explanation will not alleviate the problem you are having, but I would like to assure you that we are exploring every option available to attempt to mitigate this problem as much as possible.

In the meantime, the site is currently displaying correctly, and we are continuing to monitor the server for further issues."

My Question is:

There are some similarities to Wordpress in the operation of 'Getsimple'. Are there the same volatilities to this sort of hacking activity in 'Getsimple'? Or it just a case that being on shared servers there are increased risk to attack because probably there a loads of 'Wordpress' attacks and I have effectively suffered from 'friendly fire' here.


Yes shared hosts common issue.
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
(2014-04-07, 08:37:40)shawn_a Wrote: Yes shared hosts common issue.

Part of the solution is limiting the number of concurrent connections to a nginx zone:

so if your provider is implementing that solution you will have to tell him that you admin directory is /admin/
I also highly recommend the kt lock plugin and changing your admin directory and using a custom salt
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
Yes, changing admin directory is a must.
Hackers usually use some kind of robots to find targets, and those robots use default directories from different projects.
On my server I log those attempts, few recent logs:

those are targeted at fckeditor, but I often get wordpress paths and joomla is very popular (administrator/index.php is from joomla afaik). As soon as GetSimple will become popular enough I bet they will scan for it also.

Maybe it would be a good idea to randomize admin directory during install?

Users browsing this thread: 1 Guest(s)