How can I Temporarily Take My Site Offline?

Ceri Shaw
Ceri Shaw
@ceri-shaw
last year
84 posts
I feel the need to do this for a day or so to slow down the rate of malicious requests which has been more or less non stop over the last 48 hours. I have 2 other JR sites which I need to work on and I really cant afford to spend all day banning IP's. :(
updated by @ceri-shaw: 01/27/24 07:21:31PM
michael
@michael
last year
7,740 posts
Maintanence mode.

ACP -> MODULE -> CORE -> SYSTEM CORE -> GLOBAL CONFIG

Check the box next to "Maintanence Mode" and only admins will be able to login. Everyone else will see a message
Ceri Shaw
Ceri Shaw
@ceri-shaw
last year
84 posts
Great.....many thanks. I appear, however to be in the wrong account. Would it be possible to recover my other account details....the one associated with AmeriCymru? Cant find the login anywhere :(
michael
@michael
last year
7,740 posts
The mail account for that one is '-----------'. Is that enough info? If you use that email in the forgot password system the login will resend.

--edit--
info removed.
updated by @michael: 10/24/23 02:42:16PM
Ceri Shaw
Ceri Shaw
@ceri-shaw
last year
84 posts
Many thanks :)
brian
@brian
last year
10,148 posts
Ceri Shaw:
I feel the need to do this for a day or so to slow down the rate of malicious requests which has been more or less non stop over the last 48 hours. I have 2 other JR sites which I need to work on and I really cant afford to spend all day banning IP's. :(

How are you determining the requests are "malicious"? Are you seeing attempted admin log in messages in your activity log? Just wondering what flags them as malicious.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
Ceri
Ceri
@adolygwr
last year
370 posts
Will respond in detail tomorrow.


--
Ceri Shaw - AmeriCymru
Ceri
Ceri
@adolygwr
last year
370 posts
I have been administering AmeriCymru since 2006. It was formerly hosted on the Ning platform. Obviously over the last 17 years I have formed a pretty good idea of what constitutes 'normal' traffic on the site. Yes there are constant fluctuations but I can usually account for those....unusually popular articles, mailshots etc. The current traffic patterns bear no relation to the norm.

1. I frequently check 'suspicious' IP's on Abuse IPD. Recently I have been visited by many Tor nodes and a large number of other IP's that score 100% 'Confidence of Abuse' on that site. When I click one of these off another dirty IP frequently takes its place almost instantly.

2. Many of the IP's I see in the logfiles are spoofed. That is to say, they purport to be from the US, Australia or Canada and they turn out to be from Romania, Bulgaria, Singapore, Wuhan etc. This is not entirely new BUT the sheer volume of such visits IS.

3. For the last three days there have been constant image download requests , each from a different IP. These 'visitors' do not browse the site at all. They simply appear attempting to download an image ( different image, different IP every time ) and then they sit there without going anywhere else on the site. There have been hundreds if not thousands of these over the past few days.

4. Yesterday when I looked at the logfiles I saw 2 IP's requesting "..../banned/browse". This of course is an admin page which is only viewable by logged in admins . SO....they wouldn't have been able to view it BUT why did they request it?

I am happy to provide screenshots of all this 'activity' in my logfiles if necessary.


--
Ceri Shaw - AmeriCymru

updated by @adolygwr: 10/25/23 02:02:42PM
Ceri
Ceri
@adolygwr
last year
370 posts
I should add that I took the site down last night for about 6 hours to cool things down. The site is back up now and the attacks are continuing.


--
Ceri Shaw - AmeriCymru
brian
@brian
last year
10,148 posts
None of this is an attack. An attack would be sending 100+ requests per second to your site in an effort to bring it down. Also - don't rely on IP address location too much - it changes ALL THE TIME so a whois lookup on an IP may not reflect it's actual location. Based on your "users online" listing I saw I don't see anything out of the ordinary.

Based on my experience running the largest JR site that I am aware of you will see hundreds of bots from all over the world for hundreds of search engines and anything else that might need to "crawl" the web, hitting your site all the time. This is really normal - especially for an old domain.

Just my 2 cents but I think what you're seeing is very normal.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
brian
@brian
last year
10,148 posts
Also - note that you're still running on one of our old servers - we'd love to get you updated to newer, faster server so contact us at support if that sounds like a good idea :)


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
Ceri
Ceri
@adolygwr
last year
370 posts
Well....maybe so BUT this number of dodgy requests is new in my experience and I have been monitoring for a while. Many thanks for taking a look. :)


--
Ceri Shaw - AmeriCymru
Ceri
Ceri
@adolygwr
last year
370 posts
Yes sounds like a good idea. I have to rush out now but will contact support when I get back. Does this also mean I will be upgraded to PHP version 7.1.0 or newer! ? :)


--
Ceri Shaw - AmeriCymru
brian
@brian
last year
10,148 posts
Ceri:
Yes sounds like a good idea. I have to rush out now but will contact support when I get back. Does this also mean I will be upgraded to PHP version 7.1.0 or newer! ? :)

Yep - by default we go to 7.4 but can also switch to 8.2.


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net
Ceri
Ceri
@adolygwr
last year
370 posts
Great. I hereby request to be updated and upgraded :)


--
Ceri Shaw - AmeriCymru
brian
@brian
last year
10,148 posts
Ceri:
Great. I hereby request to be updated and upgraded :)

Make sure and contact us at support - looks like you are using 3rd party DNS for your domain so we'll need to coordinate your upgrade. The upgrade moves your sites to a new more powerful server, but that means the IP address does change so you'll need to be able to update DNS on your end to point to the new IP, so we'll want to coordinate that with you. So shoot off an email to support and we can get that started.

Thanks!


--
Brian Johnson
Founder and Lead Developer - Jamroom
https://www.jamroom.net

Tags