Is It Time To Start Blocking All China IPs?

And I’m not kidding…. I did a clean OS and web server install last week for the new web site on WorkPapers.Pro (getting ready for an upcoming software update and September 1 press release), so about one week later, like a good admin, I thought it was time to sip some coffee and go through the authorization logs.
There were the usual Eastern European and former Soviet bloc IPs, so I blocked those, then there were a couple out of the US, so I blocked those IPs. You’d think that I would follow up on the US IPs these days, but understanding that most people who are hacked don’t know that their machine is a launchpad in the first place, I let it go.

Then I get down to Aug. 31 and later and I block IPs that were rogue attempts through this morning from the following:
IP Address: 202.117.3.30
Host Name: 3h30.xjtu.edu.cn
City: XIAN
Region/State: SHAANXI
Postal Code: –
Country Name: CHINA
Country Code: CN
Time Zone: +08:00
ISP: XIAN JIAOTONG UNIVERSITY
Latitude: 34.26
Longitude: 108.936
Domain Name: XJTU.EDU.CN
Net Speed: DSL
IP Decimal: 3396666142

I block the IP above, then start monitoring logins in real time and see this guy/gal is still at it. I block the IP above, then I get another set of attempts from the same subnet 202.117.4….. I block out the whole 202.117.3 subnet, then .4, then another set of attempts from .5!!! By this point…. I think, ‘heck, my web application is not in the Chinese language. Why not block all of China?’ I fell way short of that drastic act, but noticed that after I blocked the whole 202.117 range, everything settled down.
On, on! Gonna go get a workout, then prepare for a WorkPapers.Pro update scheduled for tomorrow night. This one will include some more data export formats and (hopefully… still testing) a reporting module.

However, before doing anything, I am going to re-enable the login failure auto-lockout script again.
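
The escalation described above (single IP, then the 202.117.3, .4 and .5 subnets, then the whole 202.117 range) can be derived from the log itself instead of by hand. The following is an added example, not the author's lockout script: it assumes OpenSSH-style "Failed password" lines, and the log lines, thresholds and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in OpenSSH auth-log format (assumed; the post does not name
# the service). Only 202.117.3.30 is from the post; other addresses are made up.
SAMPLE_LOG = """\
Aug 31 06:01:12 web sshd[811]: Failed password for root from 202.117.3.30 port 40112 ssh2
Aug 31 06:01:15 web sshd[811]: Failed password for root from 202.117.3.30 port 40113 ssh2
Aug 31 06:20:44 web sshd[840]: Failed password for root from 202.117.4.17 port 51200 ssh2
Aug 31 06:20:47 web sshd[840]: Failed password for root from 202.117.4.17 port 51201 ssh2
Aug 31 06:41:03 web sshd[866]: Failed password for invalid user test from 202.117.5.9 port 33810 ssh2
Aug 31 06:41:08 web sshd[866]: Failed password for root from 202.117.5.9 port 33811 ssh2
Aug 31 07:02:30 web sshd[901]: Failed password for alice from 198.51.100.7 port 60022 ssh2
Aug 31 07:02:41 web sshd[901]: Accepted password for alice from 198.51.100.7 port 60022 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) ")

def noisy_hosts(log_text, min_failures=2):
    """Return /32 networks for sources with at least min_failures failed logins."""
    counts = Counter(m.group(1) for m in map(FAILED.search, log_text.splitlines()) if m)
    hosts = []
    for addr, n in counts.items():
        try:
            if n >= min_failures:
                hosts.append(ipaddress.ip_network(addr))
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
            continue
    return hosts

def collapse(nets, prefix, min_children):
    """Swap nets for their /prefix parent only when min_children of them share it."""
    groups = defaultdict(list)
    for net in nets:
        groups[net.supernet(new_prefix=prefix)].append(net)
    out = []
    for parent, kids in groups.items():
        out.extend([parent] if len(kids) >= min_children else kids)
    return out

def suggest_blocks(log_text):
    """Narrowest CIDRs to block: host -> /24 (2+ hosts) -> /16 (3+ networks)."""
    nets = collapse(noisy_hosts(log_text), 24, 2)
    return sorted(str(n) for n in collapse(nets, 16, 3))

if __name__ == "__main__":
    print(suggest_blocks(SAMPLE_LOG))
```

A single mistyped password from 198.51.100.7 stays below the threshold, so a legitimate user who then logs in successfully is not proposed for blocking.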
