• Hi guys,

    I’m getting a few attempts at ‘trying to login as admin’ on my website, which are all blocked – so no problem there.

    Only problem then, is every morning when I wake up, I need to clear around 20-30 notifications out of my inbox, saying that an admin login has been blocked.

    I noticed that the ‘banned users’ module has a ‘wildcard’ feature, where you can place an ip address in the form 185.86.*.* into the ‘ban hosts’ section – but on saving the settings and refreshing, the ip address changes to 185.86.0.0/16

    Is this a bug, or should I be entering the wildcard somewhere else?

    • This topic was modified 6 years, 8 months ago by steveraven.
Viewing 4 replies - 1 through 4 (of 4 total)
  • The text underneath the Ban Hosts field says:

    Wildcards are only for convenient entering of IP addresses, and will be automatically converted to their appropriate CIDR notation format on save.

    So 185.86.0.0/16 is the format of 185.86.*.* converted to CIDR notation.

    To prevent the load of emails it’s probably better to enable the Security Digest setting in the Notification Center module.

    Thread Starter steveraven

    (@steveraven)

    Ok, I’ll enter the CIDR notification and see what that does.

    If it works, there really shouldn’t be a need to alter the Notification settings, as after one attempt to login as admin, there should be no further attempts – as 185.86.0.0/16 should block the lot if what you’re saying is right.

    CIDR notification = CIDR notation

    True but I was looking at the bigger picture.

    If attacks suddenly start coming in from a different range of IPs you would again receive all those lockout emails and you would need to add a new IP range to the Ban Hosts blacklist. And this exercise may repeat endlessly …

    So that’s why I recommended to enable the Security Digest setting.
    (Which by the way seems to have a bug where 2 identical emails are sent).

    But let’s take this a bit further …

    It would be even better if you determined how those brute force login attempts are being performed … From the login page or using xml-rpc etc
    And then use the right module/setting in the plugin to prevent that from happening.
    For example if these are failed login attempts from the login page enable the Hide Backend module. Good chance the login attempts as “admin” (basically any malicious login attempts) will stop hitting your site …

    If it’s an automated brute force attack using xml-rpc disable XML-RPC in the WordPress Tweaks module. However if your site needs XML-RPC this is probably not an option.

    So have a look at the Login Source field (click on View Details) of the Brute Force module entries in the plugin Logs page and find out how your site is being attacked.

    Also why is your site under (brute force) attack ? Apparently it is considered low hanging fruit on the internet …
    So what can you do to make your site less attractive to attackers (bots) …
    For instance if usernames can easily be harvested from your site, you are considered as an easy brute force target. So prevent user enumeration on your site … Good chance attackers will no longer be interested in attacking your site and they’ll move on to lower hanging fruit on the internet …

    Defending against attacks is great but preventing any attacks is even better.

    Thread Starter steveraven

    (@steveraven)

    Yeah, it’s dodgy all around this one is.

    I always check an ip address to see where it was coming from, and usually it’s from the likes of the Ukraine – the 185.86.*.* address though is showing as NO ip address found.

    No new attacks since the CIDR addition, but one new attempt from 185.85.*.*

    What does the Security Digest setting do?

    I’ll also go through a few of those settings you mentioned.

    Thanks for the input!

  • The topic ‘Blocking Login Attempts Using Wildcards’ is closed to new replies.
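
The wildcard-to-CIDR conversion quoted in the first reply (185.86.*.* saved as 185.86.0.0/16), sketched in Python as an added example. It is not the plugin's code; the function names, the rejection of non-trailing or all-wildcard patterns, and the sample addresses are assumptions made here. It also shows why the later attempt from 185.85.*.* is not covered by the saved entry.

```python
import ipaddress


def wildcard_to_cidr(pattern):
    """Convert a trailing-wildcard IPv4 pattern (185.86.*.*) to a CIDR network."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    fixed, seen_wildcard = [], False
    for octet in octets:
        if octet == "*":
            seen_wildcard = True
            continue
        if seen_wildcard:
            # 185.*.86.1 is not one contiguous block, so no single CIDR exists
            raise ValueError(f"wildcard must be trailing: {pattern!r}")
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet {octet!r} in {pattern!r}")
        fixed.append(str(int(octet)))
    if not fixed:
        # *.*.*.* would be 0.0.0.0/0 and ban every visitor, the admin included
        raise ValueError("refusing to ban the whole address space")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def parse_entry(entry):
    """Accept a ban entry as a wildcard, a CIDR range, or a single address."""
    if "*" in entry:
        return wildcard_to_cidr(entry)
    return ipaddress.ip_network(entry.strip(), strict=False)


def matching_ban(ip, ban_hosts):
    """Return the CIDR range that covers ip, or None if no entry matches."""
    addr = ipaddress.ip_address(ip)
    for entry in ban_hosts:
        net = parse_entry(entry)
        if addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    ban_hosts = ["185.86.*.*"]  # the entry as typed in the thread
    for ip in ("185.86.12.34", "185.85.7.9"):  # constructed sample addresses
        print(ip, "->", matching_ban(ip, ban_hosts) or "not banned")
```

A /16 covers 65,536 addresses, so each entry added this way blocks one such block and nothing in the neighbouring ranges.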