Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author invisnet

    (@invisnet)

    Thanks for that – I’ve added something similar to 2.1.0, released last night.

    Thread Starter geeklol

    (@geeklol)

    Hi Invisnet,
    I’ll try it right now! Thank you.

    Laurent.

    Thread Starter geeklol

    (@geeklol)

    Hi again,
May I suggest a small improvement?

I think it would be better to have the two fail2ban filters separated, because it is preferable to treat “user enumeration” and “login attempts” separately:
You can, for example, allow three attempts for login, while you absolutely MUST block user enumeration at the first attempt…

    Thank you.

    Laurent.

    I actually have three different filters
    1. for attempts on admin / administrator
    2. the other for general logins
    3. one for enumeration

Fairly simple to create; just change the regexes.

    By the way thanks for incorporating, well actually improving, my stop enumeration code.

    Alan – aka llocally – aka roibot (must get round to combining my ids)

    Thread Starter geeklol

    (@geeklol)

    Hi,
    @llocally: the solution is effectively to get more than one filter

    @invisnet
    Your filter for user enumeration doesn’t work, nothing is logged in /var/log/auth.log.
Did you try it before you updated?

    Regards.

    @geeklol

1. Yes, I can’t think of any way of having different sensitivities in the same filter, so a filter per ‘sensitivity’ would be required.

    2. I just fully tested this on my server and it works fine.

First, have you turned on enumeration blocking with
define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION', true);
?

Second, have you looked in your syslog (e.g. /var/log/syslog or /var/log/messages) rather than your auth log?

    hope that points you in the right direction

    Thread Starter geeklol

    (@geeklol)

    Hi llocally,
    It’s a mystery …

Detection of attempts to enumerate users does not work on all my WordPress sites (all version 3.6).
The llocally filter and the invisnet filter do not react the same way …
    I need to do more testing before drawing conclusions.

    Anyway, thank you very much to both of you for the job!

    Congratulations gentlemen!

    Thread Starter geeklol

    (@geeklol)

    Hi,
I’d like to understand.

    1) For the two filters (stop user enumeration and wp-fail2ban) you must enable “permalinks”.
    2) If stop-user-enumeration AND wp-fail2ban are both activated, stop-user-enumeration takes over (it is the first to intercept attempts).

    I will opt for one plugin: wp-fail2ban, but I’ll split the filter into two (maybe three later):
    1) Connection attempts:

    failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
                ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$

    2) Enumeration attempts:

    failregex = ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$

So I installed one plugin, BUT I treat simple connection attempts and enumeration attempts (which for me are much more aggressive) differently.

    It must be remembered, fail2ban is not there to protect you, but simply to avoid a flood of logs. REAL protection lies in the complexity of passwords …

    Laurent.
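The thread's conclusion is that one filter cannot carry two sensitivities, so login failures and enumeration attempts need separate jails with their own maxretry. The script below is an added example, not code from the wp-fail2ban plugin or from any poster: it applies the two failregex sets from the post above to a constructed syslog excerpt and shows why one host is banned by the enumeration jail on its first hit while the login jail waits for the third. The `PREFIX_LINE` and `HOST` expressions are simplified stand-ins for fail2ban's `%(__prefix_line)s` and `<HOST>` (the real ones are broader), the jail names and maxretry values are assumptions chosen to mirror the discussion, and fail2ban's findtime window and firewall action are left out.

```python
import re
from collections import defaultdict

# Assumed simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST>.
# The real definitions (fail2ban's common.conf and its <HOST> expansion) are
# broader; these cover syslog lines of the form
# "Mon DD HH:MM:SS host prog[pid]: message".
PREFIX_LINE = r"(?:\S+\s+\d+\s+[\d:]+\s+\S+\s+)?(?:\S+\[\d+\]:\s+)?"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex sets from the post, one per jail.
LOGIN_FAILREGEX = [
    r"^" + PREFIX_LINE + r"Authentication failure for .* from " + HOST + r"$",
    r"^" + PREFIX_LINE + r"Blocked authentication attempt for .* from " + HOST + r"$",
]
ENUM_FAILREGEX = [
    r"^" + PREFIX_LINE + r"Blocked user enumeration attempt from " + HOST + r"$",
]

# Jail names and maxretry values are assumptions mirroring the thread:
# three tries for logins, zero tolerance for enumeration.
JAILS = {
    "wordpress-auth": {"failregex": [re.compile(p) for p in LOGIN_FAILREGEX], "maxretry": 3},
    "wordpress-enum": {"failregex": [re.compile(p) for p in ENUM_FAILREGEX], "maxretry": 1},
}

# Constructed syslog excerpt: hostnames, PIDs and addresses are made up
# (RFC 5737 documentation ranges), not captured from any real server.
SAMPLE_LOG = [
    "Oct  3 12:00:01 web1 wordpress(example.com)[2231]: Authentication failure for admin from 203.0.113.5",
    "Oct  3 12:00:07 web1 wordpress(example.com)[2231]: Authentication failure for admin from 203.0.113.5",
    "Oct  3 12:00:09 web1 wordpress(example.com)[2231]: Blocked user enumeration attempt from 198.51.100.9",
    "Oct  3 12:00:12 web1 wordpress(example.com)[2231]: Blocked authentication attempt for administrator from 203.0.113.5",
    "Oct  3 12:00:15 web1 sshd[900]: Failed password for root from 198.51.100.9 port 4444 ssh2",
    "Oct  3 12:00:20 web1 wordpress(example.com)[2231]: Authentication failure for laurent from 192.0.2.77",
]


def match_host(line, failregex):
    """Return the <HOST> captured by the first matching failregex, or None."""
    for pattern in failregex:
        m = pattern.match(line)
        if m:
            return m.group("host")
    return None


def evaluate(lines, jails=JAILS):
    """Count matches per jail and host.

    A host is marked banned by a jail once its count reaches that jail's
    maxretry. fail2ban's findtime window and the actual firewall action are
    omitted; the point is only how the two filters differ in sensitivity.
    Returns (counts, bans): counts[jail][host] -> int, bans -> {(jail, host)}.
    """
    counts = {name: defaultdict(int) for name in jails}
    bans = set()
    for line in lines:
        for name, jail in jails.items():
            host = match_host(line, jail["failregex"])
            if host is None:
                continue
            counts[name][host] += 1
            if counts[name][host] >= jail["maxretry"]:
                bans.add((name, host))
    return counts, bans


if __name__ == "__main__":
    counts, bans = evaluate(SAMPLE_LOG)
    for name in JAILS:
        print(name, dict(counts[name]))
    for name, host in sorted(bans):
        print("ban:", name, host)
```

Running it shows 203.0.113.5 reaching the login jail's limit only on its third failure, 192.0.2.77 staying unbanned after one, and 198.51.100.9 banned by the enumeration jail immediately; the sshd line matches neither filter, which is the other reason to anchor each failregex on the plugin's exact message text.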

  • The topic ‘Block enumerate users’ is closed to new replies.