• Resolved enigmaticfox

    (@enigmaticfox)


    Greetings!

    We’ve been progressively hardening our WordPress installation with your plugin over the past few weeks, and overall it’s been working great. However, there is one thing that we noticed recently when looking at our logs.

    We have the “Instantly Lockout Invalid Usernames” option checked, but our logs are showing multiple attempts on the same invalid usernames (usually 10 attempts at a time, only seconds apart). So there seems to be some loophole that they’re still getting through.

    We noticed that these attempts are all targeting the /wp-login.php file. Is it possible that the plugin is not counting logins from this vector?

    Happy to help you troubleshoot, though not comfortable giving our site information in a public forum given how much unwelcome hacker attention our site has been attracting recently. Let me know if I can send you any information via email, or sanitized/redacted information here. Thanks!

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, do you also have the Rename Login Page feature enabled under Brute Force tab?

    Under the Firewall tab, do you have the following enabled: Enable Pingback Protection?

    Thread Starter enigmaticfox

    (@enigmaticfox)

    Hey there!

    Rename Login Page: No
    Enable Pingback Protection: Yes (enabled yesterday, since we were also getting a lot of repeat attacks via the xmlrpc.php file)

    Haven’t seen any instances in the logs since yesterday, so maybe enabling the pingback protection yesterday helped? I’ll keep an eye on it over the next few days to see if I can spot anything.

    Thanks!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    You are most welcome.

    You might also like to consider the Rename Login Page feature to create extra security especially if you don’t have members signing up via WordPress.

    Thread Starter enigmaticfox

    (@enigmaticfox)

    Hey there!

    Spotted another flurry of attempts in the logs overnight, all from the same IP address, all failed logins with different invalid usernames via the wp-login.php file.

    Interestingly, if I go to the Locked IP Addresses list, that IP address range is in the list! The timestamp on the lockout corresponds with about the fourth attempt in the log list. But 9 more attempts got through after that timestamp.

    Also interestingly, the plugin did not email me an alert about this particular IP address being locked out. It did email me about the other two currently locked out, and I’m not seeing any other attempts by those IP addresses. Not sure if this is related, but figured it would be an extra data point.

    I’d be willing to consider the renaming solution, but I figured that it might be better to troubleshoot why this is happening first. If I can help you close a loophole, everyone benefits.

    Let me know if there’s any other information I can provide — thanks!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, can you check the log files in the plugin? What is the IP address that is trying to get in? How have you added the IP range for that IP address in Blacklist Manager?

    Thread Starter enigmaticfox

    (@enigmaticfox)

    Hey there!

    Actually, if I go to Dashboard -> AIOWPS Logs and select the log files there in the dropdown, I get the “Log file is empty!” error. I’ve been tracking activity on the site via another plugin currently. Not sure if there’s something we can do to enable the logs (we’re on Rackspace Cloud Sites hosting, if that helps)?

    The IP address that was trying yesterday to get in (it changes every few days, as I think it’s directed via bots) was 195.154.237.108. Unlike most of the other bots we’ve seen thus far, it wasn’t just blindly hammering at the “admin” username with multiple passwords (although that was its first attempted username) — it was trying out multiple invalid usernames that relate to our domain name (luckily, our admin username is not easily guessed).

    Here’s two of the 10 entries from that particular set of attempts yesterday, with some information redacted (“oururl” substituted for our actual domain name):

    France attempted a failed login using an invalid username “wwwoururlcom”. https://oururl.com/wp-login.php
    5/5/2016 4:44:25 AM (5 hours 32 mins ago) IP: 195.154.237.108 Hostname: 195-154-237-108.rev.poneytelecom.eu
    Browser: IE version 9.0 running on Win7
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

    France attempted a failed login using an invalid username “[email protected]”. https://oururl.com/wp-login.php
    5/5/2016 4:44:24 AM (5 hours 32 mins ago) IP: 195.154.237.108 Hostname: 195-154-237-108.rev.poneytelecom.eu
    Browser: IE version 9.0 running on Win7
    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

    The AIOWPS Dashboard display of temporarily locked out IPs at the time read:

    195.154.237.* 0 Admin login_fail 2016-05-05 03:44:15 2016-05-06 03:44:15

    I have not been using the Blacklist Manager on this yet because it’s the “Instantly Lockout Invalid Usernames” functionality that seems to be not actually locking them out (again, trying to help troubleshoot the problem — I could easily lock them out using the Blacklist Manager but that might confuse the issue). I have the instant invalid username lockout set to lock out for a full 24 hours.

    I could take this to email for troubleshooting if you’d prefer, just let me know. Thanks!
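
    The two posts above describe the same symptom: an IP range appears in the Locked IP Addresses list, yet the login log still shows attempts from that range after the lockout timestamp. The script below, added here by the editor and not code from the plugin or from anyone in this thread, turns that comparison into a repeatable check: it parses login-log entries in the format quoted above, parses the lockout row, matches each attempt's IP against an AIOWPS-style wildcard range such as 195.154.237.*, and reports every attempt that fell inside an active lockout window. The log entries are constructed samples modelled on the two redacted lines in the post (the first two entries and the e-mail-style username are invented, since the originals were not shown), and the one-hour offset between the lockout table (03:44:15) and the login log (4:44:24 AM) is treated as an assumed time-zone difference between the two displays, not something the thread confirms.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the redacted entries quoted in the
# post. The first two entries (and the "info@" username) are invented to
# show attempts that happened before the lockout; times are as the
# logging plugin displayed them (site local time).
LOGIN_LOG = """\
France attempted a failed login using an invalid username "admin". https://oururl.com/wp-login.php
5/5/2016 4:44:10 AM (5 hours 32 mins ago) IP: 195.154.237.108 Hostname: 195-154-237-108.rev.poneytelecom.eu
France attempted a failed login using an invalid username "oururl". https://oururl.com/wp-login.php
5/5/2016 4:44:13 AM (5 hours 32 mins ago) IP: 195.154.237.108 Hostname: 195-154-237-108.rev.poneytelecom.eu
France attempted a failed login using an invalid username "wwwoururlcom". https://oururl.com/wp-login.php
5/5/2016 4:44:25 AM (5 hours 32 mins ago) IP: 195.154.237.108 Hostname: 195-154-237-108.rev.poneytelecom.eu
France attempted a failed login using an invalid username "info@oururl.com". https://oururl.com/wp-login.php
5/5/2016 4:44:24 AM (5 hours 32 mins ago) IP: 195.154.237.108 Hostname: 195-154-237-108.rev.poneytelecom.eu
"""

# The lockout row exactly as quoted from the AIOWPS dashboard in the post.
LOCKOUT_ROW = "195.154.237.* 0 Admin login_fail 2016-05-05 03:44:15 2016-05-06 03:44:15"

# Assumption: the lockout table is displayed one hour behind the login log
# (03:44:15 versus 4:44:24 AM in the post). Adjust to your own setup.
ASSUMED_LOG_OFFSET = timedelta(hours=1)

# One log entry spans two lines: the username line, then the timestamp/IP line.
ENTRY_RE = re.compile(
    r'invalid username [“"](?P<user>[^”"]*)[”"].*\n'
    r'(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \(.*?\) '
    r'IP: (?P<ip>[\d.]+)'
)


def parse_login_log(text):
    """Parse the two-line log format into dicts, sorted by attempt time."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "user": m.group("user"),
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("stamp"), "%m/%d/%Y %I:%M:%S %p"),
        })
    return sorted(entries, key=lambda e: e["time"])


def parse_lockout_row(row):
    """Split a lockout row into its IP pattern, reason and lock/release times."""
    fields = row.split()
    return {
        "pattern": fields[0],
        "reason": fields[3],
        "start": datetime.strptime(" ".join(fields[-4:-2]), "%Y-%m-%d %H:%M:%S"),
        "end": datetime.strptime(" ".join(fields[-2:]), "%Y-%m-%d %H:%M:%S"),
    }


def ip_matches(ip, pattern):
    """Match an IPv4 address against a wildcard range like '195.154.237.*'.

    Each '*' octet in the pattern matches any value; other octets must be equal.
    """
    ip_octets = ip.split(".")
    pat_octets = pattern.split(".")
    if len(ip_octets) != 4 or len(pat_octets) != 4:
        return False
    return all(p == "*" or p == o for p, o in zip(pat_octets, ip_octets))


def attempts_that_got_through(entries, lockouts, log_offset=timedelta(0)):
    """Return attempts made while their IP was inside an active lockout window.

    log_offset converts lockout-table time into login-log time, so the two
    sources can be compared even when they are displayed in different zones.
    """
    leaked = []
    for entry in entries:
        for lock in lockouts:
            start = lock["start"] + log_offset
            end = lock["end"] + log_offset
            if ip_matches(entry["ip"], lock["pattern"]) and start <= entry["time"] <= end:
                leaked.append(entry)
                break
    return leaked


def leaked_usernames(log_offset=ASSUMED_LOG_OFFSET):
    """Usernames tried after the lockout took effect, in time order."""
    entries = parse_login_log(LOGIN_LOG)
    lockouts = [parse_lockout_row(LOCKOUT_ROW)]
    return [e["user"] for e in attempts_that_got_through(entries, lockouts, log_offset)]


if __name__ == "__main__":
    for e in attempts_that_got_through(parse_login_log(LOGIN_LOG),
                                       [parse_lockout_row(LOCKOUT_ROW)],
                                       ASSUMED_LOG_OFFSET):
        print(f'{e["time"]}  {e["ip"]}  "{e["user"]}"  attempt inside active lockout')
```

    With the assumed one-hour offset, the two attempts quoted in the post land 9 and 10 seconds after the lockout was recorded and are flagged, while the two earlier (constructed) attempts are not. Run with `log_offset=timedelta(0)` to see how much the result depends on getting the time base right: then every attempt appears to be after the lockout, which is why the first thing to pin down when comparing these two lists is which clock each plugin is using.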

    Plugin Contributor mbrsolution

    (@mbrsolution)

    What happens if you increase the lock out period to a higher number? I still think you should consider the Rename Login Page feature to create extra security. This will definitely stop this issue you are experiencing.

    Regards

  • The topic ‘Instantly Lockout Invalid Usernames not preventing multiple attempts’ is closed to new replies.