• Resolved everdred

    (@everdred)


    As of late, I’ve noticed many WordPress login attempts in my daily logwatch emails that say that a particular IP/username combination was attempted exactly 200 times. At first I assumed one or more attackers must be running a script that makes exactly 200 attempts, but after a few weeks of this, I decided to dig into the logs myself to confirm it.

    I was surprised to find I can’t find comparable numbers of POSTs in my Apache log to support the figures I’m seeing written to my auth log.

      Example 1

    My logwatch email says:

    wordpress(my-domain.com): Authentication failure for news from 188.143.___.___: 200 Time(s)

    Log greps say:

    hostname:~# grep 188.143.___.___ /var/log/apache2/access.log | grep POST | wc -l
    2
    hostname:~# grep 188.143.___.___ /var/log/auth.log | wc -l
    200

      Example 2

    While 200 is a number I often find, it is not the only one. I decided to look into another abnormally high number.

    Logwatch email:

    wordpress(my-domain.com): Authentication failure for admin from 198.1.___.___: 599 Time(s)

    Actual logs:

    hostname:~# grep 198.1.___.___ /var/log/apache2/access.log | grep POST | wc -l
    4
    hostname:~# grep 198.1.___.___ /var/log/auth.log | wc -l
    599

      Example 3

    The abnormally high numbers are not always in the hundreds.

    Logwatch email:

    wordpress(my-domain.com): Authentication failure for admin from 115.144.___.___: 42 Time(s)

    Actual logs:

    hostname:~# grep 115.144.___.___ /var/log/apache2/access.log | grep POST | wc -l
    3
    hostname:~# grep 115.144.___.__ /var/log/auth.log | wc -l
    42

    (My Apache and auth logs rotate at the same time.)

    The first example I can find of this behavior was on October 12, and I’ve seen at least one example of it daily since then. The www.ads-software.com page says the plugin was last updated “4 weeks ago” so I figure this may be a bug introduced in the latest release.

    https://www.ads-software.com/plugins/wp-fail2ban/

Viewing 4 replies - 1 through 4 (of 4 total)
  • I have those high numbers too in my logwatch emails but I didn’t doubt them.
    Have you checked the number of entries inside auth log?
    Maybe it's just logwatch miscalculating?

    Thread Starter everdred

    (@everdred)

    I appreciate the response. In my original post I demonstrated that the inflated number of entries in auth.log are identical to the numbers that logwatch claims.

    (It may be necessary to scroll the quoted snippets in the original post horizontally, in order to see the logwatch figures, which are a single long line.)

    oops, so sorry, I completely missed that, must be getting late. I only saw the comparison to the apache logs

    Plugin Author invisnet

    (@invisnet)

    I’m pretty sure this was caused by attacks on XML-RPC. WPf2b 3.0 has some new features that should help with this – let me know how you get on.
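
Added example (not part of the thread and not the plugin's code): one way to check the XML-RPC explanation against the two logs compared in the original post, by counting POSTs per IP and path in the Apache log next to authentication failures per IP in auth.log. The log line layouts, the documentation-range IPs, the `correlate` name and the `ratio` threshold are assumptions made for this sketch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data; the auth line is modelled on the logwatch summary in the post.
ACCESS_LOG = """\
203.0.113.5 - - [12/Oct/2015:06:25:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4012 "-" "-"
203.0.113.5 - - [12/Oct/2015:06:25:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 4012 "-" "-"
198.51.100.7 - - [12/Oct/2015:07:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1650 "-" "-"
198.51.100.7 - - [12/Oct/2015:07:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1650 "-" "-"
198.51.100.7 - - [12/Oct/2015:07:00:05 +0000] "GET / HTTP/1.1" 200 9000 "-" "-"
"""
AUTH_LOG = (
    "Oct 12 06:25:01 host wordpress(my-domain.com)[812]: "
    "Authentication failure for admin from 203.0.113.5\n" * 200
    + "Oct 12 07:00:00 host wordpress(my-domain.com)[813]: "
    "Authentication failure for news from 198.51.100.7\n" * 2
)

# Assumed layouts: Apache combined log format and a syslog-style auth.log line.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST (\S+)')
AUTH_RE = re.compile(
    r"wordpress\([^)]*\)(?:\[\d+\])?: Authentication failure for .* from (\S+)$"
)

def correlate(access_text, auth_text, ratio=5):
    """Per IP: logged failures vs. POSTs, flagging failures > ratio * POSTs."""
    posts = defaultdict(Counter)  # ip -> path -> number of POSTs
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            posts[m.group(1)][m.group(2).split("?")[0]] += 1
    failures = Counter()
    for line in auth_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    report = {}
    for ip, failed in failures.items():
        n_posts = sum(posts[ip].values())
        report[ip] = {
            "failures": failed,
            "posts": n_posts,
            "xmlrpc_posts": posts[ip]["/xmlrpc.php"],
            "amplified": failed > ratio * max(n_posts, 1),
        }
    return report

if __name__ == "__main__":
    for ip, row in sorted(correlate(ACCESS_LOG, AUTH_LOG).items()):
        print(ip, row)
```

An IP flagged `amplified` whose POSTs all went to `/xmlrpc.php` fits the plugin author's explanation; one whose POSTs went to `/wp-login.php` does not and needs a different cause.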

  • The topic ‘Plugin seems to severely overstate the number of login attempts’ is closed to new replies.