• Resolved manuel38

    (@manuel38)


    Seeing lines like these in my access logs, over and over and over and over is clearly a brute force login attempt isn’t it? Why would enabling “protect” not stop this?

    www.site.com:80 103.27.239.197 - - [03/Dec/2015:14:39:58 +0400] "GET /wp/wp-login.php HTTP/1.1" 404 42730 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

    www.site.com:80 103.27.239.197 - - [03/Dec/2015:14:39:51 +0400] "POST //wp-login.php HTTP/1.1" 200 4323 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

    This continued at a rate of upwards of 5-6 POST requests per second for 45 minutes solid today. Why wasn’t it blocked by protect?

    Why does protect only have a whitelist and not a blacklist (more useful I would think, I still want to stop hacking even from the networks I use myself, while there is no reason to allow known attackers!)

    Even though protect didn’t block this blatant attempted intruder it often blocks me by mistake. Sometimes I have to ssh tunnel through the local to even get in.

    There is something in WordPress that is blocking too many failed login attempts even when Protect is disabled that produces an error message like this:

    error message

    Where is this set or controlled from? This also gives me false positives on myself but not as much as Protect. It also failed to foil this legitimate attacker shown above.

    Can anyone explain?

    Thanks

    https://www.ads-software.com/plugins/jetpack/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Jeremy Herve

    (@jeherve)

    Jetpack Mechanic

    Protect should indeed catch the 2nd attempt, if it’s repeated, uses the same IP, and if it triggers a failed login attempt response from WordPress. Once the IP is flagged, it either gets a math fallback allowing it to try to log in again, or can’t even access the log in page at all and gets banned.

    The first attempt, however, didn’t hit your log in form and generated a 404 error, so Protect can’t catch that.

    Since something didn’t quite work on your site, could you send us more details about the site and the attempts via this contact form, so we can take a closer look?
    https://jetpack.me/contact-support/

    Thanks!

    Why does protect only have a whitelist and not a blacklist (more useful I would think, I still want to stop hacking even from the networks I use myself, while there is no reason to allow known attackers!)

    It does have a blacklist, but it’s a global one, shared among all Jetpack Protect users. Once an IP has been flagged on one site, it’s added to the blacklist so it can’t keep trying to log in on other sites.

    Would you like to have a local blacklist as well, where you could provide additional IPs that would only be flagged on your own site? That’s not possible at the moment, but that’s something we could consider.

    There is something in WordPress that is blocking too many failed login attempts even when Protect is disabled that produces an error message like this:

    error message

    This is most likely created by this plugin:
    https://www.ads-software.com/plugins/wp-limit-login-attempts/

    You can learn more about it in the article where this image appears:
    https://www.webhostinghub.com/help/learn/website/wordpress-tutorials/limit-login-attempts
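
One way to measure the pattern discussed in this thread from the access log itself, as an added example that is not part of the original posts or of Jetpack's code: it counts failed-login POSTs to wp-login.php per IP in a sliding window and separately tallies 404 probes that never reached the login form. The threshold, the window, the reading of a 200 response to a POST as a failed login (WordPress's default behaviour) and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache vhost-prefixed combined log layout, as in the lines quoted in the thread.
LINE_RE = re.compile(
    r'^\S+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Drop any query string and collapse "//wp-login.php" to "/wp-login.php".
    path = re.sub(r"/{2,}", "/", m["path"].split("?", 1)[0])
    return m["ip"], ts, m["method"], path, int(m["status"])

def summarize(lines, threshold=5, window=timedelta(seconds=10)):
    """Return (flagged {ip: peak POSTs per window}, probes {ip: 404 count})."""
    events = sorted(e for e in map(parse, lines)
                    if e and e[3].endswith("/wp-login.php"))
    recent, peak, probes = defaultdict(deque), defaultdict(int), defaultdict(int)
    for ip, ts, method, path, status in events:  # sorted by IP, then time
        if status == 404:
            probes[ip] += 1  # wrong path: request never reached the login form
        elif method == "POST" and status == 200:
            # Assumed WordPress default: a failed login returns 200 (form shown
            # again); a successful login is a 302 redirect and is not counted.
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            peak[ip] = max(peak[ip], len(q))
    flagged = {ip: n for ip, n in peak.items() if n >= threshold}
    return flagged, dict(probes)

def sample_log():
    """Constructed sample lines (documentation-range IPs), not real traffic."""
    fmt = ('www.site.com:80 {ip} - - [03/Dec/2015:14:39:{s:02d} +0400] '
           '"{req} HTTP/1.1" {st} 4323 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="203.0.113.7", s=n // 5, req="POST //wp-login.php", st=200)
             for n in range(50, 80)]  # 5 failed POSTs per second for 6 seconds
    lines.append(fmt.format(ip="203.0.113.7", s=58, req="GET /wp/wp-login.php", st=404))
    lines.append(fmt.format(ip="198.51.100.20", s=20, req="POST /wp-login.php", st=200))
    lines.append(fmt.format(ip="198.51.100.20", s=31, req="POST /wp-login.php", st=302))
    return lines

if __name__ == "__main__":
    print(summarize(sample_log()))
```

A single mistyped password followed by a successful login stays under the threshold, while the sustained POST burst is flagged with its peak rate.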

    Thread Starter manuel38

    (@manuel38)

    Thank you for the info.

    I have contacted support as requested.

    Local blacklist would be nice.

  • The topic ‘Why isn't jetpack blocking thousands of login attempts?’ is closed to new replies.