[wp-hackers] Counting failed logins

ifelse wordswithstyle at gmail.com
Mon Dec 5 16:01:20 GMT 2005


Following from this line of thought:
A brute force dictionary attack may be one of the possible lines of attack;
To prevent this and a (D)DoS, log all login attempts in an event table.

Now, before the display of the login screen, check if the number of
unsuccessful attempts in a given time unit exceeds some nominal figure (i.e.
> 100 attempts in an hour time window).

If this is the case, automatically set a 'red-button switch' (i.e. a value
in DB), send a single email to admin and send a http error code for all
subsequent login page requests (until this switch is manually unset/time
elapsed)?

Thoughts?

On 12/5/05, Owen Winkler <ringmaster at midnightcircus.com> wrote:
>
> Scott Merrill wrote:
> > What would constitute an unauthorized capabilities promotion?  That is
> > to say, how would your plugin know which promotions were authorized and
> > which weren't?  Will Armor monitor the entire user's table for
> > permissions, and "do something" when the state changes from one
> > comparison to the next?
>
> That's pretty much exactly what I had in mind.  I was thinking of
> possibly limiting it to sensitive capabilities, like edit_users, but I'm
> not sure if it wouldn't be better just to watch for general changes and
> then alert the admin to them.
>
> Perhaps it could even store a backup of permissions, and in the event of
> an unauthorized change, email the stored admin with a URL to reverse
> those changes.  I'm dreaming up features, here.
>
> > Should there be a record of security events stored in the database, so
> > that an admin can review recent activity from inside the blog?  I don't
> > know that it has much long-term value, but I know I generally despise
> > getting email from my blog.  A long-running attack on a blog might serve
> > as a DoS against the admin's email account, too.  Yuck.
>
> Yeah, I'm not crazy about emails either.  Actually, I hacked that into
> this plugin when I saw Podz's message.
>
> A rolling log would be easy to keep for a preset number of days/events.
>   It would be simple enough to view, too.
>
> A comprehensive logger would also allow you to specify IPs to block
> based on logged activities.  So if someone tried to hack a login or
> somehow succeeded in changing security credentials, an admin could click
> a button to block all further access (via a scripted 412, or maybe a 402
> ;)  ) from that IP.  That could be part of the plugin, too, a
> general-purpose IP-blocker with progressive settings like time-delay,
> easy netblock selection, error code selection, etc.
>
> Owen
>
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
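The counter-and-switch scheme sketched in the message above, written out as an added example (this is not code from the original post, from the plugin Owen describes, or from WordPress). It assumes an in-memory sqlite3 table standing in for the blog's database, a list standing in for the admin mailer, and policy values chosen for illustration: the ">100 in an hour" figure from the post, a one-hour lockout, and HTTP 503 as the error code served while the switch is set.

```python
"""Failed-login counter with a global 'red-button' switch (illustrative example)."""
import sqlite3
from dataclasses import dataclass, field

# Assumed policy values; only the 100-per-hour figure comes from the post.
THRESHOLD = 100          # failed attempts that trip the switch
WINDOW = 3600            # seconds looked back when counting failures
LOCKOUT = 3600           # seconds the switch stays set before it expires on its own

SCHEMA = """
CREATE TABLE IF NOT EXISTS login_events (
    ts       INTEGER NOT NULL,   -- unix time of the attempt
    ip       TEXT    NOT NULL,
    username TEXT    NOT NULL,
    success  INTEGER NOT NULL    -- 1 = authenticated, 0 = failed
);
CREATE INDEX IF NOT EXISTS login_events_ts ON login_events (ts, success);
CREATE TABLE IF NOT EXISTS settings (
    name  TEXT PRIMARY KEY,      -- 'red_button' row holds the time it was tripped
    value INTEGER
);
"""


@dataclass
class LoginGuard:
    conn: sqlite3.Connection
    sent_mail: list = field(default_factory=list)   # stand-in for the admin mailer

    def __post_init__(self):
        self.conn.executescript(SCHEMA)

    def record_attempt(self, ts, ip, username, success):
        """Every attempt, good or bad, goes into the event table."""
        self.conn.execute(
            "INSERT INTO login_events (ts, ip, username, success) VALUES (?, ?, ?, ?)",
            (ts, ip, username, int(success)))

    def failures_since(self, now, ip=None):
        """Failed attempts in the last WINDOW seconds, site-wide or for one IP."""
        sql = "SELECT COUNT(*) FROM login_events WHERE success = 0 AND ts > ?"
        args = [now - WINDOW]
        if ip is not None:
            sql += " AND ip = ?"
            args.append(ip)
        return self.conn.execute(sql, args).fetchone()[0]

    def _tripped_at(self):
        row = self.conn.execute(
            "SELECT value FROM settings WHERE name = 'red_button'").fetchone()
        return row[0] if row else None

    def reset(self):
        """Manual 'unset' of the switch by the admin."""
        self.conn.execute("DELETE FROM settings WHERE name = 'red_button'")

    def login_page_status(self, now):
        """HTTP status to serve for the login page: 200, or 503 while locked out."""
        tripped = self._tripped_at()
        if tripped is not None:
            if now - tripped < LOCKOUT:
                return 503
            self.reset()             # lockout elapsed: unset and re-evaluate below
        if self.failures_since(now) > THRESHOLD:
            # The unset -> set transition happens once, so exactly one mail goes out.
            self.conn.execute(
                "INSERT INTO settings (name, value) VALUES ('red_button', ?)", (now,))
            self.sent_mail.append(f"login lockout tripped at {now}")
            return 503
        return 200


def demo():
    """Constructed scenario: one IP sends 101 failures; the switch trips once."""
    guard = LoginGuard(sqlite3.connect(":memory:"))
    t0 = 1_133_800_000                  # arbitrary epoch time, roughly Dec 2005
    for i in range(101):
        guard.record_attempt(t0 + i, "198.51.100.7", "admin", False)
    during = guard.login_page_status(t0 + 200)            # trips: 503, one mail
    again = guard.login_page_status(t0 + 300)             # still locked, no new mail
    after = guard.login_page_status(t0 + 200 + LOCKOUT)   # lockout elapsed: 200
    return during, again, after, len(guard.sent_mail)


if __name__ == "__main__":
    print(demo())
```

Because the post's switch is site-wide, anyone who can send a hundred bad passwords can keep the real admin locked out, which is the DoS the thread is worried about; `failures_since(now, ip=...)` is there to show the per-IP count that Owen's IP-blocking idea would key on instead.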