[wp-hackers] Limit Login Attempts

Michael Donaghy mike at donaghy.biz
Tue Apr 16 15:55:53 UTC 2013


Yea, that's one disadvantage.  I'm working on a small script/interface so
that they can whitelist their own IPs.

On Tue, Apr 16, 2013 at 11:52 AM, Chris Williams <chris at clwill.com> wrote:

> Great, except if your admins have variable IP addresses, or want to be
> able to manage the site when on the road, or have some emergency and need
> to get to the site from their phone, or ...
>
> On 4/16/13 8:46 AM, "Michael Donaghy" <mike at donaghy.biz> wrote:
>
> >If anyone else is interested, this is what I'm doing to whitelist IPs in
> >apache.  The first allow is an example of an IP, and the second is higher
> >up in the IP block - this is useful for clients whose last number
> >frequently changes.
> >
> >file: pre_virtualhost_global.conf
> >
> ><Files wp-login.php>
> >order deny,allow
> >deny from all
> >allow from 11.22.33.44
> >allow from 11.22.33
> ></Files>
> ><Location /wp-admin/>
> >order deny,allow
> >deny from all
> >allow from 11.22.33.44
> >allow from 11.22.33
> ></Location>
> >
> >On Tue, Apr 16, 2013 at 11:42 AM, Dre Armeda <dre at armeda.com> wrote:
> >
> >> The most effective way to limit issues is at the edge. Unique passwords
> >> will thwart the attack from getting in, but that doesn't account for
> >> resource handling. If you can limit the amount of traffic from ever
> >> getting to the box, you're in a better place. Find out what your host is
> >> doing to limit larger scale brute force attacks, that's your best bet.
> >>
> >> Dre
> >>
> >>  Chip Bennett <mailto:chip at chipbennett.net>
> >>> April 16, 2013 12:39 PM
> >>>
> >>> "Does that overlook something important?"
> >>>
> >>> Well, unless you whitelist your own IP address to bypass the login
> >>> lockout, then if the brute-force attack attacks your actual username,
> >>> you could find yourself locked out of your own site.
> >>>
> >>> Another solution is to .htaccess whitelist your own IP address for
> >>> wp-login.php, but that may not exactly be a low-maintenance solution
> >>> (dynamic IP addresses, logging in from multiple locations/IP
> >>> addresses/devices, etc.).
> >>>
> >>>
> >>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
> >>> _______________________________________________
> >>> wp-hackers mailing list
> >>> wp-hackers at lists.automattic.com
> >>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>> onlyunusedname <mailto:onlyunusedname at gmail.com>
> >>> April 16, 2013 12:32 PM
> >>>
> >>> I've been using something similar to what Jesse describes: limiting
> >>> attempts based on username so that I may disregard IP. Does that
> >>> overlook something important?
> >>>
> >>>
> >>> Tom Barrett <mailto:tcbarrett at gmail.com>
> >>> April 16, 2013 12:30 PM
> >>>
> >>> Is there any way to set up a collective pool, a global 'limit login
> >>> attempts blacklist'?
> >>>
> >>>
> >>> Chip Bennett <mailto:chip at chipbennett.net>
> >>> April 16, 2013 12:25 PM
> >>>
> >>> I agree that Limit Login Attempts is useful, and does block single-IP
> >>> brute-force attacks. (I use, and love, Limit Login Attempts.)
> >>>
> >>> But this particular botnet has demonstrated the ability to vary the IP
> >>> address used to brute-force a given site. That behavior, IIRC, has been
> >>> observed in the wild.
> >>>
> >>> My caution in adding Limit Login Attempts to core in response to this
> >>> attack is that it would give a false sense of security, WRT both
> >>> brute-force login attempts and DDoS.
> >>>
> >>>
> >>> Chris Williams <mailto:chris at clwill.com>
> >>> April 16, 2013 12:14 PM
> >>>
> >>> Because if you only allow each IP four (Five? Six?) login attempts per
> >>> day, you essentially stop them all.
> >>>
> >>> In my log analysis, it's not the case that each IP only makes a few
> >>> attempts. They try hundreds/thousands. Now they are hitting my block,
> >>> which requires a block of four attempts four times (16 total hits in a
> >>> one day period).
> >>>
> >>> If you look at the analysis on this, it all says something like "at
> >>> 1000 attempts/minute it takes only N days to crack your short password".
> >>> Well, at 4 attempts/day, that number becomes millennia.
> >>>
> >>> More to the point, why NOT do this? It doesn't require everyone to
> >>> change their password. It doesn't require everyone to remove the "admin"
> >>> account. It doesn't require any changes at all, yet helps protect even
> >>> the most lax of password choosers.
> >>>
> >>>
> >>>
> >>
>
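The thread above weighs three mechanisms against each other: per-IP attempt limits (which a botnet rotating source addresses evades), per-username limits (which let an attacker hammering the real username lock the owner out), and an IP allow-list on wp-login.php (which bypasses the lockout for the admin's own network). The following Python model, added here as an illustration and not code from any poster or from the Limit Login Attempts plugin, combines all three so the trade-offs can be seen in one place. The limits, the window length, the `LoginThrottle` class and all addresses are constructed assumptions; the allow-list entry `11.22.33.0/24` stands in for the bare `allow from 11.22.33` prefix in Michael's Apache snippet, which matches the whole /24.

```python
"""Per-IP and per-username login throttling with an IP allow-list.

Added example (not code from the thread or from the Limit Login Attempts
plugin). Limits, window and addresses below are constructed assumptions.
"""
import ipaddress
import time
from collections import defaultdict, deque

MAX_PER_IP = 4            # failures tolerated per source IP in the window (assumption)
MAX_PER_USER = 20         # failures tolerated against one username in the window
WINDOW_SECONDS = 24 * 3600


class LoginThrottle:
    def __init__(self, allow_list, now=time.time):
        # Allow-listed networks bypass lockout entirely, like "allow from 11.22.33"
        # in Apache (a three-octet prefix there covers the whole /24).
        self.allow = [ipaddress.ip_network(n, strict=False) for n in allow_list]
        self.now = now                       # injectable clock for tests
        self.by_ip = defaultdict(deque)      # ip -> timestamps of failures
        self.by_user = defaultdict(deque)    # username -> timestamps of failures

    @staticmethod
    def _prune(q, now):
        # Drop failures older than the sliding window.
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()

    def is_allowed(self, ip, username):
        if any(ipaddress.ip_address(ip) in net for net in self.allow):
            return True
        now = self.now()
        ip_q, user_q = self.by_ip[ip], self.by_user[username]
        self._prune(ip_q, now)
        self._prune(user_q, now)
        return len(ip_q) < MAX_PER_IP and len(user_q) < MAX_PER_USER

    def record_failure(self, ip, username):
        now = self.now()
        self.by_ip[ip].append(now)
        self.by_user[username].append(now)

    def attempt(self, ip, username, password_ok):
        """True if the login is accepted; a failure counts against both keys."""
        if not self.is_allowed(ip, username):
            return False
        if password_ok:
            return True
        self.record_failure(ip, username)
        return False


def demo():
    """Walk through the three situations discussed on the list."""
    clock = [0.0]
    t = LoginThrottle(["11.22.33.0/24"], now=lambda: clock[0])

    # 1. Single-IP brute force: after MAX_PER_IP failures that IP is refused
    #    even when it finally presents the right password.
    for _ in range(MAX_PER_IP):
        t.attempt("198.51.100.7", "admin", False)
    single_ip_blocked = not t.attempt("198.51.100.7", "admin", True)

    # 2. Rotating-IP attack on the same username: each IP stays under its own
    #    limit, but the per-username budget is exhausted, so the real owner
    #    logging in from an unlisted address is locked out (Chip's caveat).
    for i in range(MAX_PER_USER):
        t.attempt(f"203.0.113.{i + 1}", "admin", False)
    owner_locked_out = not t.attempt("192.0.2.50", "admin", True)

    # 3. The allow-listed admin network bypasses the lockout (Michael's fix).
    owner_allowed_from_office = t.attempt("11.22.33.44", "admin", True)

    # 4. Once the window rolls over the counters expire.
    clock[0] += WINDOW_SECONDS + 1
    recovered = t.attempt("192.0.2.50", "admin", True)
    return single_ip_blocked, owner_locked_out, owner_allowed_from_office, recovered


if __name__ == "__main__":
    print(demo())  # expected: (True, True, True, True)
```

Note that the `Order`/`Deny`/`Allow` directives in the quoted Apache snippet are the 2.2 access-control syntax; Apache 2.4 expresses the same allow-list with `Require ip`, and the model above is equivalent to that allow-list plus the plugin-style counters.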


More information about the wp-hackers mailing list