[wp-hackers] Counting failed logins

[Owen Winkler]

Scott Merrill wrote:
> What would constitute an unauthorized capabilities promotion?  That is
> to say, how would your plugin know which promotions were authorized and
> which weren't?  Will Armor monitor the entire user's table for
> permissions, and "do something" when the state changes from one
> comparison to the next?

That's pretty much exactly what I had in mind.  I was thinking of 
possibly limiting it to sensitive capabilities, like edit_users, but I'm 
not sure if it wouldn't be better just to watch for general changes and 
then alert the admin to them.

Perhaps it could even store a backup of permissions, and in the event of 
an unauthorized change, email the stored admin with a URL to reverse 
those changes.  I'm dreaming up features, here.

> Should there be a record of security events stored in the database, so
> that an admin can review recent activity from inside the blog?  I don't
> know that it has much long-term value, but I know I generally despise
> getting email from my blog.  A long-running attack on a blog might serve
> as a DoS against the admin's email account, too.  Yuck.

Yeah, I'm not crazy about emails either.  Actually, I hacked that into 
this plugin when I saw Podz's message.

A rolling log would be easy to keep for a preset number of days/events. 
  It would be simple enough to view, too.

A comprehensive logger would also allow you to specify IPs to blcok 
based on logged activities.  So if someone tried to hack a login or 
somehow succeeded in changing security credentials, an admin could click 
a button to block all further access (via a scripted 412, or maybe a 402 
;)  ) from that IP.  That could be part of the plugin, too, a 
general-purpose IP-blocker with progressive settings like time-delay, 
easy netblock selection, error code selection, etc.

Owen