[wp-hackers] Counting failed logins
wordswithstyle at gmail.com
Mon Dec 5 16:01:20 GMT 2005
Following from this line of thought:
A brute force dictionary attack may be one of the possible lines of attack;
To prevent this and a (D)DOS, log all login attempts in an event table.
Now, before the display of the login screen, check if the number of
unsuccessful attempts in a given time unit exceeds some nominal figure (i.e.
> 100 attempts in an hour time window).
If this is the case, automatically set a 'red-button switch' (i.e. a value
in DB), send a single email to admin and send an HTTP error code for all
subsequent login page requests (until this switch is manually unset/time
On 12/5/05, Owen Winkler <ringmaster at midnightcircus.com> wrote:
> Scott Merrill wrote:
> > What would constitute an unauthorized capabilities promotion? That is
> > to say, how would your plugin know which promotions were authorized and
> > which weren't? Will Armor monitor the entire user's table for
> > permissions, and "do something" when the state changes from one
> > comparison to the next?
> That's pretty much exactly what I had in mind. I was thinking of
> possibly limiting it to sensitive capabilities, like edit_users, but I'm
> not sure if it wouldn't be better just to watch for general changes and
> then alert the admin to them.
> Perhaps it could even store a backup of permissions, and in the event of
> an unauthorized change, email the stored admin with a URL to reverse
> those changes. I'm dreaming up features, here.
> > Should there be a record of security events stored in the database, so
> > that an admin can review recent activity from inside the blog? I don't
> > know that it has much long-term value, but I know I generally despise
> > getting email from my blog. A long-running attack on a blog might serve
> > as a DoS against the admin's email account, too. Yuck.
> Yeah, I'm not crazy about emails either. Actually, I hacked that into
> this plugin when I saw Podz's message.
> A rolling log would be easy to keep for a preset number of days/events.
> It would be simple enough to view, too.
> A comprehensive logger would also allow you to specify IPs to block
> based on logged activities. So if someone tried to hack a login or
> somehow succeeded in changing security credentials, an admin could click
> a button to block all further access (via a scripted 412, or maybe a 402
> ;) ) from that IP. That could be part of the plugin, too, a
> general-purpose IP-blocker with progressive settings like time-delay,
> easy netblock selection, error code selection, etc.
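The failed-login check proposed at the top of this message, sketched as an added example; it is not code from the thread or from any WordPress plugin. The SQLite stand-in for the blog database, the table, function and callback names, and the choice of 503 as the HTTP error code are all assumptions.

```python
import sqlite3

WINDOW_SECONDS = 3600  # the post's hour-long time window
MAX_FAILURES = 100     # the post's "> 100 attempts"

def open_store():
    """In-memory stand-in for the blog database (table names are hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_events (ts INTEGER, ip TEXT, username TEXT, ok INTEGER)")
    db.execute("CREATE TABLE switches (name TEXT PRIMARY KEY, value INTEGER)")
    db.executemany("INSERT INTO switches VALUES (?, 0)", [("lockdown",), ("reset_ts",)])
    return db

def get_switch(db, name):
    return db.execute("SELECT value FROM switches WHERE name = ?", (name,)).fetchone()[0]

def record_attempt(db, now, ip, username, ok):
    db.execute("INSERT INTO login_events VALUES (?, ?, ?, ?)", (now, ip, username, int(ok)))

def login_page_status(db, now, notify_admin):
    """Call before rendering the login form; returns the HTTP status to send."""
    if get_switch(db, "lockdown"):
        return 503  # assumed error code; the post does not name one
    # Count failures in the window, ignoring any from before the last manual reset
    since = max(now - WINDOW_SECONDS, get_switch(db, "reset_ts"))
    query = "SELECT COUNT(*) FROM login_events WHERE ok = 0 AND ts > ?"
    (failures,) = db.execute(query, (since,)).fetchone()
    if failures <= MAX_FAILURES:
        return 200
    # Conditional UPDATE: only the request that flips 0 -> 1 sends the single e-mail
    flipped = db.execute(
        "UPDATE switches SET value = 1 WHERE name = 'lockdown' AND value = 0").rowcount
    if flipped:
        notify_admin(f"{failures} failed logins since t={since}; login page disabled")
    return 503

def reset_lockdown(db, now):
    """Manual unset by the admin; remembers when, so old failures do not re-trip it."""
    db.execute("UPDATE switches SET value = 0 WHERE name = 'lockdown'")
    db.execute("UPDATE switches SET value = ? WHERE name = 'reset_ts'", (now,))

def demo():
    """Constructed run: 101 failures from a documentation IP, then three page loads."""
    db, mails = open_store(), []
    for i in range(101):
        record_attempt(db, 1000 + i, "192.0.2.10", "admin", False)
    statuses = [login_page_status(db, 1200, mails.append) for _ in range(3)]
    reset_lockdown(db, 1300)
    statuses.append(login_page_status(db, 1301, mails.append))
    return statuses, len(mails)
```

The switch here is global, so once it trips every visitor to the login page gets the error until an admin resets it; the reset timestamp keeps the failures already logged from setting it again on the next request.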