[wp-hackers] Counting failed logins
wordswithstyle at gmail.com
Mon Dec 5 16:14:03 GMT 2005
Actually, I'll take back what I said... lack of sleep is not good for the
thought processes:) Sorry guys.
On 12/5/05, ifelse <wordswithstyle at gmail.com> wrote:
> Following from this line of thought:
> A brute force dictionary attack may be one of the possible lines of
> attack; To prevent this and a (D)DOS, log all login attempts in an event
> Now, before the display of the login screen, check if the number of
> unsuccessful attempts in a given time unit exceeds some nominal figure (
> i.e. > 100 attempts in a hour time window).
> If this is the case, automatically set a 'red-button switch' (i.e. a value
> in DB), send a single email to admin and send a http error code for all
> subsequent login page requests (until this switch is manually unset/time
> On 12/5/05, Owen Winkler <ringmaster at midnightcircus.com> wrote:
> > Scott Merrill wrote:
> > > What would constitute an unauthorized capabilities promotion? That is
> > > to say, how would your plugin know which promotions were authorized and
> > > which weren't? Will Armor monitor the entire user's table for
> > > permissions, and "do something" when the state changes from one
> > > comparison to the next?
> > That's pretty much exactly what I had in mind. I was thinking of
> > possibly limiting it to sensitive capabilities, like edit_users, but I'm
> > not sure if it wouldn't be better just to watch for general changes and
> > then alert the admin to them.
> > Perhaps it could even store a backup of permissions, and in the event of
> > an unauthorized change, email the stored admin with a URL to reverse
> > those changes. I'm dreaming up features, here.
> > > Should there be a record of security events stored in the database, so
> > > that an admin can review recent activity from inside the blog? I don't
> > > know that it has much long-term value, but I know I generally despise
> > > getting email from my blog. A long-running attack on a blog might serve
> > > as a DoS against the admin's email account, too. Yuck.
> > Yeah, I'm not crazy about emails either. Actually, I hacked that into
> > this plugin when I saw Podz's message.
> > A rolling log would be easy to keep for a preset number of days/events.
> > It would be simple enough to view, too.
> > A comprehensive logger would also allow you to specify IPs to block
> > based on logged activities. So if someone tried to hack a login or
> > somehow succeeded in changing security credentials, an admin could click
> > a button to block all further access (via a scripted 412, or maybe a 402
> > ;) ) from that IP. That could be part of the plugin, too, a
> > general-purpose IP-blocker with progressive settings like time-delay,
> > easy netblock selection, error code selection, etc.
> > Owen
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
Phu | http://ifelse.co.uk
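The tripwire from the quoted proposal (rolling log of failed logins, a threshold per time window, a single admin alert, an HTTP error for later login requests until the switch is manually unset) together with the per-IP block list Owen describes, as an added Python sketch; it is not code from this thread or from any WordPress plugin, and the threshold, window length, HTTP status and the `alert` callback are assumed parameters:

```python
import time
from collections import deque


class LoginGuard:
    """Rolling failed-login log, a global 'red-button' switch and a per-IP block list.

    Caveat: anyone who fails logins fast enough can trip the global switch and
    lock legitimate users out too, so the per-IP list is the narrower tool.
    """

    def __init__(self, threshold=100, window=3600, blocked_status=412, alert=None):
        self.threshold = threshold              # failures per window before tripping
        self.window = window                    # window length in seconds
        self.blocked_status = blocked_status    # HTTP status answered while blocked
        self.alert = alert or (lambda msg: None)  # e.g. a mail sender; called once
        self.failures = deque()                 # rolling log of (timestamp, ip)
        self.tripped = False                    # the 'red-button switch'
        self.alerts_sent = 0
        self.blocked_ips = set()

    def _prune(self, now):
        # Drop log entries that have aged out of the time window.
        while self.failures and now - self.failures[0][0] >= self.window:
            self.failures.popleft()

    def failures_in_window(self, now=None):
        self._prune(time.time() if now is None else now)
        return len(self.failures)

    def record_failure(self, ip, now=None):
        """Log one failed login; trip the switch and alert once when the rate is exceeded."""
        now = time.time() if now is None else now
        self.failures.append((now, ip))
        if self.failures_in_window(now) > self.threshold and not self.tripped:
            self.tripped = True
            self.alerts_sent += 1   # one email, not one per attempt
            self.alert("login tripwire: %d failures in %ds" % (len(self.failures), self.window))
        return self.tripped

    def block_ip(self, ip):
        self.blocked_ips.add(ip)

    def reset(self):
        """Manually unset the switch; the log itself keeps rolling."""
        self.tripped = False

    def check_request(self, ip):
        """Status to answer a login-page request with: 200, or the blocked status."""
        if ip in self.blocked_ips or self.tripped:
            return self.blocked_status
        return 200
```

In a real deployment the log and the switch would live in the database, as the proposal says, rather than in process memory.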