[wp-hackers] Counting failed logins

ifelse wordswithstyle at gmail.com
Mon Dec 5 16:14:03 GMT 2005


Actually, I'll take back what I said... lack of sleep is not good for the
thought processes :) Sorry guys.

On 12/5/05, ifelse <wordswithstyle at gmail.com> wrote:
>
> Following from this line of thought:
> A brute force dictionary attack may be one of the possible lines of
> attack; To prevent this and a (D)DOS, log all login attempts in an event
> table.
>
> Now, before the display of the login screen, check if the number of
> unsuccessful attempts in a given time unit exceeds some nominal figure
> (i.e. > 100 attempts in an hour time window).
>
> If this is the case, automatically set a 'red-button switch' (i.e. a value
> in DB), send a single email to admin and send a http error code for all
> subsequent login page requests (until this switch is manually unset/time
> elapsed)?
>
> Thoughts?
>
> On 12/5/05, Owen Winkler <ringmaster at midnightcircus.com> wrote:
> >
> > Scott Merrill wrote:
> > > What would constitute an unauthorized capabilities promotion?  That is
> > > to say, how would your plugin know which promotions were authorized
> > > and which weren't?  Will Armor monitor the entire user's table for
> > > permissions, and "do something" when the state changes from one
> > > comparison to the next?
> >
> > That's pretty much exactly what I had in mind.  I was thinking of
> > possibly limiting it to sensitive capabilities, like edit_users, but I'm
> > not sure if it wouldn't be better just to watch for general changes and
> > then alert the admin to them.
> >
> > Perhaps it could even store a backup of permissions, and in the event of
> > an unauthorized change, email the stored admin with a URL to reverse
> > those changes.  I'm dreaming up features, here.
> >
> > > Should there be a record of security events stored in the database, so
> > > that an admin can review recent activity from inside the blog?  I
> > > don't know that it has much long-term value, but I know I generally
> > > despise getting email from my blog.  A long-running attack on a blog
> > > might serve as a DoS against the admin's email account, too.  Yuck.
> >
> > Yeah, I'm not crazy about emails either.  Actually, I hacked that into
> > this plugin when I saw Podz's message.
> >
> > A rolling log would be easy to keep for a preset number of days/events.
> >   It would be simple enough to view, too.
> >
> > A comprehensive logger would also allow you to specify IPs to block
> > based on logged activities.  So if someone tried to hack a login or
> > somehow succeeded in changing security credentials, an admin could click
> > a button to block all further access (via a scripted 412, or maybe a 402
> > ;)  ) from that IP.  That could be part of the plugin, too, a
> > general-purpose IP-blocker with progressive settings like time-delay,
> > easy netblock selection, error code selection, etc.
> >
> > Owen
> >
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>


--
Phu | http://ifelse.co.uk
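The scheme quoted in the message above (log every login attempt in an event table, count the failures in a time window before serving the login form, trip a stored "red-button switch", mail the admin once, and refuse the login page until the switch is cleared or expires) as an added, self-contained example. This is illustrative code written for this page, not part of WordPress or of any plugin discussed in the thread. The table and column names, the thresholds (100 failures per hour, a one-hour lockout), the 503 status used for refused requests and the constructed sample IP are all assumptions; the optional per-IP count reflects Owen's suggestion of blocking by source address rather than globally.

```python
import sqlite3
import time

# Assumed thresholds: the thread's "> 100 attempts in an hour" figure and a
# constructed one-hour lockout after which the switch clears on its own.
MAX_FAILURES = 100
WINDOW_SECONDS = 3600
LOCKOUT_SECONDS = 3600
REFUSED_STATUS = 503  # assumed status code for refused login-page requests

SCHEMA = """
CREATE TABLE IF NOT EXISTS login_events (
    id       INTEGER PRIMARY KEY,
    ts       INTEGER NOT NULL,   -- unix time of the attempt
    ip       TEXT    NOT NULL,   -- source address of the attempt
    username TEXT    NOT NULL,   -- account name that was tried
    success  INTEGER NOT NULL    -- 1 = logged in, 0 = failed
);
CREATE INDEX IF NOT EXISTS login_events_ts ON login_events (success, ts);
CREATE TABLE IF NOT EXISTS settings (
    name  TEXT PRIMARY KEY,
    value TEXT
);
"""


class LoginGuard:
    """Event-table based failed-login counter with a stored lockout switch."""

    def __init__(self, conn, notify):
        self.conn = conn
        self.notify = notify  # callable(message): e.g. send one email to the admin
        conn.executescript(SCHEMA)

    def record_attempt(self, ip, username, success, now=None):
        """Append one login attempt (success or failure) to the event table."""
        now = int(time.time()) if now is None else now
        self.conn.execute(
            "INSERT INTO login_events (ts, ip, username, success) VALUES (?, ?, ?, ?)",
            (now, ip, username, int(success)),
        )
        self.conn.commit()

    def failures_in_window(self, now=None, ip=None):
        """Count failed attempts in the last WINDOW_SECONDS, optionally per source IP."""
        now = int(time.time()) if now is None else now
        sql = "SELECT COUNT(*) FROM login_events WHERE success = 0 AND ts > ?"
        params = [now - WINDOW_SECONDS]
        if ip is not None:
            sql += " AND ip = ?"
            params.append(ip)
        return self.conn.execute(sql, params).fetchone()[0]

    def lockout_until(self):
        """Return the stored switch (unix time until which logins are refused), 0 if unset."""
        row = self.conn.execute(
            "SELECT value FROM settings WHERE name = 'lockout_until'"
        ).fetchone()
        return int(row[0]) if row else 0

    def check_login_page(self, now=None):
        """Run before rendering the login screen; returns the HTTP status to send."""
        now = int(time.time()) if now is None else now
        if self.lockout_until() > now:
            return REFUSED_STATUS  # switch already set: refuse, no further email
        failures = self.failures_in_window(now)
        if failures > MAX_FAILURES:
            # Trip the switch: stored in the DB so every request sees it.
            self.conn.execute(
                "INSERT OR REPLACE INTO settings (name, value) VALUES ('lockout_until', ?)",
                (str(now + LOCKOUT_SECONDS),),
            )
            self.conn.commit()
            # Exactly one notification per trip, because later requests take the
            # early-return branch above instead of reaching this point.
            self.notify(f"login page disabled: {failures} failed logins in the last hour")
            return REFUSED_STATUS
        return 200

    def reset(self):
        """Manual unset of the switch by the admin."""
        self.conn.execute("DELETE FROM settings WHERE name = 'lockout_until'")
        self.conn.commit()


def demo():
    """Constructed scenario: 101 failures inside two minutes from one IP."""
    sent = []
    guard = LoginGuard(sqlite3.connect(":memory:"), sent.append)
    t0 = 1_000_000  # constructed base timestamp
    for i in range(101):
        guard.record_attempt("203.0.113.7", "admin", False, now=t0 + i)  # constructed IP
    first = guard.check_login_page(now=t0 + 200)                    # trips the switch
    second = guard.check_login_page(now=t0 + 300)                   # still refused, no new mail
    later = guard.check_login_page(now=t0 + 200 + LOCKOUT_SECONDS + 1)  # switch expired
    return first, second, later, len(sent)


if __name__ == "__main__":
    print(demo())
```

Counting failures globally, as the quoted proposal does, means a single noisy source can make the login page unavailable to everyone, which is the (D)DoS angle the same message raises; passing `ip=` to `failures_in_window` gives the per-address variant Owen describes, at the cost of an attacker spreading attempts across addresses.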