[wp-hackers] Limit Login Attempts

Michael Donaghy mike at donaghy.biz
Tue Apr 16 15:46:47 UTC 2013


If anyone else is interested, this is what I'm doing to whitelist IPs in
Apache.  The first allow is an example of an IP, and the second is higher
up in the IP block - this is useful for clients whose last number
frequently changes.

file: pre_virtualhost_global.conf

<Files wp-login.php>
# Apache 2.2 access control (mod_authz_host): Deny rules are evaluated
# first, then Allow rules; anything matching an Allow gets through
order deny,allow
deny from all
# one specific client address
allow from 11.22.33.44
# partial address: matches every host in 11.22.33.0/24
allow from 11.22.33
</Files>
<Location /wp-admin/>
order deny,allow
deny from all
allow from 11.22.33.44
allow from 11.22.33
</Location>

On Tue, Apr 16, 2013 at 11:42 AM, Dre Armeda <dre at armeda.com> wrote:

> The most effective way to limit issues is at the edge. Unique passwords
> will thwart the attack from getting in, but that doesn't account for
> resource handling. If you can limit the amount of traffic from ever getting
> to the box, you're in a better place. Find out what your host is doing to
> limit larger scale brute force attacks, that's your best bet.
>
> Dre
>
>> Chip Bennett <chip at chipbennett.net>
>> April 16, 2013 12:39 PM
>>
>> "Does that overlook something important?"
>>
>> Well, unless you whitelist your own IP address to bypass the login
>> lockout,
>> then if the brute-force attack attacks your actual username, you could
>> find
>> yourself locked out of your own site.
>>
>> Another solution is to .htaccess whitelist your own IP address for
>> wp-login.php, but that may not exactly be a low-maintenance solution
>> (dynamic IP addresses, logging in from multiple locations/IP
>> addresses/devices, etc.).
>>
>>
>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>> onlyunusedname <onlyunusedname at gmail.com>
>> April 16, 2013 12:32 PM
>>
>> I've been using something similar to what Jesse describes: limiting
>> attempts based on username so that I may disregard IP. Does that overlook
>> something important?
>>
>>
>> Tom Barrett <tcbarrett at gmail.com>
>> April 16, 2013 12:30 PM
>>
>> Is there any way to set up a collective pool, a global 'limit login
>> attempts blacklist'?
>>
>>
>>
>>
>>
>> Chip Bennett <chip at chipbennett.net>
>> April 16, 2013 12:25 PM
>>
>> I agree that Limit Login Attempts is useful, and does block single-IP
>> brute-force attacks. (I use, and love, Limit Login Attempts.)
>>
>> But this particular botnet has demonstrated the ability to vary the IP
>> address used to brute-force a given site. That behavior, IIRC, has been
>> observed in the wild.
>>
>> My caution in adding Limit Login Attempts to core in response to this
>> attack is that it would give a false sense of security, WRT both
>> brute-force login attempts and DDoS.
>>
>>
>> Chris Williams <chris at clwill.com>
>> April 16, 2013 12:14 PM
>>
>> Because if you only allow each IP four (Five? Six?) login attempts per
>> day, you essentially stop them all.
>>
>> In my log analysis, it's not the case that each IP only makes a few
>> attempts. They try hundreds/thousands. Now they are hitting my block,
>> which requires a block of four attempts four times (16 total hits in a one
>> day period).
>>
>> If you look at the analysis on this, it all says something like "at 1000
>> attempts/minute it takes only N days to crack your short password". Well,
>> at 4 attempts/day, that number becomes millennia.
>>
>> More to the point, why NOT do this? It doesn't require everyone to change
>> their password. It doesn't require everyone to remove the "admin"
>> account. It doesn't require any changes at all, yet helps protect even the
>> most lax of password choosers.
>>
>>
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
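The thread above weighs three controls: the per-IP daily limit Chris Williams describes, the per-username limit onlyunusedname uses (with the self-lockout risk Chip Bennett points out), and the IP whitelist that Michael Donaghy's Apache config implements. The Python below is an added example, not code from the list, from the Limit Login Attempts plugin or from WordPress; it combines all three in one throttle so the trade-offs can be run side by side. The `LoginThrottle` class, the limits and window length, and the sample addresses (RFC 5737 documentation ranges plus the 11.22.33.x prefix from the config) are assumptions constructed for the example; the `/24` network stands in for Apache's partial-address `allow from 11.22.33`.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Policy values are assumptions for this example. Chris Williams mentions
# about four attempts per IP per day; the per-username figure is made up.
MAX_PER_IP = 4
MAX_PER_USER = 10
WINDOW_SECONDS = 24 * 60 * 60


class LoginThrottle:
    """Hypothetical failed-login throttle (not the Limit Login Attempts plugin).

    Counts failures per client IP and per username inside a sliding window.
    Addresses on the allowlist skip both counters, which is what keeps the
    site owner from being locked out when a botnet targets their username
    from many different IPs.
    """

    def __init__(self, allow_prefixes, max_per_ip=MAX_PER_IP,
                 max_per_user=MAX_PER_USER, window=WINDOW_SECONDS):
        # CIDR strings; "11.22.33.0/24" plays the role of Apache's partial
        # "allow from 11.22.33" in the config above.
        self.allow = [ip_network(p) for p in allow_prefixes]
        self.max_per_ip = max_per_ip
        self.max_per_user = max_per_user
        self.window = window
        self.ip_failures = defaultdict(list)    # ip -> failure timestamps
        self.user_failures = defaultdict(list)  # username -> failure timestamps

    def _recent(self, events, now):
        """Drop failures older than the window and return what is left."""
        cutoff = now - self.window
        events[:] = [t for t in events if t > cutoff]
        return events

    def is_allowlisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.allow)

    def check(self, ip, username, now):
        """Decide before the password is verified. Returns (allowed, reason)."""
        if self.is_allowlisted(ip):
            return True, "allowlisted"
        if len(self._recent(self.ip_failures[ip], now)) >= self.max_per_ip:
            return False, "ip-locked"
        if len(self._recent(self.user_failures[username], now)) >= self.max_per_user:
            return False, "user-locked"
        return True, "ok"

    def record_failure(self, ip, username, now):
        """Call after a password check fails; both counters advance."""
        self.ip_failures[ip].append(now)
        self.user_failures[username].append(now)


def simulate_single_ip(attempts=6):
    """Constructed scenario: one address hammers several usernames."""
    throttle = LoginThrottle([])
    ip = "203.0.113.5"  # RFC 5737 documentation address, constructed
    outcomes = []
    for i in range(attempts):
        allowed, reason = throttle.check(ip, f"user{i}", float(i))
        outcomes.append(reason)
        if allowed:
            throttle.record_failure(ip, f"user{i}", float(i))
    # once the window has passed, the address gets its quota back
    later = throttle.check(ip, "user0", float(WINDOW_SECONDS + 10))
    return outcomes, later


def simulate_rotating_botnet(attempts=40):
    """Constructed scenario: a fresh IP for every guess against 'admin',
    then the owner tries to log in from home (allowlisted) and elsewhere."""
    throttle = LoginThrottle(["11.22.33.44/32", "11.22.33.0/24"])
    counts = {"ok": 0, "ip-locked": 0, "user-locked": 0}
    for i in range(attempts):
        ip = f"203.0.113.{i + 1}"  # constructed, never repeats
        allowed, reason = throttle.check(ip, "admin", float(i))
        counts[reason] += 1
        if allowed:
            throttle.record_failure(ip, "admin", float(i))  # wrong guess
    owner_home = throttle.check("11.22.33.77", "admin", float(attempts))
    owner_elsewhere = throttle.check("198.51.100.9", "admin", float(attempts))
    return counts, owner_home, owner_elsewhere


if __name__ == "__main__":
    print(simulate_single_ip())
    print(simulate_rotating_botnet())
```

Running it shows both halves of the discussion: a single address is cut off after four failures regardless of which usernames it tries, while a botnet that rotates addresses never trips the per-IP counter and is stopped only by the per-username counter. That same counter then locks the real owner out from any address not on the allowlist, which is exactly the maintenance burden (dynamic IPs, multiple locations) Chip Bennett raises against relying on the whitelist alone.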

