WordPress.org

Ready to get started?Download WordPress

Forums

Limit Login Attempts
Keeps Trying Lock Out My Server IP (10 posts)

  1. PositiveMostOfTheTime
    Member
    Posted 2 years ago #

    Hi,

    It doesn't happen everyday. But occasionally Limit Login sends me an email with a too many login attempts from my own server IP. It always includes the password attempted as 123123123...Any idea why this happens?

    http://wordpress.org/extend/plugins/limit-login-attempts/

  2. PositiveMostOfTheTime
    Member
    Posted 2 years ago #

    Also it happens after I've logged in to work on my site. Then later I will get the email as stated above. No I've never made a mistake when logging in...so it's not from me putting incorrect user and password info.

  3. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    Make sure you have correct setting for reverse proxy.

    If your site is behind a reverse proxy on the same computer (if you use Varnish for example) it will appear that all login attempts are from the server IP.

    Please check the information in the site connection option on the plugin settings page.

    (There shouldn't be any passwords in the notification email, I guess you mean "last user attempted")

  4. PositiveMostOfTheTime
    Member
    Posted 2 years ago #

    Hi Johanee,

    Thanks for the reply...yes I meant "last user attempted" I will check as suggested.

    Thank you...great plug in...do you have a site for donations?

  5. Vezado
    Member
    Posted 2 years ago #

    I'm getting the same thing on my site, but I've only had it occur once. I'm using "Simple Login Log" and noticed this yesterday. The username was 123123123123123, IP was my server, and user agent was WordPress/3.2.1; https://www.mydomain.org

    It was a failed login, but only 1 and didn't trigger a lockout like PositiveMostOfTheTime experienced.

    Reverse proxy settings are correct.

  6. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    Ok, interesting. I'll investigate this further.

    I assume the site is not behind a reverse proxy on the same server?

    Do you use HTTPS for the whole site, or only for login / admin?

    I do not actually think it is possible to spoof a HTTP connection using the target IP, so the login attempt is probably made from the server itself.

    Is it a shared server?

  7. Vezado
    Member
    Posted 2 years ago #

    Ok, interesting. I'll investigate this further.

    I assume the site is not behind a reverse proxy on the same server?

    I don't believe so, most IPs are correct in the log and it is detected as a direct connection by the plugin. I'm on the Dreamhost cheapo package and to my knowledge it is not a reverse proxy connection. Wouldn't the entire log be the server's IP if it was a reverse proxy and misconfigured?

    Do you use HTTPS for the whole site, or only for login / admin?

    The full site, using "WordPress HTTPS" plugin

    I do not actually think it is possible to spoof a HTTP connection using the target IP, so the login attempt is probably made from the server itself.

    Is it a shared server?

    Yes

  8. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    Yeah, probably no proxy we need to be concerned about.

    Is it shared IP hosting? Meaning you'll probably have a shared SSL for example.

  9. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    Do you have access to web server logs?

    Could you find (grep) for "wp-login.php"?

  10. Vezado
    Member
    Posted 2 years ago #

    SSL cert is private.

    I can get access.log files, what specifically should i look for there?

    Here's everything that happened during the time of that login fail:

    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:22 -0800] "POST /wp-login.php HTTP/1.0" 200 5443 "-" "WordPress/3.2.1; https://www.mydomain.com"
    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:22 -0800] "GET /?flnh3vwodn4nk8ny0fg4z52kh22kvw1rxjojri9h4qv4cchqd9eval(6kz6ppvuwerpohz3goze86cldgemku08ignzb5qcbd8ciakz9j HTTP/1.0" 403 3726 "-" "WordPress/3.2.1; https://www.mydomain.com"
    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:23 -0800] "GET /?ywolbotwzybj3pxjmc310h9ula5ckukjyc2z55dthpkf33uzo3base64(w0cp67rhxj0po0nyttg0x786wsydiesd3b4giku1bk3nw7jgc8 HTTP/1.0" 403 3726 "-" "WordPress/3.2.1; https://www.mydomain.com"
    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:23 -0800] "GET /wp-content/uploads/ HTTP/1.0" 302 3966 "-" "WordPress/3.2.1; https://www.mydomain.com"
    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:23 -0800] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.com%2Fwp-content%2Fuploads%2F&reauth=1 HTTP/1.0" 200 1819 "-" "WordPress/3.2.1; https://www.mydomain.com"
    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:24 -0800] "GET / HTTP/1.0" 302 3950 "-" "WordPress/3.2.1; https://www.mydomain.com"
    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:24 -0800] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.com%2F&reauth=1 HTTP/1.0" 200 1819 "-" "WordPress/3.2.1; https://www.mydomain.com"
    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:24 -0800] "GET / HTTP/1.0" 302 3966 "-" "WordPress/3.2.1; https://www.mydomain.com"
    xxx.xxx.xxx.xxx - - [29/Nov/2011:21:04:25 -0800] "GET /wp-login.php?redirect_to=https%3A%2F%2Fwww.mydomain.com%2F&reauth=1 HTTP/1.0" 200 1819 "-" "WordPress/3.2.1; https://www.mydomain.com"

    xxx.xxx.xxx.xxx being the IP of the server at that time

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic