Login Security Solution
[resolved] Feature request: Auto-block IP range (12 posts)

  1. Bozz
    Member
    Posted 1 year ago #

    Hi! Again thanks for the great plugin.

    We're finding we have to block IP ranges (via cpanel block IP range feature) rather frequently. It would be amazing if IP blocking was incorporated into this plugin. Either automatically triggered after X number or at least managed in the WP backend.

    Thanks for the consideration!

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hey Steve:

    LSS already does automatic blocking for network IP addresses. What do you gain by blocking them via cPanel/firewall/etc? Can you please clarify what you're seeking?

    Thanks,

    --Dan

  3. Bozz
    Member
    Posted 1 year ago #

    I didn't realize this -- is there a list of all blocked IPs somewhere? We've been receiving the SITE IS UNDER ATTACK emails and using the IP range to block the IPs via cpanel. I guess I don't understand when and how LSS does the blocking or how to review which IPs are blocked. Thanks!

  4. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    The data is stored in the <prefix>login_security_solution_fail table. The plugin doesn't have a user interface to view it, but you can run your own queries if you're curious.

    As long as the "Breach Email Confirm" is set to a reasonable number, attackers are blocked from actually getting in. In the unlikely event they do get lucky, LSS will force them out and require the actual user to verify their identity via the password reset process.

    The plugin's verbosity freaks people out. I've been scaling that back in recent releases. Right now emails are sent each time the attack count is a modulus of "Failure Notification" setting. Maybe I should just have one email go out when the threshold is reached and that's it. What do you think?

  5. Bozz
    Member
    Posted 1 year ago #

    Thanks for the thorough explanation. I would suggest adding to the email a notification that the IP range has been blocked permanently. I could understand from the email that the attempts were being delayed, it wasn't clear that any IPs were actually blocked.

    I personally find it interesting to learn whether an IP user tried 30 or 120 times (for instance).

  6. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    For the record, it's not a permanent ban. The length of time is determined by the "Match Time" setting.

    For the email preferences, perhaps I'll add an option for admins to choose if they want one notification or repeated notifications.
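A constructed model of the blocking and notification behaviour Dan describes in posts 4 and 6 (failures counted per component inside the "Match Time" window, logins slowed once a count crosses a threshold, an email each time a count is a multiple of "Failure Notification", or just once per attack). This is added illustration, not the plugin's code; the threshold values, the `/24` reduction of the "Network IP" and the rule details are assumptions.

```python
from collections import defaultdict, deque

# Constructed model of the behaviour described in this thread; it is not the
# plugin's code. Setting names mirror the thread's labels, but the values and
# the exact rules are assumptions made for illustration.
MATCH_TIME = 120 * 60      # "Match Time": seconds a failure stays counted
BREACH_THRESHOLD = 5       # failures per component before logins are slowed
FAILURE_NOTIFICATION = 20  # email each time a count is a multiple of this


def network_ip(addr):
    """Reduce an IPv4 address to the network the email reports (a.b.c)."""
    return ".".join(addr.split(".")[:3])


class FailTracker:
    def __init__(self, match_time=MATCH_TIME, breach=BREACH_THRESHOLD,
                 notify_every=FAILURE_NOTIFICATION, notify_once=False):
        self.match_time, self.breach = match_time, breach
        self.notify_every, self.notify_once = notify_every, notify_once
        self.fails = defaultdict(deque)  # component -> failure timestamps
        self.notified = set()            # components already emailed

    def count(self, component, now):
        """Failures for a component inside the Match Time window."""
        q = self.fails[component]
        while q and now - q[0] > self.match_time:
            q.popleft()                  # expired: the block lapses with it
        return len(q)

    def record_failure(self, now, addr, username, pw_md5):
        """Log one failed login; return (slowed, notify, per-component counts)."""
        counts = {}
        for comp in ("ip:" + network_ip(addr), "user:" + username, "pw:" + pw_md5):
            self.fails[comp].append(now)
            counts[comp] = self.count(comp, now)
        # Any component over the threshold => this attempt is made very slow.
        slowed = any(c >= self.breach for c in counts.values())
        notify = False
        for comp, c in counts.items():
            if c < self.breach or c % self.notify_every:
                continue                 # not a notification point
            if self.notify_once and comp in self.notified:
                continue                 # 0.32.0 option: one email per attack
            self.notified.add(comp)
            notify = True
        return slowed, notify, counts


def simulate(n, notify_once=False, step=1):
    """Drive n failures from one network against 'admin'; return notify indexes."""
    t = FailTracker(notify_once=notify_once)
    return [i for i in range(n)
            if t.record_failure(i * step, "203.0.113.7", "admin", "h%d" % i)[1]]
```

Spacing the failures more than Match Time apart (`simulate(40, step=10000)`) never reaches a notification point, which is the "not a permanent ban" behaviour post 6 describes.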

  7. Bozz
    Member
    Posted 1 year ago #

    This is the part that could use some clarification:

    The Login Security Solution plugin (0.30.0) for WordPress is repelling the attack by making their login failures take a very long time.

    Note it doesn't say anything about blocked IP, length of block, etc. -- just that the failures are taking a long time. More specifics here would be a welcome addition.

    Again, thanks for the fantastic plugin!

  8. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    The length of time is mentioned at the top of the email. If an attacker gets in, a separate email is sent explaining that they were booted out and the password reset.

    Are you suggesting the passage you quoted include some text saying something like "Don't worry, even if they do get in, they'll be immediately ejected."?

  9. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    For the email preferences, perhaps I'll add an option for admins to choose if they want one notification or repeated notifications.

    This has been added in the new release, 0.32.0.

    There's also new text in the readme about how this plugin blocks attackers.

    Bozz: I'm still curious what you think about enhancements needed, if any, to the notification emails.

  10. Bozz
    Member
    Posted 1 year ago #

    Hi Daniel--

    Thanks for asking. I don't see anywhere in here that says "this IP is now blocked" -- only that the attempts are being delayed -- here is the full email I receive below.

    I'd be looking for something like "This IP is now blocked from logging in for xx (mins/days/weeks)"

    Your website, WEBSITE, is undergoing a brute force attack.
    
    There have been at least 160 failed attempts to log in during the past 120 minutes that used one or more of the following components:
    
    Component                    Count     Value from Current Attempt
    ------------------------     -----     --------------------------------
    Network IP                     122     111.222.333
    Username                       160     xxxx
    Password MD5                     1     xxxx
    
    The Login Security Solution plugin for WordPress is repelling the attack by making their login failures take a very long time.

    I really appreciate the continuous improvements, thanks Daniel!

  11. Bozz
    Member
    Posted 1 year ago #

    Over time it would be great to see permanent IP bans, and some sort of interface to manage them, incorporated into the plugin.

  12. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Hi Steve:

    Release 0.33.0 includes some new text in the login failure notifications saying that the attacker will be blocked and that the given email will be the last one for the current attack. Both are conditional, being added or not depending on the settings in use at the time.

    I'd rather not complicate things with a permanent IP ban listing/UI. At least at this point.

    Thanks again,

    --Dan

    PS: when you get a chance, please give 0.33.0 a "works" vote.

Topic Closed

This topic has been closed to new replies.
