WordPress.org

Ready to get started?Download WordPress

Forums

Login Security Solution
[resolved] Locked out if Attacked (13 posts)

  1. The Beholder
    Member
    Posted 2 years ago #

    My site just underwent a brute force attack and I discovered a problem with your plugin.

    Because it was a brute force attack, when I tried to login (different IP address than the attack), Login Security Solutions wanted to reset my password. This is fine in theory, but then LSS thought my site had been hacked because of the attack, so it tried to have me reset my password again...

    Now, I disabled the plugin and was able to login, enabling Login Lockdown to prevent such thing in the future, but If the attack never stops, how can one login and fix things if your plugin stops you from rightfully logging in? Maybe you should track the last successful IP addresses, of if they change IP addresses and login correctly then allow it, of lockout an attacking IP address like login lockdown.

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Beholder:

    The plugin does not change passwords just because an attack is taking place. It only changes a user's password if, upon the specific user logging in, the user name, passsword and/or network component of the IP address match those used by the attacker during the past "Match Time" minutes. The attacker was probably coming in with your user name. What's your user name?

    You mentioned having to change your password twice. Were both times right after logging in? That would mean the attack is ongoing.

    IP addresses can't be relied on for much. Attackers can forge or change IPs. Users come in from different places. I'll think about remembering existing user's IP's.

    Thanks,

    --Dan

  3. The Beholder
    Member
    Posted 2 years ago #

    Yes, that was my point. If the attacker is hitting any account, it makes it impossible to login, even if you request a password change.

    In my case I had 559 attempts in 120 minutes. When I realized it was happening, I tried to login after a password change but, because there were 500+ attempts in the cue, I was still locked out.

    The way LLS works, I'd have to wait 120 minutes after the attack finished before I could login because the cue would say an attack was going on.

    As things stand, the only ways around this is to have a "secret" admin account backdoor (not the best solution as two access points are worse than one), disabling the plugin to login, or waiting for the attack to finish and the cue to expire (which seems silly for an auto attack which may never need to finish).

    BTW, the attacking IP address was faked, but it didn't change throughout the attack.

    Login lockdown should eliminate this particular attack as it will temporarily shutdown the IP address, but it won't do anything if they randomize the incoming IP address.

  4. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    I see there are a couple Catch 22's in the code. I'll work on them.

  5. kyferez
    Member
    Posted 2 years ago #

    Yes, I just had this exact same situation. Also, I just updated to v0.17.0

    However I found the attack against my admin account had ended, so I tried to login again. It required password change. Done. Tried to login again and it sees that login as an intrustion and logs me back out. Then I try to login and it requires a password change. Thus begins the infinite loop.

    The primary problem here is that when the password is changed, it needs to (but fails to) reset whatever database field is set to tell the system my account is being attacked.

    Does that make sense?

  6. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    This problem has been addressed in release 0.18.0. Thanks for the report. Please let me know how it goes.

  7. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Folks:

    Sorry to be so crass, but could y'all please be so kind as to rate this plugin, give it a "works" vote, and make a donation? It'd be a big help.

    Thanks,

    --Dan

  8. billybitmap
    Member
    Posted 1 year ago #

    I'm having a similar problem.

    I just installed the plugin today. (I have a multisite installation. My username is not "admin".)

    After I change my password the plugin starts to get suspicious. I'm using a static IP address and I did a little testing earlier in the day. The plugin thinks that someone with my ID and IP address has failed to authenticate 11 or 12 times in the last couple hours, so it bugs out.

    That's completely understandable.

    I reset my password using the email link that the plugin sends me. However, when I try to log in with the new password, it just tells me the same thing as before and tries to make me change my password again.

    Need some advice here. :)

  9. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Billy:

    Since you did the testing from the same IP address you're trying to log in from, the LSS thinks you're an attacker. And rightfully so. That means the password reset process isn't going to help you.

    If you have the ability to run queries directly against the database, you can drop the records in the login solution fail table.

    --Dan

  10. billybitmap
    Member
    Posted 1 year ago #

    Thanks Dan.

    I waited and was able to update my password and log in after the test entries were outside the default 120 minute window.

    To help avoid lockouts at work, I've upped the threshold for locking out an account to 50 (instead of 6). I figure I can probably reduce it again later, after we get everything running smoothly.

    Thanks for getting back to me. I appreciate it.

  11. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Billy: Glad it's sorted out. When you get a chance, ratings, "works" votes and financial contributions are always appreciated, please. --Dan

  12. pha3z
    Member
    Posted 1 year ago #

    Hey Dan,

    You mentioned IP forgery is a real threat. So what happens if an attacker forges a wide set of legitimate IPs? Real users from the legitimate IPs end up getting blocked?

    Exactly how does this IP forgery work anyway? Because if the IP is forged, how could the server even be able to communicate back to the source of forgery? The guy at the other end wouldn't be able to get a response.

  13. Daniel Convissor
    Member
    Plugin Author

    Posted 1 year ago #

    Pha3z: You're correct. And yes, a forgery won't get a reply, but one doesn't need a reply to wage a DDOS or login attack. --Dan

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.