Limit Login Attempts
SCARY! Limit Login Attempts lockout bypassed? (42 posts)

  1. JamesBB
    Member
    Posted 2 years ago #

    Hi there!

    Yesterday I got brute force attacks on my site and although I had "Limit Login Attempts" (v1.6.2) activated, the same IP could go on trying to log in (?)
    I got mail alerts telling me the IP number was locked out, but it seems the guy (bot?) could go on trying immediately from the same IP, just ignoring the plugin (?)

    All the mails below arrived at the same time.
    Even if it was my mail server that did not do the job, how can emails still keep on coming when the IP is supposed to be locked out twice for 6 hours? Please see below:

    ***********************************
    3 failed login attempts (1 lockout(s)) from IP: 94.73.238.234
    Last user attempted: admin
    IP was blocked for 45 minutes
    -----------------------------
    6 failed login attempts (2 lockout(s)) from IP: 94.73.238.234
    Last user attempted: admin
    IP was blocked for 6 hours
    -----------------------------
    3 failed login attempts (1 lockout(s)) from IP: 94.73.238.234
    Last user attempted: admin
    IP was blocked for 45 minutes
    -----------------------------
    6 failed login attempts (2 lockout(s)) from IP: 94.73.238.234
    Last user attempted: admin
    IP was blocked for 6 hours
    -----------------------------

    ALL THE MAILS ABOVE ARRIVED IN MY MAILBOX AT THE SAME TIME WITH SAME DATE AND HOUR.
    So if Limit Login Attempts worked, how can that have happened?
    There should have been more than 12 hours between the first and last lockout(!)

    I use WP 3.2.1 and just updated the LLA plugin from v1.6.2 to v1.7.0.
    I of course finally excluded the concerned IP along with others in my .htaccess file, but I am wondering now if the Limit Login Attempts plugin can be bypassed by some shady technique?

    What if the guy (bot) retries again tonight from another IP? Can this finally damage my database?

    THANK YOU for your help and concern!

    Jamy

    http://wordpress.org/extend/plugins/limit-login-attempts/

  2. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    Hi,

    As far as I know there is no way to get around the enforcement, so I would be really interested in investigating this further.

    Do you have any kind of access log for the time period to show what access the IP in question was doing?

    Do you otherwise get working lockouts?

    Would you be willing to run a version of the plugin with some extra checks to help us understand what is happening here?

    Please contact me at johan.eenfeldt@kostdoktorn.se to investigate this further.

  3. JamesBB
    Member
    Posted 2 years ago #

    Hi Johan,

    THANK YOU very much for your quick answer/concern.
    Yes, I could not believe it either, especially as I tried to lock myself out a week ago and everything worked perfectly.

    I am currently investigating to see if I can get more elements...
    I keep your email and will inform you about that.

    Thanks again!
    Jamy

  4. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    As there has been no further development for a week I'll mark this topic as resolved for now.

    If you have any further information please send me an e-mail.

  5. JamesBB
    Member
    Posted 2 years ago #

    Hi Johan,

    I tried to get more elements about what happened but unfortunately could not get much more...
    In the meanwhile I had banned a full range of IPs from Russia, which I guess hosts a certain number of unprotected servers used by bots, etc.
    I also increased my lockout time to 120 minutes (after 3 wrong passwords).

    I was waiting to see if this situation would occur again but did not see anything coming until now.
    So right now I'm on standby. If anything happens again I should have more elements and I will install the plugin with some extra checks.

    I'll keep you informed and will drop you an email if anything similar happens again.
    THANK YOU very much for your quick answer/concern!

    J.

  6. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    I've finally found an explanation for this.

    There was a bug that allowed an attacker to keep trying "auth cookies" even during lockout.

    See changelog of new release for more details.

    And thank you for the report which started this.

  7. Simon Wheatley
    Code for the People
    Posted 2 years ago #

    Hi Johan,

    Thanks for getting onto this issue quickly. I think I've found a minor misunderstanding in the fix code relating to action priorities. WordPress handles actions on a single hook in ascending order of priority index; so functions which hook an action at a priority of 1 get run before functions which hook an action at a priority of 10.

    Here's some code to test that assertion:

    // Two callbacks on the same hook, registered at very different priorities.
    function test_plugins_loaded_99999() {
    	error_log( "Priority was 99999" );
    }
    function test_plugins_loaded_0() {
    	error_log( "Priority was 0" );
    }
    // Registration order is deliberately the reverse of priority order,
    // so the log shows which one WordPress actually honours.
    add_action( 'plugins_loaded', 'test_plugins_loaded_99999', 99999 );
    add_action( 'plugins_loaded', 'test_plugins_loaded_0', 0 );

    Here's a snippet from my error log in running WordPress with those actions in a plugin:

    [06-Jun-2012 11:45:52 UTC] Priority was 0
    [06-Jun-2012 11:45:52 UTC] Priority was 99999

    In the code comment on limit_login_handle_cookies you explain "Must be called in plugin_loaded (really early) to make sure we do not allow auth cookies while locked out." However this function is hooked on the plugins_loaded action with a priority of 99999, which means it's actually running really late. As I understand it, this would only cause an issue if other plugins were doing things with cookies/auth on the plugins_loaded hook…?

    Hope this all makes sense, and thanks again.

    Best regards,

    Simon

  8. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    Hi,

    You are right, somewhat. I'll fix up the priority, but as you say it does not really matter. The important thing is that it runs during the plugins_loaded action instead of the init action. The latter is after WP core first parses the auth cookie. That was the bug introduced in 1.6.2.

    The comment is supposed to describe the fact that the plugins_loaded action is the earliest standard action available.

    I'll continue looking at this. We might still have theoretical trouble if a plugin or theme uses certain functions on their file load.

  9. M Asif Rahman
    Member
    Posted 2 years ago #

    It seems resolved after version 1.7.1 released.

    But still, multiple tries could happen, maybe just bypassing the auth cookie.

    How about keeping the IP and username in a table, and blocking the IP in the first place after lockout?

    And what about a site behind a proxy?

  10. dankrosso
    Member
    Posted 2 years ago #

    Using 1.7.1 of the plugin and I too have experienced a similar issue to the original poster, in that last night I received almost 60 attempts from the same IP address to login to my site.

    This despite only allowing 3 retries...

    The plugin seems to do its fundamental job, but something is clearly not working as intended when it comes to locking users/bots out after a certain number of tries?

  11. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    Can you check what URLs were attempted from the access log?

    Do you still get attempts? Would you be willing to run some testcode to figure out what is going on?

  12. dankrosso
    Member
    Posted 2 years ago #

    It looks like my /wp-login.php page took a hammering.

    I've had it happen again this afternoon at 16:49 BST. Twelve attempts from the same IP address at the same time.

    Yes, I would be willing to run some testcode.

  13. JamesBB
    Member
    Posted 2 years ago #

    Hello Johan,

    Like dankrosso, I also had another brute force attack last night while using the plugin's latest version (v1.7.1).
    I emailed you all the elements I have right now in order to help find out.

    Thank you.
    R.

  14. johanee
    Member
    Plugin Author

    Posted 2 years ago #

    I'll be working on this tomorrow afternoon CET (no computer access right now).

  15. bcwp
    Member
    Posted 2 years ago #

    Thanks for looking into this. I manage several WordPress websites across different hosts, and I've noticed a huge increase of brute force attacks in the last week against all of my sites.

    I use the Limit Login Attempts plugin on each of them, and I've noticed that some IPs continually circumvent the lockout period.

    They're always targeting the "admin" account, which I never leave as "admin". I know they're using proxy servers, and it's probably one or two people behind 99% the attacks we're seeing, but we should at least force them to exhaust their allocated IPs.

    A cool "opt-in" feature for Limit Login Attempts would be a master log that keeps track of all the locked-out IPs from all of the participating websites. If we could boil it down to a specific set of distinct addresses in a given period of time, we would know which IPs to block, even before they attack. Plus, we'd have a better chance of reporting these guys to the authorities.

    Yes, they could always get another block of IP addresses or change proxy providers, but at least they'd have to work harder.

  16. JamesBB
    Member
    Posted 2 years ago #

    Hi everyone!

    Maybe not the exact place to discuss options etc., but the subject and plugin are so interesting we might one day have to open a forum somewhere :-)

    Just to say that excluding IPs can slow down the annoyances, but I didn't find this solution very efficient after working on it...
    I have several vBulletin forums and it is unfortunately the most attacked forum script on the market, especially as one must pay a considerable amount of money to remove their famous "Powered by vBulletin" line :-(
    Displaying their brand acts like a strong message saying "Try hacking/spamming me!" :-(
    Now some VB forums ask users to fill in up to 4 different types of captcha to avoid bots (write what you see, answer a question, calculate this, give the time on the clock)... Wow, when shall we need to fill in a form with our mobile number and then answer an SMS? Bots really succeeded in bothering others so much...

    So for almost 1 year I regularly worked on tracking bots and spam in order to establish an accurate IP ban list for my .htaccess.
    I used many tools, including the convenient "Who's online" inside vBulletin, which works like a live stats script showing who is trying to see/do what and when. I could see (live!) bots trying to bypass the captcha, trying to log in, etc.

    Well, my conclusion is that although there are of course some regions (Russia, Ukraine, etc.) that can be totally banned, as too many servers over there are used for hacking/spam etc., it is also a tough job to block IPs as the bad guys are constantly moving, trying to use any weakness in a server and launching their attacks from there.
    Moreover, I don't see how/where we can report these guys or IPs... I mean, even multi-dollar companies with a bunch of lawyers can hardly stop anyone harming them online. So yes, it can slow them down, but...

    I do believe the strongest protection right now would be to correct the (recent) failure of the "limit login" plugin that lets it be bypassed by some bots.
    But yes, a master log would be a cool option and bcwp is right. Who is using admin as a username today? Totally unsafe! So what about an "Exclude Admin user" option (banning immediately any IP using "admin" as the username)... Just an idea! :-)

    A big THANKS to Johan for the precious time spent on this GREAT and USEFUL plugin!

  17. MyInternetScout
    Member
    Posted 2 years ago #

    I'm using the latest Limit Login Attempts... and have had over 1,100 brute force attacks over the course of the last 20 days (on two websites); originating from less than a dozen IPs. Also, the logging is completely inaccurate. Fortunately, I've hardened my site with other methods/practices creating layers of protection. However, this plugin is now as effective as a canoe made from a screen door.

    When should we expect a patch for this plugin? The option to limit attacks on a geographical level would be awesome...

    As someone who does WordPress presentations for other professionals, I can say a significant percentage (over 40% in Silicon Valley) of small businesses STILL use 'admin' as their user login name. "...but 'admin' is the WordPress default...," business owners say to me, in just recent weeks.

    Why isn't Automattic or the WordPress Foundation addressing this security flaw?? This is crazy. It doesn't have to be this difficult; and being a security company isn't the business model for most of us.

  18. Daniel Convissor
    Member
    Posted 2 years ago #

    Hi Johan:

    I see the existing code is handling the auth_cookie_bad_hash action, but is not set up for the auth_cookie_bad_username action. So users are not protected against horizontal attacks, where the miscreant uses the same hash but changes user names. This is probably why your users are still having problems.

    That aside, it seems like you're doing way too much work with cookies in general. It's not necessary to clear out the cookie. If the person is an attacker, they're coming back with a different cookie anyway. If it's a legit user with a corrupted cookie (unlikely), WP won't let them in and will force them to log in again, at which point they get a new cookie.

    --Dan
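    The two points raised above by Simon (hook on plugins_loaded at an early priority, not init) and by Dan (handle auth_cookie_bad_username as well as auth_cookie_bad_hash) combined into one sketch. This is an added example, not the plugin's own code; the option names and every ll_example_* function name are assumptions, and it relies only on the WordPress functions, actions and cookie constants named in the comments.

```php
<?php
// Added example (not Limit Login Attempts' own code). Option names and all
// ll_example_* names are assumptions made for this illustration.

define( 'LL_EXAMPLE_ALLOWED_FAILURES', 3 );
define( 'LL_EXAMPLE_LOCKOUT_SECONDS', 45 * 60 );

function ll_example_client_ip() {
	// REMOTE_ADDR is right only when WordPress sees the client directly. Behind
	// a reverse proxy it is the proxy's address, so the lockout would hit every
	// visitor; such a site must take the address from the header its proxy sets.
	return $_SERVER['REMOTE_ADDR'];
}

function ll_example_is_locked_out( $ip ) {
	$lockouts = get_option( 'll_example_lockouts', array() );
	return isset( $lockouts[ $ip ] ) && $lockouts[ $ip ] > time();
}

function ll_example_record_failure( $ip ) {
	$failures        = get_option( 'll_example_failures', array() );
	$failures[ $ip ] = isset( $failures[ $ip ] ) ? $failures[ $ip ] + 1 : 1;
	if ( $failures[ $ip ] >= LL_EXAMPLE_ALLOWED_FAILURES ) {
		$lockouts        = get_option( 'll_example_lockouts', array() );
		$lockouts[ $ip ] = time() + LL_EXAMPLE_LOCKOUT_SECONDS;
		update_option( 'll_example_lockouts', $lockouts );
		unset( $failures[ $ip ] );
	}
	update_option( 'll_example_failures', $failures );
}

function ll_example_drop_cookies() {
	// Drop the cookies from this request first: wp_validate_auth_cookie() reads
	// $_COOKIE, so a Set-Cookie header alone would not stop the current request.
	unset( $_COOKIE[ AUTH_COOKIE ], $_COOKIE[ SECURE_AUTH_COOKIE ], $_COOKIE[ LOGGED_IN_COOKIE ] );
	wp_clear_auth_cookie(); // then tell the browser to forget them as well
}

// wp_validate_auth_cookie() fires auth_cookie_bad_hash when the HMAC does not
// verify and auth_cookie_bad_username when the user does not exist. A cookie
// that keeps the hash but rotates the user name only ever triggers the second.
function ll_example_cookie_failed( $cookie_elements ) {
	$ip = ll_example_client_ip();
	ll_example_record_failure( $ip );
	if ( ll_example_is_locked_out( $ip ) ) {
		ll_example_drop_cookies();
	}
}

function ll_example_handle_cookies() {
	if ( ll_example_is_locked_out( ll_example_client_ip() ) ) {
		ll_example_drop_cookies(); // locked out: core must see no credentials
		return;
	}
	add_action( 'auth_cookie_bad_hash',     'll_example_cookie_failed' );
	add_action( 'auth_cookie_bad_username', 'll_example_cookie_failed' );
}

// Priority 0 runs before other plugins_loaded callbacks (ascending order, as the
// error-log test in this thread shows); 'init' is already after the cookie parse.
add_action( 'plugins_loaded', 'll_example_handle_cookies', 0 );
```

    Cookie constants are defined before active plugins are loaded, so they are available at plugins_loaded; the failure counters here are intentionally minimal and do not replace the plugin's own bookkeeping.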

  19. pixelyzed
    Member
    Posted 2 years ago #

    Hi there,

    I also am experiencing repeated brute force attacks with hundreds of attempts within minutes that the 1.7.1 version of the plugin is not blocking. I would be happy to provide any details necessary to track this down, as it's getting tiresome to manually block IP addresses in cPanel, which is pretty futile in the end.

    Thanks!

  20. MyInternetScout
    Member
    Posted 2 years ago #

    Hi Pixelyzed,

    Swap out Limit Login Attempts for a new plugin, Login Security Solution. What I like most about this one is that if the hacker eventually breaches a user/password combination, it automatically logs the [unauthorized] user out and sends an email to the real account holder asking them to change their password before logging in.

    Good luck, Pete.

  21. JamesBB
    Member
    Posted 2 years ago #

    Hi Johan?

    Any chances to find out what is going wrong?
    Thank you for your time!

    Jamy

  22. gurudas prabhu
    Member
    Posted 2 years ago #

    Hi Johan,

    I don't receive any email when there is a lockout. However, the email system works with other plugins on my website (http://www.e-queries.com).

    Thanks
    Guru

  23. JamesBB
    Member
    Posted 1 year ago #

    @MyInternetScout
    A new plugin? But I am on WordPress v3.2.1 and it seems the plugin you are talking about only deals with WP v3.3 or higher :-(

  24. MyInternetScout
    Member
    Posted 1 year ago #

    JamesBB,
    You need to upgrade to WP 3.4.1. There are known security holes in every other older version. Is there a reason you haven't upgraded?

  25. Lucy88
    Member
    Posted 1 year ago #

    You can also easily ban IPs with this plugin: http://wordpress.org/extend/plugins/wp-ban/

  26. JamesBB
    Member
    Posted 1 year ago #

    @MyInternetScout
    Yes, you are right, but there are always new security holes as new code is added :-)
    Anyway, WP 3.2.1 is a pretty stable and safe version.

    When you have a CMS type of site with hundreds of pages + many plugins and tuning, it's still a pain to upgrade every time there's a new release and make sure everything works perfectly.

    Quite a few sites are also in the same situation and don't really feel like permanently updating with all the risks of problems that could pop up. When something runs smoothly and you see your stats going up every day with more users and more backlinks, I prefer to let it go for a while even if I don't have the latest bells and whistles. This is why for some sites I don't upgrade every time a new release goes out, but maybe once a year...

    Hopefully most plugins at least support WP3 versions, not just the latest WP version that went out a few weeks ago.

    Cheers!
    J

  27. andersvinther2
    Member
    Posted 1 year ago #

    @JamesBB: The problem is that once new versions of WordPress are released, the changes made are public information... i.e. it is easy to see which security fixes have been made since, say, 3.2.1 and then exploit those...

    Ex: http://securitywatch.pcmag.com/none/301602-reuters-hacked-again-outdated-wordpress-blog-at-fault

    They use(d) version 3.1.1 but still...

  28. Jan Dembowski

    Quoting andersvinther2: "The problem is that once new versions of WordPress are released the changes made are public information... i.e. it easy to see which security fixes have been made since, say, 3.2.1 and then exploit those..."

    Just to chime in for a bit, you've put the focus on what's not the problem for that specific instance: the problem was that they used an outdated version of WordPress and were compromised as a result.

    Sometimes a vulnerability is identified and patched before someone has apparently exploited it, and when those are discovered a patch is tested and released.

    But more times than not, someone reports something that is already being exploited. Those patches are "Patch now or suffer the consequences!" and notifications are sent, your WordPress dashboard nags you, etc. There have been a few like that and that's a big reason why it's important to maintain your installation and software versions.

  29. JamesBB
    Member
    Posted 1 year ago #

    @andersvinther2 and @Jan Dembowski
    Yes, I totally agree with you both, and I even recommend to anyone around me to keep everything updated, not only WordPress but browsers (Firefox, Chrome, etc.) and whatever other software.
    The case I was referring to was a kind of "closed" CMS without people commenting, not as popular as big sites of course and quite different from the average blog... But anyway, I agree, latest is best...

    Finally, how much do these guys at Reuters get every month to confess such rubbish: "Security Watch checked the HTML source code and found a line in the header code indicating the page had been generated using version 3.1.1. Mark Jaquith, one of the lead developers of WordPress, confirmed that was the case in an email."

    I mean, this is the most basic of basics, known by any kid and beginner in WP blogging, with recommendations published in thousands of posts/articles about WordPress security... "Remove the WP version in header"
    And the supposed pros in a well-known company did not do anything about it? I guess they still use "admin" in their login :-) :-)
    Well, sorry to say, but they deserved to be hacked!

    Cheers!
    J

  30. shamratdewan
    Member
    Posted 1 year ago #

    Hi, I am using the Limit Login Attempts plugin, but I have been seeing login tries 50-60 times even though the IP is in the lockouts list. I set 3 lockouts to trigger the extended lockout time but it's not working either. Can anybody suggest how this is happening? What can I do? The IP that did it 30 mins ago:
    Admin tried to log in to Mysite
    IP ns3.ehosting.biz | 195.190.13.158
    User agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)

    This guy tried more than 60 times in a 10-15 min period. My lockout limit is 2 attempts.
    Please help.
    Thanks

Topic Closed

This topic has been closed to new replies.
