• Hi there!

    Yesterday I got brute force attacks on my site and although I had “Limit Login Attempts” (v1.6.2) activated, the same IP could go on trying to log in (?)
    I got mail alerts telling me the IP number was locked out, but it seems the guy (bot?) could go on trying immediately from the same IP, just ignoring the plugin (?)

    All the mails below arrived at the same time.
    Even if my mail server did not do the job, how can emails still keep on coming when the IP is supposed to be locked out twice for 6 hours? Please see below:

    ***********************************
    3 failed login attempts (1 lockout(s)) from IP: 94.73.238.234
    Last user attempted: admin
    IP was blocked for 45 minutes
    —————————–
    6 failed login attempts (2 lockout(s)) from IP: 94.73.238.234
    Last user attempted: admin
    IP was blocked for 6 hours
    —————————–
    3 failed login attempts (1 lockout(s)) from IP: 94.73.238.234
    Last user attempted: admin
    IP was blocked for 45 minutes
    —————————–
    6 failed login attempts (2 lockout(s)) from IP: 94.73.238.234
    Last user attempted: admin
    IP was blocked for 6 hours
    —————————–

    ALL THE MAILS ABOVE ARRIVED IN MY MAILBOX AT THE SAME TIME, WITH THE SAME DATE AND HOUR.
    So if Limit Login Attempts worked, how can that have happened?
    There should have been more than 12 hours between the first and last lockout(!)

    I use WP 3.2.1 and just updated the LLA plugin from v1.6.2 to v1.7.0.
    Of course I finally excluded the IP concerned, with others, in my HTACCESS file, but I am wondering now if the Limit Login Attempts plugin can be bypassed by some shady technique?

    What if the guy (bot) retries again tonight from another IP? Can this finally damage my database?

    THANK YOU for your help and concern!

    Jamy

    http://wordpress.org/extend/plugins/limit-login-attempts/

Viewing 15 replies - 16 through 30 (of 41 total)
  • I’m using the latest Limit Login Attempts… and have had over 1,100 brute force attacks over the course of the last 20 days (on two websites), originating from fewer than a dozen IPs. Also, the logging is completely inaccurate. Fortunately, I’ve hardened my site with other methods/practices, creating layers of protection. However, this plugin is now as effective as a canoe made from a screen door.

    When should we expect a patch for this plugin? The option to limit attacks on a geographical level would be awesome…

    As someone who does WordPress presentations for other professionals, I can say a significant percentage (over 40% in Silicon Valley) of small businesses STILL use ‘admin’ as their user login name. “…but ‘admin’ is the WordPress default…,” business owners say to me, in just recent weeks.

    Why isn’t Automattic or the WordPress Foundation addressing this security flaw?? This is crazy. It doesn’t have to be this difficult; and being a security company isn’t the business model for most of us.

    Hi Johan:

    I see the existing code is handling the auth_cookie_bad_hash action, but is not set up for the auth_cookie_bad_username action. So users are not protected against horizontal attacks, where the miscreant uses the same hash but changes user names. This is probably why your users are still having problems.

    That aside, it seems like you’re doing way too much work with cookies in general. It’s not necessary to clear out the cookie. If the person is an attacker, they’re coming back with a different cookie anyway. If it’s a legit user with a corrupted cookie (unlikely), WP won’t let them in and will force them to log in again, at which point they get a new cookie.

    –Dan
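As an added illustration of the gap Dan describes (not Dan’s code and not the Limit Login Attempts plugin’s own), this example plugin hooks both auth_cookie_bad_hash and auth_cookie_bad_username so that cookie failures are counted per client IP; the window and threshold values are assumed, not the plugin’s settings:

```php
<?php
/*
Plugin Name: Cookie-auth failure counter (example only)
*/

// Assumed values for this example; not taken from Limit Login Attempts.
define( 'CAF_WINDOW_SECONDS', 45 * 60 );
define( 'CAF_MAX_FAILURES', 4 );

function caf_client_ip() {
    // REMOTE_ADDR is the only address the client cannot simply set in a header.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function caf_transient_key( $ip ) {
    return 'caf_' . md5( $ip );
}

// Both core actions pass the parsed cookie elements (username, expiration, hmac, scheme).
function caf_record_cookie_failure( $cookie_elements ) {
    $ip    = caf_client_ip();
    $key   = caf_transient_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    // The transient expires after the window, which resets the counter.
    set_transient( $key, $count, CAF_WINDOW_SECONDS );

    $user = isset( $cookie_elements['username'] ) ? $cookie_elements['username'] : '?';
    error_log( sprintf( 'bad auth cookie #%d from %s for user "%s" (%s)',
        $count, $ip, $user, current_filter() ) );
}
// Bad hash: same user, wrong HMAC. Bad username: valid-looking cookie, unknown user.
add_action( 'auth_cookie_bad_hash',     'caf_record_cookie_failure' );
add_action( 'auth_cookie_bad_username', 'caf_record_cookie_failure' );

// Once the IP is over the threshold, refuse to accept any cookie from it at all.
function caf_deny_when_locked( $user_id ) {
    $count = (int) get_transient( caf_transient_key( caf_client_ip() ) );
    if ( $count >= CAF_MAX_FAILURES ) {
        return false; // treat the visitor as logged out
    }
    return $user_id;
}
add_filter( 'determine_current_user', 'caf_deny_when_locked', 20 );
```

The counter is keyed only on the IP, so the "horizontal" case (same bad cookie, rotating usernames) is counted exactly like repeated bad hashes for one user.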

    Hi there,

    I also am experiencing repeated brute force attacks with hundreds of attempts within minutes that the 1.7.1 version of the plugin is not blocking. I would be happy to provide any details necessary to track this down, as it’s getting tiresome to manually block IP addresses in cPanel, which is pretty futile in the end.

    Thanks!

    Hi Pixelyzed,

    Swap out Limit Login Attempts for a new plugin, Login Security Solution. What I like most about this one is that if the hacker eventually breaches a user/password combination, it automatically logs the [unauthorized] user out and sends an email to the real account holder asking them to change their password before logging in.

    Good luck, Pete.

    Thread Starter JamesBB

    (@jamesbb)

    Hi Johan?

    Any chances to find out what is going wrong?
    Thank you for your time!

    Jamy

    Hi Johan,

    I don’t receive any email when there is a lockout. However, the email system works with other plugins on my website (http://www.e-queries.com).

    Thanks
    Guru

    Thread Starter JamesBB

    (@jamesbb)

    @myinternetscout
    A new plugin? But I am on WordPress v3.2.1 and it seems the plugin you are talking about only deals with WP v3.3 or higher 🙁

    JamesBB,
    You need to upgrade to WP 3.4.1. There are known security holes in every other older version. Is there a reason you haven’t upgraded?

    You can also easily ban IPs with this plugin: http://wordpress.org/extend/plugins/wp-ban/

    Thread Starter JamesBB

    (@jamesbb)

    @myinternetscout
    Yes, you are right, but there are always new security holes as new code is added 🙂
    Anyway, WP 3.2.1 is a pretty stable and safe version.

    When you have a CMS type of site with hundreds of pages + many plugins and tuning, it’s still a pain to upgrade every time there’s a new release and make sure everything works perfectly.

    Quite a few sites are also in the same situation and don’t really feel like permanently updating, with all the risks of problems that could pop up. When something runs smoothly and you see your stats going up every day with more users and more backlinks, I prefer to let it go for a while even if I don’t have the latest bells and whistles. This is why for some sites I don’t upgrade every time a new release goes out but maybe once a year…

    Hopefully most plugins at least support WP3 versions, not just the latest WP version that went out a few weeks ago.

    Cheers!
    J

    @jamesbb: The problem is that once new versions of WordPress are released the changes made are public information… i.e. it’s easy to see which security fixes have been made since, say, 3.2.1 and then exploit those…

    Ex: http://securitywatch.pcmag.com/none/301602-reuters-hacked-again-outdated-wordpress-blog-at-fault

    They use(d) version 3.1.1 but still…

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    The problem is that once new versions of WordPress are released the changes made are public information… i.e. it’s easy to see which security fixes have been made since, say, 3.2.1 and then exploit those…

    Just to chime in for a bit, you’ve put the focus on what’s not the problem for that specific instance: the problem was that they used an outdated version of WordPress and were compromised as a result.

    Sometimes a vulnerability is identified and patched before someone has apparently exploited it, and when those are discovered a patch is tested and released.

    But more times than not, someone reports something that is already being exploited. Those patches are “Patch now or suffer the consequences!” and notifications are sent, your WordPress dashboard nags you, etc. There have been a few like that, and that’s a big reason why it’s important to maintain your installation and software versions.

    Thread Starter JamesBB

    (@jamesbb)

    @andersvinther2 and @jan Dembowski
    Yes, I totally agree with you both, and I myself recommend to anyone around to keep everything updated, not only WordPress but browsers (Firefox, Chrome, etc.) and whatever software.
    The case I was referring to was a kind of “closed” CMS without people commenting, not as popular as big sites of course and quite different from the average blog… But anyway I agree, latest is best…

    Finally, how much do these guys at Reuters get every month to confess such rubbish: “Security Watch checked the HTML source code and found a line in the header code indicating the page had been generated using version 3.1.1. Mark Jaquith, one of the lead developers of WordPress, confirmed that was the case in an email.”

    I mean, this is the most basic of basics, known by any kid and beginner in WP blogging, with recommendations published in thousands of posts/articles about WordPress security… “Remove the WP version in header”
    And supposedly Pro guys in a well known company did not do anything about it? I guess they still use “admin” in their login 🙂 🙂
    Well, sorry to say, but they deserved to be hacked!

    Cheers!
    J

    Hi, I am using the Limit Login Attempts plugin, but I have been seeing login tries 50-60 times even though the IP is in the lockouts list. I set it to 3 lockouts for the extended lockout time, but it’s not working as well. Can anybody suggest how this is happening? What can I do? The IP that did it 30 mins ago:
    Admin tried to log in to Mysite
    IP ns3.ehosting.biz | 195.190.13.158
    User agent Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2) Gecko/20100115 MRA 5.6 (build 03278) Firefox/3.6 (.NET CLR 3.5.30729)

    This guy tried more than 60 times in a 10-15 min period. My lockout limit is 2 attempts.
    Please help
    Thanks

    Same issue as shamratdewan has happened to me. The IP was locked out however, and login attempts stopped once it was locked. They were able to attempt 30+ logins, but I have the login attempt count set to 6.

  • The topic ‘SCARY! Limit Login Attempts lockout bypassed?’ is closed to new replies.