• p4c

    (@p4c)


    Hi,

    Latest release of ITheme Security

    I’ve seen that the function “Ban IP when trying to log in with the ‘admin’ account” is not working anymore.

    I’ve got a ton of connections from different IPs that try to log in with the “admin” account and are not locked out.

    I’ve tried to deactivate and reactivate this security option and it’s no better.

    Could you help me?

    Thanks,

    https://wordpress.org/plugins/better-wp-security/

Viewing 5 replies - 1 through 5 (of 5 total)
  • dwinden

    (@dwinden)

    @p4c

    First thing to check is on which web server (and version) your site is running.

    You can find this info in the iTSec plugin Dashboard page.
    Scroll down to the System Information metabox, Server Information section, Server Type.

    The Web Server version is probably not displayed as a good hosting provider will prevent this info from being published.

    dwinden

    Thread Starter p4c

    (@p4c)

    Hi,

    It’s running on Apache version 2.4.10

    dwinden

    (@dwinden)

    @p4c

    Ok good.

    Next we need to make sure you have enabled all the required settings for users to be banned permanently in the .htaccess file. So here we go:

    • Global Settings – Write to Files
    • Global Settings – Blacklist Repeat Offender
    • Banned Users – Ban Users
    • Brute Force Protection – Enable local brute force protection
    • Brute Force Protection – Automatically ban “admin” user

    If any of these settings is not currently enabled, enable them now.

    If banning is still not working after enabling all the required settings check your web server error_log for any errors.

    Note that when banning an IP the iTSec plugin will normally add the following lines to the .htaccess file:

    # Ban Hosts - Security > Settings > Banned Users
    SetEnvIF REMOTE_ADDR "^192\.168\.111\.11$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^192\.168\.111\.11$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^192\.168\.111\.11$" DenyAccess

    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all granted
    Require not env DenyAccess
    Require not ip 192.168.111.11
    </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from env=DenyAccess
    Deny from 192.168.111.11
    </IfModule>

    By default an IP will be banned after 3 (temporary) lockouts.
    So it takes 3 invalid login attempts with the admin username to ban the IP. For any other user, 3×5=15 invalid login attempts.

    dwinden

    Thread Starter p4c

    (@p4c)

    Hi,

    Thanks,

    Allow iThemes Security to write to wp-config.php and .htaccess : Activated
    Enable Blacklist Repeat Offender : Activated
    Log Type : Database Only (you suggest file, is it necessary ?)
    Enable ban users : Activated
    Enable local brute force protection : Activated
    Immediately ban a host that attempts to login using the “admin” username: Activated

    I’ve several lines that show that banning users is working:

    # Ban Hosts - Security > Settings > Banned Users
    SetEnvIF REMOTE_ADDR "^5\.105\.195\.148$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^5\.105\.195\.148$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^5\.105\.195\.148$" DenyAccess
    And

    <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from env=DenyAccess
    Deny from 5.105.195.148
    Deny from 37.130.227.133
    Deny from 41.79.60.154
    Deny from 46.119.125.177
    ….

    In the error_log file, I don’t see any error, just:

    [Fri Apr 29 07:32:04.896837 2016] [authz_core:error] [pid 3735] [client 210.213.148.170:11540] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
    [Fri Apr 29 07:36:46.041697 2016] [authz_core:error] [pid 3788] [client 182.56.248.139:21648] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
    [Fri Apr 29 07:38:03.117955 2016] [authz_core:error] [pid 4084] [client 46.236.154.82:55890] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
    [Fri Apr 29 08:22:10.974403 2016] [authz_core:error] [pid 6370] [client 155.133.82.108:43837] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
    [Fri Apr 29 08:33:16.641543 2016] [authz_core:error] [pid 7461] [client 78.48.39.184:54980] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
    [Fri Apr 29 09:00:50.710309 2016] [authz_core:error] [pid 9700] [client 92.85.162.221:49986] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
    [Fri Apr 29 09:13:17.336683 2016] [authz_core:error] [pid 9916] [client 41.200.247.67:41150] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php
    [Fri Apr 29 09:50:41.384263 2016] [authz_core:error] [pid 12945] [client 93.157.175.168:51366] AH01630: client denied by server configuration: /var/www/69desirs/xmlrpc.php

    And I’ve got maybe 300 requests trying to log in with the admin account in maybe 10 minutes. So I think something is going wrong.

    dwinden

    (@dwinden)

    @p4c

    Log Type : Database Only (you suggest file, is it necessary ?)

    I didn’t suggest anything related to this setting … 😉

    Ok, let’s go back to the beginning of this topic.
    What makes you think the banning of IPs that try to log in with the “admin” user is not working?

    Based on the info provided in your last post banning IPs seems to be working fine.
    The error_log clearly shows many IPs trying to access the xmlrpc.php file but being denied access. Probably because these IPs are listed in the Banned Users section of the .htaccess.

    Do the IPs from .htaccess (Ban Users) and error_log correlate ?

    I think you are suffering from an XMLRPC type Brute Force Attack which is distributed over many many many IP addresses.
    So the iTSec plugin is doing its work but login attempts as “admin” user keep hitting your site from different IPs …

    If your site does not need XMLRPC disable it in the WordPress Tweaks section of the iTSec plugin Settings page.
    That will take care of the XMLRPC type Brute Force Attack.

    dwinden
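    dwinden asks whether the IPs in the .htaccess Ban Hosts block and the AH01630 denials in error_log correlate. The following is an added example, not part of the thread or of the iThemes Security plugin, that parses both artifacts in the formats shown above and splits denied clients into those explained by the ban list and those denied by some other rule. The .htaccess and error_log text are constructed samples using RFC 5737 documentation addresses; the function and regex names are my own.

```python
import re
# Constructed samples (not from the thread) of the two artifacts it discusses: the Ban Hosts
# block iThemes Security writes to .htaccess, and Apache error_log AH01630 "client denied" lines.
SAMPLE_HTACCESS = r"""
# Ban Hosts - Security > Settings > Banned Users
SetEnvIF REMOTE_ADDR "^192\.0\.2\.10$" DenyAccess
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DenyAccess
Require not ip 192.0.2.10
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
Deny from env=DenyAccess
Deny from 192.0.2.10
Deny from 198.51.100.25
</IfModule>
"""
SAMPLE_ERROR_LOG = """\
[Fri Apr 29 07:32:04.896837 2016] [authz_core:error] [pid 3735] [client 192.0.2.10:11540] AH01630: client denied by server configuration: /var/www/example/xmlrpc.php
[Fri Apr 29 07:36:46.041697 2016] [authz_core:error] [pid 3788] [client 203.0.113.7:21648] AH01630: client denied by server configuration: /var/www/example/xmlrpc.php
[Fri Apr 29 07:38:03.117955 2016] [authz_core:error] [pid 4084] [client 192.0.2.10:55890] AH01630: client denied by server configuration: /var/www/example/xmlrpc.php
"""

# Literal-IP ban lines in either authz syntax; "Deny from env=DenyAccess" is skipped on purpose.
BAN_RULE = re.compile(r"^\s*(?:Deny from|Require not ip)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.M)
# Apache 2.4 error_log client field followed by the authz_core denial code.
DENIED_CLIENT = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3}):\d+\] AH01630:")

def banned_ips(htaccess_text):
    """Set of IPs the Ban Hosts block denies by literal address."""
    return set(BAN_RULE.findall(htaccess_text))

def denied_clients(error_log_text):
    """Map client IP -> number of AH01630 'client denied' events."""
    counts = {}
    for ip in DENIED_CLIENT.findall(error_log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts

def correlate(htaccess_text, error_log_text):
    """Split denied clients into those on the ban list and those denied by some other rule."""
    banned = banned_ips(htaccess_text)
    denied = denied_clients(error_log_text)
    explained = {ip: n for ip, n in denied.items() if ip in banned}
    unexplained = {ip: n for ip, n in denied.items() if ip not in banned}
    return explained, unexplained
```

    An IP that lands in the unexplained set was denied by something other than the Ban Hosts block (for example a rule blocking xmlrpc.php), which is exactly the distinction dwinden asks the poster to make.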


The topic ‘Admin lockout doesn't work anymore’ is closed to new replies.