Hi
What is your configuration in the “NinjaFirewall > Login Protection” page?
Always ON. Apply to xmlrpc.php as well.
If you don’t see any connection from the Live Log page, there must be something wrong.
What happens if you log out of WordPress and then try to access the admin login again? Do you get NinjaFirewall login page?
Also, do you have some HTTP log samples from the attack (just a few lines)?
I agree it doesn’t make any sense. There are lines logged to the live and firewall log, just nothing related to these attacks. I am still looking through the email headers and logs to find out more. Will post what I find.
Set it to “Yes, if under attack” and use these values:
-Protect the login page against POST request attacks (default).
-Password-protect it: For 5 minutes, if more than 2 POST requests within 10 seconds.
Then wait a bit and check the firewall log again.
I have set the settings as you suggested. The firewall log shows some hacker blocks. However, I have other security plugins (Sucuri, All-in-One, etc) installed that are alerting me to hack attempts from other IP addresses that don’t show up at all in the firewall log? How did those attacks get through the firewall?
That means it is working.
If you enable ‘Always ON’, the firewall will not log attacks because it will block any access to the login page, including yourself. But if you check your HTTP log, you will see that everyone is blocked and that WordPress isn’t even loaded.
If set to ‘Yes, if under attack’, the firewall will write to its log when the attack starts (it will not log each failed login attempt), e.g.: ‘Brute-force attack detected on xxxxx – [enabling HTTP authentication for 5mn]’. It will silently block all attempts for the next 5mn.
You would need to post here the log/alerts you received from other plugins so that I could see exactly what it is.
If the login protection is set to, for instance, ‘Password-protect it For 5 minutes, if more than 8 POST requests within 5 seconds’, the firewall will not block or log the first 7 attempts, but only the 8th one and all subsequent ones for the next 5 minutes. You may have a plugin that is sending alerts related to the first 7 attempts?
I have All-in-one plugin set to block brute force attacks after 5 attempts. I have NinjaFirewall set to block after 4 attempts. So NinjaFirewall should stop all attacks before All-in-One sees them. A few minutes ago I received the following notification from AIO:
A lockdown event has occurred due to too many failed login attempts or invalid username:
Username: admin
IP Address: 46.148.22.18
IP Range: 46.148.22.*
Log into your site’s WordPress administration panel to see the duration of the lockout or to unlock the user.
That IP address does not appear in the NinjaFirewall log at all. Also, there are no brute force preventions logged in the NinjaFirewall for that domain at all either.
Doesn’t seem like NinjaFirewall is blocking brute-force attacks.
It is written “A lockdown event has occurred due to too many failed login attempts or invalid username“. If you don’t have a ‘admin’ user, then it blocked it for that reason.
To me, your copy NinjaFirewall is working as expected.
The main issue is that you have too many security plugins managing your login page. That’s too much confusing and, as you can see, that makes your life more complicated rather than making it easier!
Does NinjaFirewall not protect against invalid usernames? I am trying to find a way to stop the brute force attackers from even being able to access my server. I have not yet found one plugin that will do it, so I am using 3.
No, it does not because that requires to load WordPress and the database. If you faced a large attack, that would kill the server.
If you turn the protection to “Always ON”, all accesses will be blocked and be prompted to enter the firewall login/password. That works better than any other protection, because WordPress is not loaded as long as the password is not correct.
