• Resolved ecdltf

    (@ecdltf)


    Whenever I sync my desktop blog editor (MarsEdit) with my site, NinjaFirewall’s xmlrpc Login Protection gets triggered. (It is set to “Yes, if under attack”). In the log it appears as…

    
    09/Feb/15 05:49:09  #8738141  critical     -  xx.xxx.251.196   POST /xmlrpc.php - Brute-force attack detected on XML-RPC API - [enabling HTTP authentication for 5mn]
    

    Actually I have to turn off the xmlrpc part of the Login Protection. (Or increasing the POST count threshold may work, too, I don’t know.)

    But the blog editor is using valid credentials to log in. In my terminology “Brute-force attacks” are a series of non-successful login attempts (password guessing etc.)?!

    While it’s nice to see that the protection is actually working 🙂 I think POSTs that are made through valid logins shouldn’t qualify as “Brute-force attack”, no matter how many per minute are sent.

    Don’t you agree?


    Tom

    https://wordpress.org/plugins/ninjafirewall/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    We cannot check whether it is valid or not as that would defeat the main purpose of the protection, which is to protect at the lowest level. Otherwise, WordPress would load (as well as its plugins), would send dozens of queries to the database and would make a few other operations/calculations.

    However, the protection is quite flexible. The default values, 8 POST requests / 15s, are fine for most users. You may want to lower to 10s or increase to 10 POST requests. If you disabled it, check your HTTP log and you’ll see how many consecutive POST requests are sent from your desktop. You could adjust the protection accordingly.
    If you have a static IP, you can whitelist it with the help of the “.htninja” configuration file (that file is processed before the brute-force attack protection).
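
The access-log check suggested in the reply above can be scripted. This is an added example, not part of the original thread and not NinjaFirewall code: it reads a combined-format access log and reports, per client IP, the peak number of POSTs to /xmlrpc.php seen in any sliding window of 15, 12 and 9 seconds. The log lines, IP addresses and function names are constructed for illustration, and how NinjaFirewall itself counts its window is not stated in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one client syncing at roughly one POST every 1.7 s,
# plus an unrelated GET. Both addresses are documentation ranges.
_SECONDS = [0, 1, 3, 5, 6, 8, 10, 11, 13]
SAMPLE_LOG = "\n".join(
    f'203.0.113.7 - - [09/Feb/2015:05:49:{s:02d} +0000] '
    f'"POST /xmlrpc.php HTTP/1.1" 200 512'
    for s in _SECONDS
) + '\n198.51.100.9 - - [09/Feb/2015:05:49:04 +0000] "GET /index.php HTTP/1.1" 200 1024\n'

# client IP, timestamp, method and path of a common/combined log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def xmlrpc_post_times(log_text):
    """Map client IP -> sorted timestamps of its POSTs to /xmlrpc.php."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/xmlrpc.php"):
            times[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return {ip: sorted(t) for ip, t in times.items()}

def peak_in_window(stamps, window_s):
    """Largest number of requests inside any sliding window of window_s seconds."""
    peak = start = 0
    for end, t in enumerate(stamps):
        # drop requests that are window_s or more seconds older than this one
        while (t - stamps[start]).total_seconds() >= window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def report(log_text, windows=(15, 12, 9)):
    """Per client IP, the peak POST count for each candidate window length."""
    return {ip: {w: peak_in_window(t, w) for w in windows}
            for ip, t in xmlrpc_post_times(log_text).items()}

if __name__ == "__main__":
    for ip, peaks in report(SAMPLE_LOG).items():
        print(ip, peaks)
```

Comparing a legitimate client's peak for a given window with the configured POST count shows how much headroom a threshold leaves before that client is challenged.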

    Thread Starter ecdltf

    (@ecdltf)

    Thanks for the fast and thorough reply!

    Otherwise, WordPress would load (as well as its plugins), would send dozens of queries to the database

    OK, I understand. (And that’s exactly why I like this plugin: it doesn’t seem to slow down my site. So, you’re right, we absolutely don’t want to trade in this advantage! (Go figure, before this, I’ve tried another firewall plugin which increased my page load time by 1.1s!))

    You may want to lower to 10s or increase to 10 POST requests.

    Yes, thanks, with 10 requests per 15 seconds it goes through. According to the log it makes 1 request per 1.68 seconds.

    8req/12s or 6req/9s works also. I guess the shortest one is the most sensible and thus preferable(?)

    A strange thing I noticed:

    When my desktop editor gets blocked it shows me an HTTP authentication dialog, saying that there is a second level protection. But it doesn’t accept the ID/PW (the one from Ninja).

    Yes, the PW is correct; I made a test with the web browser (with the Login Protection forced to “Always”) and there the HTTP authentication (from Ninja) is accepted.

    Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Either one is fine.

    Regarding the failed password, maybe your application is using/expecting HTTP Basic authentication? But NinjaFirewall relies on cookies instead.

    Thread Starter ecdltf

    (@ecdltf)

    maybe your application is using/expecting HTTP Basic authentication?

    Yes, probably. (Besides that, it seems that this feature never really worked.)

    Thanks again for the good support.

    Best wishes

    Thread Starter ecdltf

    (@ecdltf)

    [resolved]

  • The topic ‘Firewall treats connections from my desktop editor as “brute force”’ is closed to new replies.