Never mind – the ignore box wasn’t staying checked, so I disabled a caching plugin, unchecked, and re-enabled… It should be fixed, I’ll come back if not. In the last hour I’ve gotten 110+ lockouts, so fingers crossed. 🙂
@danielsantoro
Ah, despite the fact that the issue seems to be resolved, still some piece of advice.
I noticed the notification email reports a host as well as a user lockout (admin).
So the lockout notification emails are probably the result of invalid attempts to login with the admin account.
The iTSec plugin includes a feature (part of the Brute Force Protection feature) that immediately bans hosts trying to login using the admin account.
So it looks like this feature is not activated or is not properly configured in your env.
Go to the iTSec plugin Settings page and make sure the following settings are all enabled:
Global Settings
Write to Files [x] Allow iThemes Security to write to wp-config.php and .htaccess.
Blacklist Repeat Offender [x] Enable Blacklist Repeat Offender
Banned Users
Ban Users [x] Enable ban users
Brute Force Protection
Enable local brute force protection [x] Enable local brute force protection.
Automatically ban “admin” user [x] Immediately ban a host that attempts to login using the “admin” username.
Monitor the situation after making sure the above settings are enabled.
dwinden
Hi there,
I appreciate the response! Those settings were enabled – it looks like each of them is coming from different host IPs. Bots must just smell me out. 🙂
Still the notification email (as linked in your first post) indicates a temporary host and user lockout…
If the Automatically ban “admin” user setting is configured/working properly the notification email does not contain a temp host lockout …
The host is banned permanently so there should be no temp host lockout in the email.
Make sure you have (ban) entries like this in your .htaccess file:
# Ban Hosts - Security > Settings > Banned Users
SetEnvIF REMOTE_ADDR "^11\.111\.11\.1$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^11\.111\.11\.1$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^11\.111\.11\.1$" DenyAccess
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DenyAccess
Require not ip 11.111.11.1
</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
Deny from env=DenyAccess
Deny from 11.111.11.1
</IfModule>
dwinden
Never mind, it turns out the Automatically ban “admin” user setting works differently than I first thought.
I always thought hosts that do an invalid login attempt using the admin username were automatically and permanently banned (like added to the Banned Users list). So 1 invalid admin login attempt and wham the host is banned for life.
After looking at the code I now see that such hosts are automatically and temporarily locked out. And after 3 of such attempts (within 7 days) the host is finally banned (added to the Banned Users list).
So I guess the setting should be named ‘Automatically lockout “admin” user’. My apologies for the confusion.
Still a little bit weird. Makes more sense to ban immediately.
Now any host is allowed 3 login attempts using the (non-existent) admin username …
dwinden
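The escalation dwinden describes (temporary lockout per invalid "admin" login, permanent ban after 3 such attempts within 7 days, with the banned host then written into the .htaccess "Ban Hosts" block shown earlier in the thread) can be simulated to see what a run of bot traffic produces. The following is an added example, not the iThemes Security plugin's own code: the 3-attempt threshold and 7-day window come from the thread, while the 15-minute lockout length, the `AdminLockoutPolicy` class name and the sample login events are constructed for illustration.

```python
"""Simulation of the lockout-then-ban policy described in the thread.
Not the plugin's code; thresholds from the thread, lockout length assumed."""
from datetime import datetime, timedelta
import re

ADMIN_ATTEMPTS_BEFORE_BAN = 3          # thread: banned after 3 attempts
ATTEMPT_WINDOW = timedelta(days=7)     # thread: ...within 7 days
TEMP_LOCKOUT = timedelta(minutes=15)   # assumed lockout length (illustrative)


class AdminLockoutPolicy:
    """Tracks invalid 'admin' logins per host and escalates to a ban."""

    def __init__(self):
        self.attempts = {}   # host -> timestamps of invalid admin logins
        self.lockouts = {}   # host -> expiry of the current temporary lockout
        self.banned = set()  # hosts added to the Banned Users list

    def handle_login(self, host, username, when):
        """Return 'allowed', 'locked' or 'banned' for one login attempt."""
        if host in self.banned:
            return "banned"
        if username != "admin":
            return "allowed"
        # Only attempts inside the sliding window count towards the ban.
        window_start = when - ATTEMPT_WINDOW
        recent = [t for t in self.attempts.get(host, []) if t >= window_start]
        recent.append(when)
        self.attempts[host] = recent
        if len(recent) >= ADMIN_ATTEMPTS_BEFORE_BAN:
            self.banned.add(host)
            self.lockouts.pop(host, None)
            return "banned"
        self.lockouts[host] = when + TEMP_LOCKOUT
        return "locked"

    def is_locked(self, host, when):
        """True while a host is banned or inside a temporary lockout."""
        return host in self.banned or self.lockouts.get(host, when) > when


def htaccess_ban_block(hosts):
    """Render banned hosts in the 'Ban Hosts' layout shown in the thread."""
    hosts = sorted(hosts)
    lines = ["# Ban Hosts - Security > Settings > Banned Users"]
    for host in hosts:
        pattern = "^" + re.escape(host) + "$"   # dots escaped, anchored
        for header in ("REMOTE_ADDR", "X-FORWARDED-FOR", "X-CLUSTER-CLIENT-IP"):
            lines.append(f'SetEnvIF {header} "{pattern}" DenyAccess')
    lines += ["<IfModule mod_authz_core.c>", "<RequireAll>",
              "Require all granted", "Require not env DenyAccess"]
    lines += [f"Require not ip {host}" for host in hosts]
    lines += ["</RequireAll>", "</IfModule>",
              "<IfModule !mod_authz_core.c>", "Order allow,deny",
              "Allow from all", "Deny from env=DenyAccess"]
    lines += [f"Deny from {host}" for host in hosts]
    lines.append("</IfModule>")
    return "\n".join(lines)


# Constructed login events: (host, username, timestamp).
SAMPLE_EVENTS = [
    ("11.111.11.1", "admin", datetime(2024, 1, 1, 10, 0)),
    ("11.111.11.1", "admin", datetime(2024, 1, 2, 10, 0)),
    ("22.222.22.2", "editor", datetime(2024, 1, 2, 11, 0)),
    ("11.111.11.1", "admin", datetime(2024, 1, 3, 10, 0)),   # third: banned
    ("33.33.33.3", "admin", datetime(2024, 1, 1, 9, 0)),
    ("33.33.33.3", "admin", datetime(2024, 1, 2, 9, 0)),
    ("33.33.33.3", "admin", datetime(2024, 1, 20, 9, 0)),   # outside window
]


def run_simulation(events=SAMPLE_EVENTS):
    """Feed events through the policy; return per-event outcomes and state."""
    policy = AdminLockoutPolicy()
    outcomes = [(host, policy.handle_login(host, user, when))
                for host, user, when in events]
    return outcomes, policy


if __name__ == "__main__":
    outcomes, policy = run_simulation()
    for host, outcome in outcomes:
        print(f"{host:<12} {outcome}")
    print(htaccess_ban_block(policy.banned))
```

The third host shows the gap dwinden points out: two attempts followed by a third after the 7-day window only earn another temporary lockout, since the earlier attempts have aged out of the window.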