doesn't repel brute force attacks
Would you be so kind as to explain the scenario under which it doesn't work, please?
sorry - no
it would give any attacker an architectural background of our site.
Despite all settings, attackers were still able to bounce off 80+ tries before we had to interfere manually. We think these attacks are cookie/jQuery-related since the timing is very consistent and precise.
I was not asking for specific details about your site.
I'm looking for an outline of why you think LSS didn't work. Your saying the attackers were able to "bounce off 80+ tries before we had to interfere manually" is a start.
How many minutes did it take them to make those hits?
It seems you misunderstand what this plugin does. An explanation of the matter has been added to the FAQ, entitled "I just got hit with 500 failed logins! Why isn't this plugin working?!?" Check it out.
Just because something doesn't work the way you want it to doesn't mean it doesn't work. And it's certainly a lousy reason for doling out trash talk and one star ratings.
The FAQ has been updated with a section entitled "Will you provide lock outs / blocks in addition to slow downs?" It explains how this plugin works and how it actually blocks attackers.
Gotta love folks like P3air who shoot first, don't really understand, and don't even ask questions later. Nice drive by P3air!
It's a nice little plugin, and whoever is using it and is happy with it, so be it. BUT: your plugin does NOT protect against BRUTE force attacks - just because you create a Q&A doesn't make it suitable -
mdSuess, we hate to rain on to your parade, but you need to put your Kool-Aid aside and grow up. You have zero understanding of what the real problem with this plugin is.
So, to give you guys a quick heads-up: Most brute force attacks are jQuery driven: every 2 sec. a bounce against login/database. These attacks do not trigger wp-login.php - they come direct ... Unless the hacker is an idiot and types the password 3256 times into wp-login.php and hits enter, your plugin will not recognize the attack.
That may give you a clue where your fundamental flaw in your plugin is.
As we said in the beginning: it's a cool little plugin, and whoever is using it and feels protected with it, great - if you run a serious site, don't use it. It gives you a false sense of protection.
Our $0.02 - PEACE
You must be new to open source etiquette P3air. You drop your load in a topic and don't provide any concrete details?
@P3air: The Limit Login Attempts plugin protects well against brute force. It limits login tries to a specific number, and this number is not enough to brute-force the password.
"+1" for "to rain on to your parade" quote :)
Most brute force attacks are jQuery driven: every 2 sec. a bounce against login/database.
Thank you for finally explaining your scenario. Can you please provide a sample payload and the path (URI without domain) of such a request?
The reason I asked for a proof of concept is because I'm pretty sure this plugin already handles the scenario you're mentioning. The Login Security Solution checks all WordPress' authentication hooks, not just activity in wp-login.php.
It'd be great if you were actually interested in improving security by participating in the open source community.
You may say I'm a dreamer
But I'm not the only one
I hope someday you'll join us...
@P3air: I find your comments here really odd.
You downloaded a free plugin as you hoped it would do something for you.
You decided (rightly or wrongly) that it doesn't do what you wanted it to do.
You then come here and say "it doesn't work" without explaining in any way how you came to that conclusion.
The author then offers to fix the plugin so that it does work for you, but you just ignore that.
So, did you want a solution that works? Or do you just want to complain about something that you got for free?
Everyone here is concerned about web security. There is no such thing as complete security, other than turning your website off. The goal of open source (such as this plugin) is that we work together to make the security as good as possible. We invite you to be part of that solution. Please provide the author with some details that he can actually use to identify what you believe to be the problem so that he can then fix it.
@P3air: How about contributing an improvement to the plugin code to protect against the scenario you were in?
That is how open-source works. You improve the code for your needs and thereby help others in a similar situation.
If you just think some plugin works in a certain way, it does not automagically do so.
Our contributions to open source are that we risk testing plugins in a LIVE environment and give limited feedback.
By outing ourselves as using certain plugins AND contributing even the smallest amount of feedback, we see a significant increase in hacking attacks towards our main site; e.g. yesterday alone we had 60,000+ brute force hits. In other words: vicious WP coders are monitoring forums and posts like this very closely to skim off any useful and valuable information. We do not intend to make their 'trophy list'.
Plugins which we SUCCESSFULLY use over a certain period of time will receive good reviews and donations.
To all who are not satisfied with the details of our feedback, we are sorry, but that's all you get.
We've found a free plugin which fits our needs. It has been successfully implemented for several months. To respect the effort of the author of this particular plugin, we won't mention it here.
Good luck guys
Hi P3air: Please email me directly at email@example.com with any specifics you don't want the general public to see. That's how all open source projects handle sensitive data regarding security problems. Thanks.
OMFG P3air, get over yourself already. Reading your post we'd think that your wordpress site is a key national security infrastructure. It is in fact "just another wordpress site" among the millions.
Your general rudeness is only exceeded by your humorous paranoia that the brute force attacks are especially targeting your web site.
Brute force attacks are up everywhere and if you saw 60,000 hits come through to your webserver, then you are NOT doing everything you should to prevent and deny these. And in your spirit of not sharing details, I'm not going to tell you what you are missing, just that YOU ARE NOT DOING ENOUGH if you saw 60,000 hits. That's OBVIOUS.
So Apple, Twitter and the New York Times recently explained to the public that they've had security problems and what happened. But P3air is too important to provide accurate information.
I assume P3air is talking about login attempts from XML-RPC requests. Version 0.37.0, released a moment ago, now monitors those. This hole was recently brought to my attention by another user. It could have been fixed months ago if P3air was more forthcoming. Oh, well.
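The two technical points in this thread, that the plugin hooks WordPress's authentication layer rather than watching wp-login.php, and that XML-RPC logins are a separate entry point that must be covered, can be shown with a small mu-plugin. The following is an added illustration written for this page; it is not Login Security Solution's code, and the `lte_` function names, the `LTE_*` thresholds, and the sample XML-RPC request are all assumptions made for the example. It uses only core WordPress hooks (`wp_login_failed`, `authenticate`) and the transients API.

```php
<?php
/*
Plugin Name: Login Throttle Example
Description: Added illustration (not Login Security Solution). Counts failed logins per
client IP across every path that goes through wp_authenticate() - the wp-login.php form,
XML-RPC, and anything else - then slows down or rejects further attempts.
Install in wp-content/mu-plugins/ on a staging site to try it.
*/

// Thresholds are assumptions chosen for the example, not the plugin's real settings.
const LTE_WINDOW_SECONDS = 600;   // failures are counted within this window
const LTE_SOFT_LIMIT     = 3;     // start sleeping after this many failures
const LTE_HARD_LIMIT     = 10;    // reject outright after this many failures
const LTE_MAX_SLEEP      = 8;     // cap the delay so PHP workers are not tied up forever

/**
 * Client IP with no proxy trust. Behind a reverse proxy, read the header that the
 * proxy itself sets; never trust a client-supplied X-Forwarded-For.
 */
function lte_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lte_key($ip) {
    return 'lte_fail_' . md5($ip);
}

/**
 * wp_login_failed fires from inside wp_authenticate(), which is the common funnel
 * behind the wp-login.php form AND the XML-RPC server's login() method. Hooking here
 * therefore records failures that never touched wp-login.php at all.
 */
add_action('wp_login_failed', 'lte_record_failure');
function lte_record_failure($username) {
    $key   = lte_key(lte_client_ip());
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LTE_WINDOW_SECONDS);
}

/**
 * The 'authenticate' filter runs on every login path. Priority 30 places this after
 * WordPress's own wp_authenticate_username_password (priority 20), so even a correct
 * password from an over-limit address is still refused.
 */
add_filter('authenticate', 'lte_throttle', 30, 3);
function lte_throttle($user, $username, $password) {
    $count = (int) get_transient(lte_key(lte_client_ip()));

    if ($count >= LTE_HARD_LIMIT) {
        return new WP_Error('lte_locked',
            __('Too many failed logins from your address. Try again later.'));
    }
    if ($count >= LTE_SOFT_LIMIT) {
        // Slow-down rather than lock-out: each extra failure adds a second of delay.
        sleep(min($count - LTE_SOFT_LIMIT + 1, LTE_MAX_SLEEP));
    }
    return $user;
}

/*
 Constructed sample of the XML-RPC login path discussed above (not captured traffic).
 The XML-RPC server authenticates the two string params through wp_authenticate(),
 so a wrong password here increments the same counter as one sent to wp-login.php:

   POST /xmlrpc.php HTTP/1.1
   Content-Type: text/xml

   <methodCall>
     <methodName>wp.getUsersBlogs</methodName>
     <params>
       <param><value><string>admin</string></value></param>
       <param><value><string>guess0001</string></value></param>
     </params>
   </methodCall>
*/
```

Two caveats a practitioner should keep in mind with this pattern: keying on the client IP does nothing against a botnet that spreads guesses across many addresses, and sleeping inside a PHP worker turns an aggressive attacker into a resource-exhaustion problem, which is why the delay above is capped and why a hard reject still exists. If XML-RPC is not needed at all, returning `false` from the `xmlrpc_enabled` filter removes that entry point entirely.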
@Dan - Thanks for fixing this issue and for being a real standup guy throughout this whole thread!
P3 Air DOESN'T WORK. BOOM. :P
Their flight school sucks, and I'm not going to tell you why.