WordPress.org

Forums

Limit Login Attempts
Possible flaw in 1.7.1 facilitating DoS (2 posts)

  1. chltx
    Member
    Posted 1 year ago #

    I'm getting DoS'd (4 times on one site, and I'm seeing evidence of another brewing on another site.

    Here's a strange chronology on a DoS I experienced this morning. Notice the time stamps on the emails. Appears to be a two-thread process attacking very close to the same time, and exceeding the limit I set for failed logins.
    WordPress
    2 failed login attempts (0 lockout(s)) from IP: 176.53.65.71 Last user attemp...
    11:04 AM (6 hours ago)
    WordPress
    2 failed login attempts (0 lockout(s)) from IP: 176.53.65.71 Last user attemp...
    11:04 AM (6 hours ago)

    At that point, it looks like the Zombie gave up, for 4 hours, then started trying login connections as fast as it could. By the time I was able to get the IP block into .htaccess, this IP had hit my host several thousand times.

    WordPress
    9 failed login attempts (3 lockout(s)) from IP: 176.53.65.71 Last user attemp...
    3:04 PM (2 hours ago)
    WordPress
    9 failed login attempts (3 lockout(s)) from IP: 176.53.65.71 Last user attemp...
    3:04 PM (2 hours ago)
    WordPress
    9 failed login attempts (3 lockout(s)) from IP: 176.53.65.71 Last user attemp...
    3:04 PM (2 hours ago)
    WordPress
    2 failed login attempts (0 lockout(s)) from IP: 176.53.65.71 Last user attemp...
    3:04 PM (2 hours ago)

    I have a honeypot user called "admin" with a very long random password. "admin" also has NO access to anything at all. It would be really cool if you could modify LLA to detect an attempt to log into a honeypot address and add that IP to the .htaccess deny list immediately.

    https://wordpress.org/plugins/limit-login-attempts/

  2. rick111
    Member
    Posted 1 year ago #

    A honeypot will help only if you want to trace what he is doing in the network, it is like a trap. You actually do not need one, it is irrelevant. It seems that he is using some tool with parallel connections Even if you put the IP in the .htaccess, he may change it with a tool like ToR. You .htaccess can get so bug in one day that it will take your site down.

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • Limit Login Attempts
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic