Daniel Convissor
Forum Replies Created
Hey Steve:
LSS already does automatic blocking for network IP addresses. What do you gain by blocking them via cPanel/firewall/etc? Can you please clarify what you’re seeking?
Thanks,
–Dan
Hi:
The timeout message you’re seeing is coming from somewhere else. The Login Security Solution’s idle timeout message says “It has been over %d minutes since your last action.”
Good luck,
–Dan
Hi Bozz:
Nay. LSS focuses solely on user login related factors.
Thanks for the kind words. How is LSS working out for you on those production sites? Any particular feedback?
If you have a chance and the inclination, it’d be great if you can provide a rating, “works” vote, and/or donation, please.
Thanks,
–Dan
Okay. I sincerely think the odd behavior here is a fluke by the server. I’ll close this for now. If you’re able to reproduce it, please reopen this thread with more details.
Hi Dean:
Have you been able to reproduce the problem by “attacking” your site with the Bash script I sent?
–Dan
The settings screen is now translated. Thanks Mermouy.
Forum: Plugins
In reply to: [Login Security Solution] [Plugin: Login Security Solution] NOT RECOMMENDED
Hi P3air:
It seems you misunderstand what this plugin does. An explanation of the matter has been added to the FAQ, entitled “I just got hit with 500 failed logins! Why isn’t this plugin working?!?” Check it out.
Just because something doesn’t work the way you want it to doesn’t mean it doesn’t work. And it’s certainly a lousy reason for doling out trash talk and one star ratings.
Thanks,
–Dan
Hi Jason:
Between seeing the list of emails in your inbox and reviewing my code I figured out what was going on. There’s a combination of expected (though undesirable) behaviors and a bug. Both have been fixed in the new release, 0.28.0.
When a successful login happens during an attack (whether by a legitimate user or an attacker) an email is sent to the admin and the user. Since you are both, you got two emails for each login. And the subject line of both emails was the same.
The subject line for the user notification email has been modified to differentiate them. Now the admin and user emails only go out if the user’s IP has not been verified and the number of failed attempts from the user’s IP address is over the “Breach Email Confirm” threshold. In addition, the user email message now provides the steps for verifying one’s email address to avoid future annoyance.
Thanks for all your help,
–Dan
Hi st0l1:
Donations are definitely appreciated. Ratings and adding “works” votes as new versions come out (assuming they still work, of course 🙂) are welcome as well.
Thanks in advance,
–Dan
For the record here, I’ve been working with Dean on this via back channels. So far, my test “attacks” on his site have been unable to reproduce the problem.
Jason:
The goal here is to figure out the correlation between those IP’s, failure times and the times of the password reset loops.
So what are those legit IP’s, what are the values in the verified IP metadata for each of you and what are the times of the reset loops?
–Dan
Jason:
When you look at the output of that second query for you and your associate’s user name, do you see any IP’s that are legitimately yours or theirs? Which ones?
I see some that look like they are and there is overlap between those of you and your associates.
Is there a pattern? What part of the output corresponds to when you folks were in the password reset loops?
What’s the output of the following? Does anything correspond to the above?
select user_login, meta_value
from wp_usermeta
join wp_users on (wp_usermeta.user_id = wp_users.ID)
where meta_key = 'login-security-solution-verified-ips';
Thanks,
–Dan
Jason:
There are a large number of login failures for most of your user names. Run this query to see what I mean:
select count(*) as ct, user_login, min(date_failed), max(date_failed)
from wp_login_security_solution_fail
group by user_login;
To examine what’s happening to a specific user, execute this:
select count(*) as ct, user_login, ip, min(date_failed), max(date_failed)
from wp_login_security_solution_fail
where user_login = '<USER>'
group by user_login, ip
order by min(date_failed);
If you run the above query for a few users you’ll see there’s a pattern to the IP addresses, times and quantities. If admin isn’t a legitimate account on your site, you can use that as a reference to IP’s that are attackers.
Dom: The mysqldump command is to be run from a login shell, not an SQL command line.
–Dan
If you have access to a shell:
mysqldump -u <mysql_user_name> -p <db_name> <prefix>login_security_solution_fail > lss.dom.sql
If you don’t have access to a shell, you’ll have to ask your ISP.
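Added example, not part of the original replies or the plugin's code: it carries the failure-table queries above one step further by using failed logins for a non-existent `admin` account as a reference for attacker IPs, then listing a real user's failures from all other IPs. The table and column names come from the queries on this page; the rows, the `editor1` user name, the column types and the helper function names are constructed for illustration, and SQLite stands in for MySQL.

```python
import sqlite3

TABLE = "wp_login_security_solution_fail"  # table name as used on this page

# Constructed sample rows (user_login, ip, date_failed); not real data.
ROWS = [
    ("admin",   "203.0.113.5",  "2012-10-01 03:00:01"),
    ("admin",   "203.0.113.5",  "2012-10-01 03:00:02"),
    ("editor1", "203.0.113.5",  "2012-10-01 03:00:03"),
    ("admin",   "198.51.100.7", "2012-10-01 03:05:00"),
    ("editor1", "198.51.100.7", "2012-10-01 03:05:01"),
    ("editor1", "192.0.2.10",   "2012-10-01 09:15:00"),
    ("editor1", "192.0.2.10",   "2012-10-01 09:15:20"),
]

# Every IP that failed a login as the decoy name, with all of its activity.
DECOY_IPS = f"""
select f.ip, count(*) as ct, count(distinct f.user_login) as users_tried,
       min(f.date_failed), max(f.date_failed)
from {TABLE} f
where exists (select 1 from {TABLE} d where d.ip = f.ip and d.user_login = ?)
group by f.ip
order by ct desc"""

# Failures for one user from IPs that never tried the decoy name.
OTHER_IPS = f"""
select f.ip, count(*) as ct, min(f.date_failed), max(f.date_failed)
from {TABLE} f
where f.user_login = ?
  and not exists (select 1 from {TABLE} d where d.ip = f.ip and d.user_login = ?)
group by f.ip
order by min(f.date_failed)"""

def build_db(rows):
    """Load rows into an in-memory table (column types are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"create table {TABLE} (user_login text, ip text, date_failed text)")
    db.executemany(f"insert into {TABLE} values (?, ?, ?)", rows)
    return db

def attacker_ips(db, decoy="admin"):
    return db.execute(DECOY_IPS, (decoy,)).fetchall()

def unexplained_failures(db, user, decoy="admin"):
    # Candidates to compare with the verified-IP metadata, not proven legitimate.
    return db.execute(OTHER_IPS, (user, decoy)).fetchall()

if __name__ == "__main__":
    db = build_db(ROWS)
    print(attacker_ips(db))
    print(unexplained_failures(db, "editor1"))
```

Both SQL statements use only standard syntax, so they can be pasted into a MySQL client with the `?` placeholders replaced by quoted names.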