[wp-hackers] Counting failed logins
ringmaster at midnightcircus.com
Mon Dec 5 15:47:45 GMT 2005
Scott Merrill wrote:
> What would constitute an unauthorized capabilities promotion? That is
> to say, how would your plugin know which promotions were authorized and
> which weren't? Will Armor monitor the entire user's table for
> permissions, and "do something" when the state changes from one
> comparison to the next?
That's pretty much exactly what I had in mind. I was thinking of
possibly limiting it to sensitive capabilities, like edit_users, but I'm
not sure if it wouldn't be better just to watch for general changes and
then alert the admin to them.
Perhaps it could even store a backup of permissions, and in the event of
an unauthorized change, email the stored admin with a URL to reverse
those changes. I'm dreaming up features, here.
> Should there be a record of security events stored in the database, so
> that an admin can review recent activity from inside the blog? I don't
> know that it has much long-term value, but I know I generally despise
> getting email from my blog. A long-running attack on a blog might serve
> as a DoS against the admin's email account, too. Yuck.
Yeah, I'm not crazy about emails either. Actually, I hacked that into
this plugin when I saw Podz's message.
A rolling log would be easy to keep for a preset number of days/events.
It would be simple enough to view, too.
A comprehensive logger would also allow you to specify IPs to blcok
based on logged activities. So if someone tried to hack a login or
somehow succeeded in changing security credentials, an admin could click
a button to block all further access (via a scripted 412, or maybe a 402
;) ) from that IP. That could be part of the plugin, too, a
general-purpose IP-blocker with progressive settings like time-delay,
easy netblock selection, error code selection, etc.
More information about the wp-hackers