[wp-hackers] Limit Login Attempts
Chris Williams
chris at clwill.com
Tue Apr 16 15:52:36 UTC 2013
Great, except if your admins have variable IP addresses, or want to be
able to manage the site when on the road, or have some emergency and need
to get to the site from their phone, or ...
On 4/16/13 8:46 AM, "Michael Donaghy" <mike at donaghy.biz> wrote:
>If anyone else is interested, this is what I'm doing to whitelist IPs in
>apache. The first allow is an example of an IP, and the second is higher
>up in the IP block - this is useful for clients whose last number
>frequently changes.
>
>file: pre_virtualhost_global.conf
>
><Files wp-login.php>
>order deny,allow
>deny from all
>allow from 11.22.33.44
>allow from 11.22.33
></Files>
><Location /wp-admin/>
>order deny,allow
>deny from all
>allow from 11.22.33.44
>allow from 11.22.33
></Location>
>
>On Tue, Apr 16, 2013 at 11:42 AM, Dre Armeda <dre at armeda.com> wrote:
>
>> The most effective way to limit issues is at the edge. Unique passwords
>> will thwart the attack from getting in, but that doesn't account for
>> resource handling. If you can limit the amount of traffic from ever
>> getting to the box, you're in a better place. Find out what your host is
>> doing to limit larger scale brute force attacks, that's your best bet.
>>
>> Dre
>>
>> Chip Bennett <mailto:chip at chipbennett.net>
>>> April 16, 2013 12:39 PM
>>>
>>> "Does that overlook something important?"
>>>
>>> Well, unless you whitelist your own IP address to bypass the login
>>> lockout, then if the brute-force attack attacks your actual username, you
>>> could find yourself locked out of your own site.
>>>
>>> Another solution is to .htaccess whitelist your own IP address for
>>> wp-login.php, but that may not exactly be a low-maintenance solution
>>> (dynamic IP addresses, logging in from multiple locations/IP
>>> addresses/devices, etc.).
>>>
>>>
>>> On Tue, Apr 16, 2013 at 11:32 AM, onlyunusedname
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>> onlyunusedname <mailto:onlyunusedname at gmail.com>
>>> April 16, 2013 12:32 PM
>>>
>>> I've been using something similar to what Jesse describes: limiting
>>> attempts based on username so that I may disregard IP. Does that
>>> overlook something important?
>>>
>>>
>>> Tom Barrett <mailto:tcbarrett at gmail.com>
>>> April 16, 2013 12:30 PM
>>>
>>> Is there any way to set up a collective pool, a global 'limit login
>>> attempts blacklist'?
>>>
>>>
>>>
>>>
>>>
>>> Chip Bennett <mailto:chip at chipbennett.net>
>>> April 16, 2013 12:25 PM
>>>
>>> I agree that Limit Login Attempts is useful, and does block single-IP
>>> brute-force attacks. (I use, and love, Limit Login Attempts.)
>>>
>>> But this particular botnet has demonstrated the ability to vary the IP
>>> address used to brute-force a given site. That behavior, IIRC, has been
>>> observed in the wild.
>>>
>>> My caution in adding Limit Login Attempts to core in response to this
>>> attack is that it would give a false sense of security, WRT both
>>> brute-force login attempts and DDoS.
>>>
>>>
>>> Chris Williams <mailto:chris at clwill.com>
>>> April 16, 2013 12:14 PM
>>>
>>> Because if you only allow each IP four (Five? Six?) login attempts per
>>> day, you essentially stop them all.
>>>
>>> In my log analysis, it's not the case that each IP only makes a few
>>> attempts. They try hundreds/thousands. Now they are hitting my block,
>>> which requires a block of four attempts four times (16 total hits in a
>>> one day period).
>>>
>>> If you look at the analysis on this, it all says something like "at
>>> 1000 attempts/minute it takes only N days to crack your short password".
>>> Well, at 4 attempts/day, that number becomes millennia.
>>>
>>> More to the point, why NOT do this? It doesn't require everyone to
>>> change their password. It doesn't require everyone to remove the "admin"
>>> account. It doesn't require any changes at all, yet helps protect even
>>> the most lax of password choosers.
>>>
>>>
>>>
>>
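The trade-offs argued over in this thread can be made concrete in a few dozen lines: a per-IP cap stops the single-address brute force Chris describes but never fires against a botnet that changes address on every attempt, while the per-username cap onlyunusedname uses is address-independent but, as Chip points out, lets an attack on "admin" lock the real admin out unless a trusted address bypasses it. The following is an added example written for this page; it is not WordPress, Limit Login Attempts, or any list member's code. The thresholds, usernames, passwords and IP addresses (documentation ranges) are constructed, and the trusted-network list plays the role of the Apache "allow from" whitelist quoted above.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed thresholds; the thread's own figure is about four attempts per IP per day.
MAX_PER_IP = 4
MAX_PER_USER = 8
WINDOW_SECONDS = 24 * 3600


class LoginLimiter:
    """Sliding-window count of failed logins per source IP and per username."""

    def __init__(self, trusted_networks=()):
        # Trusted networks stand in for the Apache 'allow from' whitelist: they
        # bypass the per-username lockout (so an attack on 'admin' cannot lock
        # the real admin out) but still obey the per-IP cap.
        self.trusted = [ip_network(n) for n in trusted_networks]
        self.ip_failures = defaultdict(deque)
        self.user_failures = defaultdict(deque)

    @staticmethod
    def _recent(events, now):
        # Discard failures that have aged out of the window; return what is left.
        while events and now - events[0] >= WINDOW_SECONDS:
            events.popleft()
        return len(events)

    def _is_trusted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.trusted)

    def check(self, ip, username, now):
        """Return (allowed, reason) without touching the counters."""
        if self._recent(self.ip_failures[ip], now) >= MAX_PER_IP:
            return False, "ip"
        if (not self._is_trusted(ip)
                and self._recent(self.user_failures[username], now) >= MAX_PER_USER):
            return False, "username"
        return True, "ok"

    def attempt(self, ip, username, password, now, real_password):
        """One login attempt: returns 'blocked', 'success' or 'failed'."""
        allowed, _ = self.check(ip, username, now)
        if not allowed:
            return "blocked"
        if password == real_password:
            return "success"
        self.ip_failures[ip].append(now)
        self.user_failures[username].append(now)
        return "failed"


REAL_PASSWORD = "correct horse battery staple"  # constructed


def simulate(limiter, attempts):
    """Run constructed attempts [(time, ip, username, password)] and tally outcomes."""
    counts = {"blocked": 0, "success": 0, "failed": 0}
    for t, ip, user, pw in attempts:
        counts[limiter.attempt(ip, user, pw, t, REAL_PASSWORD)] += 1
    return counts


def single_ip_attack(n=1000):
    """One address hammering 'admin': the per-IP cap ends it after MAX_PER_IP tries."""
    attempts = [(i, "203.0.113.9", "admin", f"guess{i}") for i in range(n)]
    return simulate(LoginLimiter(), attempts)


def rotating_botnet_attack(n=1000):
    """A fresh address per attempt: the per-IP cap never fires, only the username cap does."""
    attempts = [(i, f"198.51.{i // 256}.{i % 256}", "admin", f"guess{i}")
                for i in range(n)]
    return simulate(LoginLimiter(), attempts)


def admin_lockout_demo():
    """After a distributed attack on 'admin', the real admin is locked out from an
    unknown address but still gets in from the whitelisted office network."""
    lim = LoginLimiter(trusted_networks=["192.0.2.0/24"])
    simulate(lim, [(i, f"198.51.{i // 256}.{i % 256}", "admin", f"guess{i}")
                   for i in range(50)])
    from_cafe = lim.attempt("203.0.113.77", "admin", REAL_PASSWORD, 100, REAL_PASSWORD)
    from_office = lim.attempt("192.0.2.15", "admin", REAL_PASSWORD, 100, REAL_PASSWORD)
    return from_cafe, from_office


if __name__ == "__main__":
    print("single IP:", single_ip_attack())
    print("rotating botnet:", rotating_botnet_attack())
    print("real admin (cafe, office):", admin_lockout_demo())
```

Running it shows the three outcomes the thread predicts: the single-address run fails four times and is then blocked, the rotating run is only stopped by the username counter, and the legitimate admin is refused from an untrusted address but admitted from the trusted network. One caveat on the quoted Apache fragment: Order/Deny/Allow is the 2.2 syntax; on Apache 2.4 those directives only work through mod_access_compat, and the equivalent whitelist is written with Require ip inside the same Files and Location blocks.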