Many Wordpress "Login Failure Detected" (Rule 377306)

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Hi,

Just looking for anyone else's experience in this.

I have perhaps 30 Wordpress sites which, either recently, or simply showing up recently because of the new web application rules from ASL, are experiencing multiple failed login attempts from outside sources.

These are distributed by source and by destination - i.e. no IP attacks twice, even on a different domain.

The ASL rules are alerting to this and the brute-force rule shuns repeated offenders, but is this sufficient?

I could raise 377306 to level 7 and shun all failed logins immediately, but then risk the onslaught of customer contacts as they are shunned when they enter their password in wrong.


Anyone else seeing this? And perhaps overcome it?


Thanks
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

No-one else came across this? Or is it just something everyone's happy to allow ASL to do its thing on?
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

What's happening is that a botnet is being used to initiate the logins. This causes them to be from a number of different IPs. We see this a lot. It seems to be the latest strategy to avoid the simple "fail2ban" sort of blocking.

It isn't just wordpress. They do the same thing for email and FTP. And no doubt other types of common script. We mitigate it by blocking South America, Eastern Europe and the Far East at the firewall level - these are the places most of the IPs are for the botnets that target our machines.

The problem is simply that if each IP is different, you can't do anything about it other than prevent logins to the site from all IPs, which would not be good because the admin would then be unable to login.

The solution is simple. 1) Make the password un-guessable and 2) potentially use .htaccess to add a first-level block on the admin directory 3) if the script allows it, don't use common usernames like admin for the admin user.
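The evasion described in the post above, as an added example that is not part of the thread and not Atomicorp's rule logic: a per-IP failure threshold stays silent when every attempt comes from a different address, while counting failures per site across distinct IPs exposes the campaign. The log layout (vhost-prefixed Apache access log), the 200-means-failed heuristic, the thresholds and all sample traffic are assumptions constructed for the illustration.

```python
import re
from collections import Counter, defaultdict

# Assumption: vhost-prefixed Apache access log; a POST to /wp-login.php that
# returns 200 is a failed login (WordPress answers a successful one with 302).
LINE = re.compile(r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def sample_log():
    """Constructed sample traffic (documentation IP ranges, not real data)."""
    row = '{} {} - - [01/Jan/2020:10:00:00 +0000] "{} /wp-login.php HTTP/1.1" {} 3120'
    rows = [row.format("blog.example.com", f"203.0.113.{i}", "POST", 200)
            for i in range(10, 16)]                       # botnet: 6 IPs, 1 try each
    rows += [row.format("shop.example.com", "198.51.100.7", "POST", 200)] * 4  # one noisy IP
    rows += [row.format("blog.example.com", "192.0.2.50", "GET", 200),    # page load
             row.format("blog.example.com", "192.0.2.50", "POST", 200),   # customer typo
             row.format("blog.example.com", "192.0.2.50", "POST", 302)]   # then success
    return "\n".join(rows)

def failed_logins(log_text):
    """Return [(host, ip)] for every failed wp-login POST in the log."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if (m and m["method"] == "POST" and m["status"] == "200"
                and m["path"].split("?")[0] == "/wp-login.php"):
            out.append((m["host"], m["ip"]))
    return out

def per_ip_offenders(events, threshold=3):
    """fail2ban-style view: source IPs with at least `threshold` failures."""
    counts = Counter(ip for _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_targets(events, min_failures=5, min_ips=5):
    """Per-site view: {host: (failures, distinct IPs)} for sites hit from many IPs."""
    ips, total = defaultdict(set), Counter()
    for host, ip in events:
        ips[host].add(ip)
        total[host] += 1
    return {h: (total[h], len(ips[h])) for h in total
            if total[h] >= min_failures and len(ips[h]) >= min_ips}

if __name__ == "__main__":
    events = failed_logins(sample_log())
    print("per-IP threshold flags:", per_ip_offenders(events))
    print("per-site aggregate flags:", distributed_targets(events))
```

A site flagged only by the per-site view is one where per-IP blocking will never trigger, so it is a candidate for the site-level measures listed in the post (stronger passwords, an .htaccess gate on the admin area, a non-default admin username).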
chrismcb
Forum Regular
Posts: 293
Joined: Tue Nov 23, 2010 7:30 am
Location: Glasgow, UK

Thanks Faris, yeah - I assumed a botnet.

I'll look into geo-blocking for the most common areas.
Don't think that should affect any clients...

As for the other tips - thanks - but the buck lies with the end-user's details.
I always configure accounts with secure passwords, but with their ability to change the password to something more memorable (i.e. guessable!), I wouldn't trust them!

The .htaccess idea is a good one too... will just need to figure out which would be the least noticeable and least work/confusion for clients.
craigedmonds
Forum User
Posts: 26
Joined: Fri Feb 17, 2012 3:37 am
Location: Spain

Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?

One of the big issues is that there are a lot of amateur web designers out there posing as "professional" wordpress developers without any idea of wordpress security so they simply set up wordpress out of the box with the "admin" username etc.

Then the sites are getting hacked and they are pointing the finger at us saying our server is not secure!!!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

craigedmonds wrote:
> Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?
When you say greylisting, do you mean shunning or something else?
craigedmonds
Forum User
Posts: 26
Joined: Fri Feb 17, 2012 3:37 am
Location: Spain

mikeshinn wrote:
> > Is there a way to configure the rule so that if there is more than 3 failed login attempts to the wordpress admin that the ip gets grey listed for 30 minutes?
> When you say greylisting, do you mean shunning or something else?
I am not sure what "shunning" means but if they could be blocked for 30 minutes or some period of time, that would be good.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

That's what shunning means. The default is 10 minutes; you can certainly increase that or even disable expiration completely.