BulletProof Security Pro forum: Protect Login Page from Brute Force Login Attacks
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
- This topic has 163 replies, 30 voices, and was last updated 4 years, 5 months ago by eveli.
AITpro Admin (Keymaster)
If the code was added successfully then yes no one except your IP address range should be able to access your login page. Post your root htaccess file code so I can see if it is correct.
convertmedia (Participant)
This is what’s beneath “Your Current Root htaccess File” in the plugin. Correct?
[root htaccess code viewed and removed]
AITpro Admin (Keymaster)
The code has been added correctly and is working correctly. When I tried to access your login page I was blocked/forbidden. See the screenshot below so that you can see what I am seeing. Maybe you are looking at previous Security Log entries? The Security Log is a plain text static log file so you will see older log entries logged by date/time.
convertmedia (Participant)
The security log is updated to today and shows the attempted logins. Please view below:
AITpro Admin (Keymaster)
Ok I thought that may be what was happening. The Security Log entry is showing that I was blocked from being able to view/access your Login page. Anytime something is blocked/forbidden it is logged. I think maybe what you are thinking is that there should not be a log entry for this. Everything that is blocked/forbidden is logged. So everything is working correctly. I was blocked/forbidden from accessing your Login page and a Security Log entry was logged for that.
convertmedia (Participant)
Ok so these aren’t logs of users entering information on the login page? These are alerts from them just trying to access that login page?
AITpro Admin (Keymaster)
I tried to view your Login page and I was blocked. Since I was blocked a Security Log entry was logged for that.
convertmedia (Participant)
Ok great. Must be working then! Thanks so much.
mendodev (Participant)
While I am working my way up the learning curve, I have very little understanding of exactly how BPS and the htaccess logs work. I know just enough to be dangerous. If this topic is discussed elsewhere, please point me in that direction.
I have BPS Pro with Brute Force Login Page Protection in the custom code in the .htaccess file. JTC Anti-Spam is also set up. I have verified on my .htaccess file that the Brute Force Login Protection code is in the file.
The type of Brute Force Login Page Protection used is the one that protects the Login page from SpamBots, HackerBots & Proxies that use Server Protocol HTTP/1.0 or a blank User Agent.
The logs are showing that one of my sites is having repeated break-in attempts averaging 14 per minute for the past few hours.
I have read the full 8 page post on “Protect Login Page from Brute Force Login Attacks.” On post #7032, it says,
“Automated Brute Force hacking scripts typically use cURL to GET your login page and then the script will start executing POST Brute Force password cracking. So if GET is blocked based on the HTTP/1.0 Server Protocol then the cURL GET is blocked/Forbidden before POST ever comes into play. In other words, this allows someone to prevent the first part (probe, recon, etc) of the automated Brute Force hacking method from even getting to the WordPress login page.”
Below is an example of one of the logged items. It shows REQUEST_METHOD: POST.
There is also an attempt at entering a username and password under REQUEST BODY.
[403 POST Request: January 17, 2016 - 12:59 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 104.131.177.67
Host Name: canadattatv.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: POST
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:
REQUEST BODY: log=admin&pwd=pillow
Question 1: Is this just a log of a blocked event?
Question 2: With the JTC Anti-Spam in place, how come so many rapid-fire attempts can be made?
Question 3: Is there any significance to the REQUEST_METHOD being POST?
Question 4: While it shows “Solution: N/A”, is there anything else that should be done aside from whitelisting?
Thank you
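An added example, not code from the thread or from the BPS plugin: a small parser for Security Log entries in the layout of the entry quoted above, tallying blocked requests per source IP and per minute (the "14 per minute" figure) and flagging the traits discussed here, namely HTTP/1.0, a blank User-Agent, and a POST that carries login fields. The sample entries, their documentation-range IPs and the `example.invalid` host name are constructed.

```python
import re
from collections import Counter
from datetime import datetime
FIELDS = (  # field labels exactly as they appear in the log entry quoted above
    "Event Code", "Solution", "REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL",
    "HTTP_CLIENT_IP", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP",
    "REQUEST_METHOD", "HTTP_REFERER", "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT",
    "REQUEST BODY")
HEADER = re.compile(r"^\[(\d{3}) (\w+) Request: ([^\]]+)\]\s*(.*)$")
SPLITTER = re.compile(r"\b(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

def parse_entry(text):
    """Fields of one entry as a dict (line breaks collapsed, so either layout parses), or None."""
    m = HEADER.match(" ".join(text.split()))
    if not m:
        return None
    status, method, stamp, rest = m.groups()
    entry = {"status": int(status), "method": method,
             "time": datetime.strptime(stamp, "%B %d, %Y - %I:%M %p")}
    parts = SPLITTER.split(rest)  # ['', label1, value1, label2, value2, ...]
    entry.update((k, v.strip()) for k, v in zip(parts[1::2], parts[2::2]))
    return entry

def summarize(entries_text):
    """Tally blocked requests per IP and per minute; flag HTTP/1.0, blank UA, credential POST."""
    entries = [e for e in map(parse_entry, entries_text) if e]
    per_ip = Counter(e["REMOTE_ADDR"] for e in entries)
    per_minute = Counter(e["time"].strftime("%Y-%m-%d %H:%M") for e in entries)
    flags = Counter()
    for e in entries:
        flags["http10"] += e["SERVER_PROTOCOL"] == "HTTP/1.0"
        flags["blank_ua"] += e["HTTP_USER_AGENT"] == ""
        flags["credential_post"] += e["method"] == "POST" and "pwd=" in e["REQUEST BODY"]
    return {"total": len(entries), "per_ip": per_ip, "flags": flags,
            "peak_per_minute": max(per_minute.values(), default=0)}

def _entry(stamp, ip, proto, ua, method, body):  # one constructed entry, one field per line
    return "\n".join([f"[403 {method} Request: {stamp}]",
        "Event Code: BFHS - Blocked/Forbidden Hacker or Spammer",
        "Solution: N/A - Hacker/Spammer Blocked/Forbidden", f"REMOTE_ADDR: {ip}",
        "Host Name: example.invalid", f"SERVER_PROTOCOL: {proto}", "HTTP_CLIENT_IP:",
        "HTTP_FORWARDED:", "HTTP_X_FORWARDED_FOR:", "HTTP_X_CLUSTER_CLIENT_IP:",
        f"REQUEST_METHOD: {method}", "HTTP_REFERER:", "REQUEST_URI: /wp-login.php",
        "QUERY_STRING:", f"HTTP_USER_AGENT: {ua}", f"REQUEST BODY: {body}"])

SAMPLE_LOG = [  # constructed sample log (documentation IP ranges), not from any real site
    _entry("January 17, 2016 - 12:59 pm", "203.0.113.10", "HTTP/1.0", "", "POST", "log=admin&pwd=xxxx"),
    _entry("January 17, 2016 - 12:59 pm", "203.0.113.10", "HTTP/1.0", "", "POST", "log=admin&pwd=yyyy"),
    _entry("January 17, 2016 - 01:00 pm", "198.51.100.7", "HTTP/1.1", "", "GET", ""),
    _entry("January 17, 2016 - 01:00 pm", "203.0.113.10", "HTTP/1.0", "curl/7.4", "GET", ""),
]
```

Every entry parsed here is a 403, so the counts describe blocked attempts, not successful logins, which is the distinction question 1 asks about.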
AITpro Admin (Keymaster)
14 attacks per minute is a low level attack. A high level attack would be 100 login attempts per second (not minute). These days Brute Force Login attacks are a constant thing that go on all day, every day – 24x7x365.
1. Yep, that is a blocked Brute Force Login attempt.
2. You cannot stop hackers and spammers from trying and can only stop them from succeeding. 😉
An analogy for question #2 would be something like this: A Sniper (hacker) is shooting at you, but you are in an armored vehicle so the bullets are stopped by the armored vehicle (BPS Pro). You could of course radio in for an air strike to take out the Sniper, but other than that you cannot really stop the Sniper from shooting at you.
3. Just means that that particular attack is a POST attack vs a GET attack. GET attacks are more common than POST attacks.
4. The general idea is BPS blocked and logged the blocked attack so there is nothing else that needs to be done by you. If something legitimate was being blocked then you would need to create a whitelist rule to allow/whitelist whatever that is so it is no longer being blocked. Obviously you do not want to whitelist a hacker or spammer attack. 😉
mendodev (Participant)
Being new to BPS Pro and receiving the barrage of security log emails for this site has been disconcerting. Your explanation is most appreciated, as I now feel that I have a better understanding of the information in the log and feel a bit more at ease.
I like the armored car analogy! Also, interesting info on the frequency of a low level vs high level attack.
Thank you!
Saqueeb Rajan (Participant)
Hi there, just purchased this plugin so bear with me… I added the following code as per the instructions above and changed the IP address to my current one. I then tried to log in from a different IP altogether and was successful.
My understanding is that only the IP I enter will be allowed to Log into the wp-admin page? If this is so, am I doing something wrong?
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
rafaelmagic (Participant)
Try this one, add your public IP, website address and server IP:
# Protect wp-login.php from Brute Force Login Attacks
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from mysiteaddress.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>
AITpro Admin (Keymaster)
@ Saqueeb – It is not recommended that you use that particular Brute Force Login Attack code unless you are the only person that logs into your website (or of course a known number of other people/IP addresses). If you allow anyone to register and post comments on your website then do NOT use that Brute Force Login Attack code since it will block other folks from being able to register, login to your site to post comments.
If you are sure you want to use that particular Brute Force Login Attack code then make sure you are doing ALL of the Custom Code steps and also make sure you are doing them correctly.
1. Add whichever Brute Force Login Protection Code you want to use in this BPS Root Custom Code text box: CUSTOM CODE BRUTE FORCE LOGIN PAGE PROTECTION (add/edit the code and add the IP addresses you want to whitelist/allow if you are using the IP based protection code):
2. Click the Save Root Custom Code button
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
Saqueeb Rajan (Participant)
Thanks for the replies. Yes, I am the only one who logs in. My site has no registered users etc.! I tried the method above and still no luck; I was able to log in from a different IP altogether. Any other ideas?
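An added model of the two login-page rules discussed in this thread (example code, not the plugin's own code and not Apache's evaluation logic): the IP allow list written with 2, 3 or 4 octets under `Order Allow,Deny`, and the HTTP/1.0 / blank User-Agent block. Whole-octet prefix matching and the order in which the two rules are checked are assumptions of this model, and the request values are constructed.

```python
import re

def ip_matches_prefix(ip, prefix):
    """True if ip falls under an 'Allow from' prefix written with 2, 3 or 4 octets.
    Assumption: whole-octet matching, so '65.100.50.' covers 65.100.50.x while
    '65.100.5' covers 65.100.5.x only (a trailing dot is simply ignored)."""
    want = [o for o in prefix.split(".") if o]
    have = ip.split(".")
    if len(have) != 4 or not all(o.isdigit() and int(o) < 256 for o in have + want):
        return False
    return have[:len(want)] == want

def is_login_page(uri):
    # Mirrors the FilesMatch "^(wp-login\.php)" scope: the requested file is wp-login.php.
    return re.match(r"^/wp-login\.php(?:[/?#]|$)", uri) is not None

def evaluate(request, allow_prefixes=(), ip_allowlist_enabled=False):
    """Return (decision, reason) for one request, whose keys mirror the Security Log
    fields. Rule order here is an assumption of the model, not the server's."""
    if not is_login_page(request["REQUEST_URI"]):
        return "allow", "not the login page; rules do not apply"
    if request["SERVER_PROTOCOL"] == "HTTP/1.0" or not request["HTTP_USER_AGENT"].strip():
        # Stops the scripted GET probe before any POST password guessing starts.
        return "deny", "HTTP/1.0 or blank User-Agent"
    if ip_allowlist_enabled and not any(
            ip_matches_prefix(request["REMOTE_ADDR"], p) for p in allow_prefixes):
        # Order Allow,Deny with no Deny line: anything not explicitly allowed is denied.
        return "deny", "source IP outside the allowed ranges"
    return "allow", "passed the login-page rules"

# Constructed requests (documentation IP ranges), shaped like Security Log entries.
OWNER = {"REMOTE_ADDR": "203.0.113.7", "SERVER_PROTOCOL": "HTTP/1.1",
         "HTTP_USER_AGENT": "Mozilla/5.0", "REQUEST_METHOD": "GET",
         "REQUEST_URI": "/wp-login.php"}
BOT = dict(OWNER, REMOTE_ADDR="198.51.100.9", SERVER_PROTOCOL="HTTP/1.0",
           HTTP_USER_AGENT="", REQUEST_METHOD="POST")
```

Feeding `evaluate` a request with your own REMOTE_ADDR and the prefix you wrote into the Allow line is a quick way to see whether that prefix actually covers the address you log in from.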