Login Security & Monitoring Help Info
Tagged: Login Monitor, Login Monitoring, Login Security
This topic has 46 replies, 11 voices, and was last updated 8 years, 7 months ago by SM.
AITpro Admin (Keymaster):
Login Security & Login Monitoring help information
Login Security Troubleshooting – https://forum.ait-pro.com/forums/topic/login-security-login-monitoring-read-me-first/#login-security-troubleshooting
Forum Help Links: Xternal Tools (XTF) Guide
If your User Account is locked and you are unable to login to your website use the BPS Pro Xternal Tools (XTF) Form (see Forum Help Links at the top of this Question Mark help window) to Turn Off Login Security. Login to your website, go to the BPS Login Security page, unlock your User Account and turn Login Security back On.
Max Login Attempts:
Type in the maximum number of failed login attempts allowed before a User Account is automatically Locked out. After making any setting changes click the Save Options button to save your new option settings.
NOTE: The Max Login Attempts setting range is from 1 – 10. Minimum is 1 failed login attempt – Maximum is 10 failed login attempts. Setting this to 1 failed login attempt is NOT recommended. The default is 3 failed login attempts before locking the User Account.
Automatic Lockout Time:
Type in the number of minutes that you would like the User Account to be locked out for when the maximum number of failed login attempts have been made. After making any setting changes click the Save Options button to save your new option settings.
Manual Lockout Time:
Type in the number of minutes that you would like the User Account to be locked out for when you manually lock a User Account using the Lock checkbox options in the Dynamic Login Security form. After making any setting changes click the Save Options button to save your new option settings.
Max DB Rows To Show:
Type in the maximum number of database rows that you would like to display in the Dynamic Login Security form. Leaving this text box blank means display all database rows. After making any setting changes click the Save Options button to save your new option settings.
Enable Login Security for WooCommerce:
Check this checkbox if you have the WooCommerce plugin installed and would like to use BPS Login Security on the WooCommerce custom login page. BPS Login Security will still continue to work normally on the standard WordPress Login page when you check this checkbox. This checkbox option setting is not for turning Login Security On or Off if you are using WooCommerce. Use the Login Security Turn On|Turn Off option to turn Login Security On or Off.
Turn On|Turn Off:
Turn On Login Security, Turn Off Login Security, or Turn Off Login Security and Use the Password Reset Option ONLY. The Turn Off Login Security|Use Password Reset Option ONLY setting means that all Login Security features are turned Off except for the Password Reset Option, which can be used independently by itself. After making any setting changes click the Save Options button to save your new option settings.
Logging Options:
You can choose to Log All User Account Logins or Log Only User Account Lockouts. After making any setting changes click the Save Options button to save your new option settings. Important Note: If you switch the Logging Options from Log All Account Logins to Log Only Account Lockouts then be sure to delete any locked user accounts that you want to allow to be able to login, or those Users will not be able to login until you delete those locked User Accounts.
Error Messages:
Standard WP Login Errors: will display the normal WP login errors. Example 1: ERROR: The password you entered for the username X is incorrect. BPS Example 2: ERROR: This user account has been locked until May 14, 2013 9:31 am due to too many failed login attempts. You can login again after the Lockout Time above has expired.
User|Pass Invalid Entry Error: will display a generic Invalid Entry error message instead of displaying the normal WP login errors for an incorrect username or incorrect password, but if a user account is locked out then the BPS timestamp and Lockout Time error message will be displayed. Example: ERROR: Invalid Entry for either incorrect username or incorrect password. BPS Example 2: ERROR: This user account has been locked until May 14, 2013 9:31 am due to too many failed login attempts. You can login again after the Lockout Time above has expired.
User|Pass|Lock Invalid Entry Error: will display a generic Invalid Entry error message instead of displaying the normal WP login errors for an incorrect username, an incorrect password and when the user account is locked out – the BPS Lockout Time error message will NOT be displayed.
CAUTION: If the user account is locked out then no indication will be given that the user account is locked out and only a generic ERROR: Invalid Entry message will be displayed.
Attempts Remaining:
You can choose to display a “Login Attempts Remaining X” message when an incorrect password is entered. X is the number of login attempts left/remaining before the User Account is locked. After making any setting changes click the Save Options button to save your new option settings.
Password Reset:
The Enable Password Reset option will allow the normal WP Lost Password link to be displayed and allow locked out users to reset their passwords. The Disable Password Reset Frontend Only option disables the WP Login reset password feature and displays this error message – Password reset is not allowed for this user. This error message is displayed for valid or invalid user accounts or email addresses. In other words, there is no indication of whether or not a valid username or email address is being entered. This of course disables a lot of cool WordPress login features, but if you want complete Login Stealth Mode then this is the option for you. Disable Password Reset Frontend & Backend disables password reset on the frontend and backend (WP Dashboard) of your website.
Sort DB Rows:
The Ascending Show Oldest Login First option displays logins from the oldest logins to your site to the newest logins to your site. The Descending Show Newest Login First option displays logins from the newest logins to your site to the oldest logins to your site. Example usage: Enter 50 for the Max DB Rows To Show option, which will show a maximum of 50 database rows/logins to your site, and set the Sort DB Rows option to Descending Show Newest Login First. You will see the last 50 most current/newest logins to your site in descending order.
Reset|Clear Login Security Alerts:
If you choose to have Display & Alert Options Login Security Alerts displayed to you in your WP Dashboard or BPS Pro pages then to clear the alert you will need to click this button.
Search feature:
The search feature allows you to search all of the Login Security database rows. To search for all Locked User accounts enter Locked, to search for a username enter that username, to search for an IP address enter that IP address, etc.
Export|Download Login Security Table Tool:
The Export|Download Login Security Table tool exports (copies) the Login Security Table into the lsm-master.zip file, which you can then download to your computer by clicking the Download Zip Export button displayed in the Login Security Table Export success message. The lsm-master.zip file contains the lsm-master.csv file. The CSV (Comma Separated Values) file format can be opened with Microsoft Excel or other applications that can open/use CSV files. If you want to dump/export the Login Security Table in SQL format then use BPS DB Backup and dump/export the BPS Login Security Database Table: xx_bpspro_login_security
The Dynamic Login Security Form:
You have 3 options: Lock, Unlock or Delete database rows. The Login Security database table is hooked into the WordPress Users database table, but they are 2 completely separate database tables. If you lock a User Account then BPS Pro will enforce that lock on that User Account and the User will not be able to log in. If you unlock a User Account then the User will be able to login. Deleting database rows in the Login Security database table does NOT delete the User Account from the WordPress Users database table. When you delete a User Account row it is pretty much the same thing as unlocking a User Account. To delete actual User Accounts you would go to the WordPress Users page and delete that User Account.
BPS Pro Video Tutorial links can be found in the Help & FAQ pages.
Display & Alert Options for Login Security & Monitoring
Dashboard Status and Alerting Options
Login Security: Login Security Status
Displays the On or Off status of Login Security in your WP Dashboard, on BPS Pages Only, or turns this status display Off. It is recommended that you choose to display the LSM Status in your WP Dashboard.
Login Security: Login Security Alerts
Displays Login Security Alerts in your WP Dashboard, on BPS Pages Only, or turns this alert display Off. Choosing Turn Off Displayed Alerts turns Off Login Security Alerts. You can choose email alerting options instead if you do not want to see the WP Dashboard or BPS Pages Only Alerts.
Email Alerting & Log File Options
Login Security: Send Email Alerts When…
There are 5 different email options. Choose to have email alerts sent when a User Account is locked out, an Administrator logs in, an Administrator logs in and when a User Account is locked out, any User logs in and when a User Account is locked out, or Do Not Send Email Alerts.
The email alerts contain the action that occurred with Timestamp and these fields: Username, Status, Role, Email, Lockout Time, Lockout Time Expires, User IP Address, User Hostname, Request URI and a URL link for the website where the action occurred.
Login Security Troubleshooting
Issue/Problem: Using 2 or more plugins that both do/have/use a Login Security feature and do something very similar.
Solution: You can only have 1 plugin feature handling login security otherwise there will be a conflict since both plugin features are doing something very similar. Choose one or the other Login Security feature in either plugin.
Note: All plugins that do login security were thoroughly researched before creating BPS and BPS Pro Login Security. Pretty much all plugins that are doing login security are using the exact same code (assuming the code was copied from an originating plugin and used in most other plugins that do login security). BPS and BPS Pro Login Security code is completely original and is using optimum login security methods without creating the DoS and DDoS vulnerability/exploit problems that were found in most other login security plugins. Obviously we recommend that you choose BPS or BPS Pro Login Security & Monitoring.
JM Nielsen (Participant):
Hello,
I tried using the standalone Login Security Unlock User Account Form and it didn’t work. It took me to an error page on the site. I filled in all the proper info from the wp-config.php file. Is there something else I can do? Please advise.
Thanks!
AITpro Admin (Keymaster):
Outdated info deleted – See BPS Pro XTF: http://forum.ait-pro.com/forums/topic/xternal-tools-xtf-guide/
JM Nielsen (Participant):
Thanks for the reply and the alternative method. I tried it but unfortunately after entering the username and password the screen went blank. Does this mean my site has already been hacked? The site still works, however. I just can’t get into the panel. Please advise.
Also, it seems as if I would be better off simply generating a 50 digit password with Lastpass and NOT turning on the log in security. Do you think this would be advisable, seeing many hackers are exploiting the WordPress panel log-in on me and bringing me so much pain? Could they ever crack a 50 digit password with all types of characters?
AITpro Admin (Keymaster):
You would not be entering a username or password anywhere.
Outdated info deleted – See BPS Pro XTF
16 characters is fine. Anything past 16 characters is overkill. What is very important is not to display your username publicly. See these links below.
http://forum.ait-pro.com/forums/topic/are-we-protected-against-wp-scan/
http://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/
JM Nielsen (Participant):
I did what you directed: using Filezilla FTP to change the /bulletproof-security plugin folder to /__bulletproof-security. BUT when I logged into the WP panel, started to go in and all I get is a blank screen on my browser. Has my site already been hacked, even though the site still works fine? I still can’t get in, and will need to fix this. Please advise. Thanks.
AITpro Admin (Keymaster):
Sounds like this has nothing to do with BPS or BPS Login Security then. Try renaming your entire /plugins folder to /__plugins and see if you can log in. Maybe you have database damage? Also delete the .htaccess file in your website root folder and the .htaccess file in the /wp-admin folder and see if you can log in.
AITpro Admin (Keymaster):
Also this is worth mentioning since I am seeing people stating this all over the World. Hosts are taking drastic measures in order to combat the ongoing Brute Force Login attacks. The Login page may be temporarily inaccessible due to whatever measure a Host might be using. There is no sign that the Brute Force Login attacks are slowing down. So each person should check with their Host to see if their Login page is temporarily being restricted before troubleshooting their website.
Schneider (Participant):
Hi, I have enabled Login Security but in my logs still see login attacks happen (yesterday from the same IP and the user ‘admin’ there were 50 tries). To me it seems that Login Security is not working. My “normal” users get locked out though so I assume that you only log logins that are done via the login form. Are there any direct login API calls or whatever that are not monitored by BPS Pro? I had removed the “Limit Login Attempts” plugin but will now enable it again because this plugin correctly identifies those brute force login attempts and locks out the IP.
AITpro Admin (Keymaster):
We are logging over 280,000 blocked Brute Force Login attacks per month on our sites in the BPS Pro Security Log (not to be confused with the Login Security Dynamic DB Table).
BPS Login Security only logs and locks out valid login accounts. Logging and locking invalid attempts within Login Security is pointless and foolish and will create a DoS/DDoS vulnerability for your website. We have tested this with other Login Security plugins that are logging and blocking invalid user accounts. It is very simple and easy to overload the Server and website and crash the website by sending a high volume of login requests using several different request methods. cURL is by far the easiest way to crash websites that are using a login security plugin that logs and blocks invalid user account login attempts.
On a testing site we sent automated repeated random invalid user account login attempts (DoS/DDoS login attacks) to the testing site and effectively crashed the site for a period of 24 hours straight using several WordPress Login security plugins (we will not post the names of the plugins for security reasons) that log and block invalid user account login attempts.
BPS and BPS Pro Login Security only log and lock valid user account login attempts so that a DoS/DDoS vulnerability/exploit is not created on websites to crash them by doing this form of attack.
I do not understand this question – “Are there any direct login API calls or whatever that are not monitored by BPS Pro?”
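The lockout behaviour described in the help text at the top of this thread (Max Login Attempts, Automatic Lockout Time, the Attempts Remaining message and the three Error Messages modes) together with the "only valid accounts are logged and locked" policy explained in the reply above, as an added example. This is not BPS Pro's code; it is a stand-alone Python model written for this page, and the account names, timestamps and exact message wording are constructed for the example.

```python
"""Account-based login lockout model (added example; not BPS Pro's own code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumed valid WordPress accounts, constructed for this example.
VALID_USERS: Set[str] = {"editor", "siteowner"}

# The three "Error Messages" modes from the help text.
STANDARD = "standard"                       # Standard WP Login Errors
USER_PASS_GENERIC = "user_pass"             # User|Pass Invalid Entry Error
USER_PASS_LOCK_GENERIC = "user_pass_lock"   # User|Pass|Lock Invalid Entry Error
GENERIC_MSG = "ERROR: Invalid Entry for either incorrect username or incorrect password."


@dataclass
class AccountRow:
    """One row of the (modelled) login_security table."""
    failures: int = 0
    locked_until: Optional[int] = None  # epoch seconds; None when not locked


class AccountLockout:
    def __init__(self, max_attempts: int = 3, lockout_minutes: int = 60,
                 error_mode: str = STANDARD, show_remaining: bool = True,
                 valid_users: Set[str] = VALID_USERS) -> None:
        if not 1 <= max_attempts <= 10:              # help text: range 1-10, default 3
            raise ValueError("Max Login Attempts must be between 1 and 10")
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_minutes * 60  # Automatic Lockout Time
        self.error_mode = error_mode
        self.show_remaining = show_remaining         # Attempts Remaining option
        self.valid_users = valid_users
        self.rows: Dict[str, AccountRow] = {}

    def is_locked(self, username: str, now: int) -> bool:
        row = self.rows.get(username)
        return row is not None and row.locked_until is not None and now < row.locked_until

    def lock_message(self, row: AccountRow) -> str:
        if self.error_mode == USER_PASS_LOCK_GENERIC:
            return GENERIC_MSG   # the CAUTION case: no indication that the account is locked
        return (f"ERROR: This user account has been locked until {row.locked_until} "
                "due to too many failed login attempts.")

    def attempt(self, username: str, password_ok: bool, now: int) -> str:
        # Unknown usernames are rejected without creating a row, so guessing
        # random account names cannot grow the table.
        if username not in self.valid_users:
            return "ERROR: Invalid username." if self.error_mode == STANDARD else GENERIC_MSG

        row = self.rows.setdefault(username, AccountRow())
        if row.locked_until is not None:
            if now < row.locked_until:
                return self.lock_message(row)
            row.locked_until = None          # lockout expired: start counting afresh
            row.failures = 0

        if password_ok:
            row.failures = 0
            return "OK"

        row.failures += 1
        remaining = self.max_attempts - row.failures
        if remaining <= 0:
            row.locked_until = now + self.lockout_seconds
            return self.lock_message(row)
        msg = (f"ERROR: The password you entered for the username {username} is incorrect."
               if self.error_mode == STANDARD else GENERIC_MSG)
        if self.show_remaining:
            msg += f" Login Attempts Remaining {remaining}"
        return msg

    def unlock(self, username: str) -> None:
        """Manual Unlock from the Dynamic Login Security form (same effect as deleting the row)."""
        self.rows.pop(username, None)


def simulate_attack() -> Dict[str, object]:
    """Constructed scenario: 50 guesses at the non-existent 'admin' account,
    then 3 wrong passwords for the real 'editor' account."""
    ls = AccountLockout(max_attempts=3, lockout_minutes=60)
    for i in range(50):
        ls.attempt("admin", False, now=1000 + i)
    for i in range(3):
        ls.attempt("editor", False, now=2000 + i)
    return {
        "rows": len(ls.rows),                                        # 1: only 'editor' was recorded
        "editor_locked": ls.is_locked("editor", 2100),               # True for the next 60 minutes
        "editor_after_expiry": ls.is_locked("editor", 2002 + 3600),  # False once the lockout lapses
    }
```

What simulate_attack() shows is the trade-off Schneider reports above: the 50 guesses at the non-existent admin account leave the table empty, so they show up in the server log but never in Login Security, while three wrong passwords against a real username lock that user out until the Automatic Lockout Time passes (or an administrator unlocks the row). Anyone who knows a valid username can therefore trigger that lockout, which is why the help text warns against setting Max Login Attempts to 1.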
Todd (Participant):
We’ve used BPS Pro for a long time on our sites and we always recommend customers to purchase it as well. We have never needed another solution because it’s always done what we needed. Until now … In regards to the login security, it appears that it won’t work in our case. What we have done is we have created a custom login page and a form that submits the login information. We’ve used a function redirect to block all GET requests from wp-login.php in order to allow the form to be submitted but not browsed. We’ve then created custom redirects with url query strings in order to return failed logins and prevent exact messages and login “shakes” from being interpreted as valid users. It doesn’t appear that logins are being logged at all even though the plugin is enabled. Looking at the DB there’s zero rows in the login_security table. Is there something that can be done about this? In addition what we would ultimately like is the option to write to a file instead of the db. This would allow us to use fail2ban with a custom filter that can read the file. It would also allow us to use additional filters to perma-ban repeat offenders.
Thanks and keep up the great work.
AITpro Admin (Keymaster):
What this means below is that if 2 plugins are using the same WordPress hooks/functions at the same time then they will compete with each other and 1 plugin will override the other plugin since they are both using the same WordPress hooks/functions at the same time to do a very similar or the same thing.
Issue/Problem: Using 2 or more plugins that both do/have/use a Login Security feature and do something very similar.
Solution: You can only have 1 plugin feature handling login security otherwise there will be a conflict since both plugin features are doing something very similar. Choose one or the other Login Security feature in either plugin.
If you have a custom login page that hooks into the normal WordPress login process (example: the Form Action is pointing to action=wp-login.php), then no matter where the custom login page is it should still be processed successfully, but if you are doing additional things that do not allow normal/standard login form processing then those things would be what is preventing login form processing.
I would need to see your custom code/login form processing/etc in order to be able to tell you why it is not working.
Has fail2ban fixed/resolved the known issues with having a DoS/DDoS vulnerability?
http://en.wikipedia.org/wiki/Fail2ban
One of the common mistakes that we found when looking at other WordPress login security plugins was that they have DoS/DDoS vulnerabilities by trying to handle invalid logins that should be ignored instead of trying to handle/process invalid logins. BPS Login Security only handles login attempts that are valid and uses the standard WordPress logic for not processing invalid logins since this is the most sound way to prevent creating DoS/DDoS vulnerabilities.
These additional Brute Force Login protection methods are a much better approach since they do not create DoS/DDoS vulnerabilities.
http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/
Todd (Participant):
First of all thanks for the information. Second we aren’t WP security experts and we aren’t using a plugin to handle these login requests. We’ve only developed something based on basic knowledge and logic. We’ve been using this method for 2 years now and we have yet to have any brute force attack on the custom login page so I would think at the minimum it’s “semi-worked”.
There’s a great misconception that blocking denial of service attacks via fail2ban will at least ease those attacks. While this may be true for script kiddies and crude attacks, this is simply not the case. Fail2Ban is not meant for DOS/DDOS protection as it doesn’t prevent flood attacks.
Brute force login attempts are what we are trying to thwart in these cases and in the most recent WP attacks. Fail2Ban handles these cases quite well and I would be willing to say even better so than anything else would be able to. The reason I say this is because the request never hits the server at all because the IP is blocked at the firewall level.
In regards to the code that we are using it’s simply a modified version of the bbpress login form, which I’m sure you’re familiar with since you’re using it.
In the functions.php file we have this bit of code handling the request.

// Send browser (GET) requests for wp-login.php to the custom login page,
// but still let the login form POST to wp-login.php.
function redirect_login_page() {
    // Compare the path only, so a query string such as ?action=lostpassword
    // cannot slip past the check.
    $page_viewed = basename( parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) );
    $login_page  = 'https://domain.tld/login/';
    if ( $page_viewed == 'wp-login.php' && $_SERVER['REQUEST_METHOD'] == 'GET' ) {
        wp_redirect( $login_page );
        exit();
    }
}
// This hook was missing from the snippet as posted; without it the function never runs.
add_action( 'init', 'redirect_login_page' );

// login_redirect is a filter; add_action works here because it is an alias of add_filter.
add_action( 'login_redirect', 'redirect_login', 10, 3 );
function redirect_login( $redirect_to, $url, $user ) {
    $url = 'https://domain.tld/login/';
    // On a failed login $user is a WP_Error; on success it is a WP_User, which has
    // no ->errors property, so check which one we were handed first.
    if ( is_wp_error( $user ) ) {
        if ( ! empty( $user->errors['empty_password'] ) ) {
            wp_redirect( $url . '?login=nopass' );
        } elseif ( ! empty( $user->errors['empty_username'] ) ) {
            wp_redirect( $url . '?login=nouser' );
        } elseif ( ! empty( $user->errors['incorrect_password'] ) ) {
            wp_redirect( $url . '?login=invalid' );
        } elseif ( ! empty( $user->errors['invalid_username'] ) ) {
            wp_redirect( $url . '?login=invalid' );   // same generic value as a bad password
        } else {
            wp_redirect( $url . '?login=nothing' );
        }
    } elseif ( ! empty( $user->data ) ) {
        wp_redirect( $url );                          // successful login
    } else {
        wp_redirect( $url . '?login=nothing' );
    }
    exit;
}
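The file-based approach Todd describes (append each failed login to a file, have fail2ban match those lines and ban the source IP at the firewall, and escalate repeat offenders to a permanent ban), as an added example that is neither Todd's code, BPS Pro's nor fail2ban's. It models a fail2ban jail's maxretry / findtime / bantime logic in Python over constructed log lines; the log line format, the WordPress hook that would write it (the wp_login_failed action) and the thresholds are assumptions made for the example.

```python
"""IP-based banning from a failed-login log file (added example; not BPS Pro's, Todd's or fail2ban's code).

Models a fail2ban jail: count matching log lines per source IP, ban an IP after
`maxretry` failures within `findtime` seconds for `bantime` seconds, and ban it
permanently once it has been banned `recidive_limit` times.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set

# Assumed line format, as a wp_login_failed hook might write it (constructed):
#   2013-05-14T09:31:00+00:00 wp-login-failed user=admin ip=203.0.113.7 uri=/wp-login.php
# The ip= group plays the role of <HOST> in a fail2ban failregex.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2})?)\s+"
    r"wp-login-failed\s+user=(?P<user>\S*)\s+ip=(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)


class IpBanner:
    def __init__(self, maxretry: int = 5, findtime: int = 600,
                 bantime: int = 3600, recidive_limit: int = 3) -> None:
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.recidive_limit = recidive_limit
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)  # recent failure times per IP
        self.banned_until: Dict[str, float] = {}
        self.ban_count: Dict[str, int] = defaultdict(int)
        self.permanent: Set[str] = set()

    def is_banned(self, ip: str, now: float) -> bool:
        return ip in self.permanent or self.banned_until.get(ip, 0.0) > now

    def observe(self, line: str) -> Optional[str]:
        """Feed one log line; return the action taken, or None if the line does not match."""
        m = LINE_RE.match(line)
        if m is None:
            return None
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        ip = m["host"]
        if self.is_banned(ip, ts):
            # With a firewall ban the request would never reach the web server at all.
            return "already-banned"
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()            # drop failures older than findtime
        if len(window) < self.maxretry:
            return "counted"
        window.clear()
        self.ban_count[ip] += 1
        if self.ban_count[ip] >= self.recidive_limit:
            self.permanent.add(ip)      # repeat offender: ban for good
            return "banned-permanently"
        self.banned_until[ip] = ts + self.bantime
        return "banned"


# Constructed sample log: one IP hammering the non-existent 'admin' account,
# one real user mistyping a password a few times over two hours.
SAMPLE_LOG: List[str] = [
    f"2013-05-14T09:31:{s:02d}+00:00 wp-login-failed user=admin ip=203.0.113.7 uri=/wp-login.php"
    for s in range(0, 12, 2)
] + [
    "2013-05-14T08:05:00+00:00 wp-login-failed user=editor ip=198.51.100.9 uri=/wp-login.php",
    "2013-05-14T09:10:00+00:00 wp-login-failed user=editor ip=198.51.100.9 uri=/wp-login.php",
    "2013-05-14T10:02:00+00:00 wp-login-failed user=editor ip=198.51.100.9 uri=/wp-login.php",
    "2013-05-14T10:02:01+00:00 GET /wp-admin/ 200",   # unrelated line, must be ignored
]


def run_sample(maxretry: int = 5, findtime: int = 600, bantime: int = 3600) -> Dict[str, List[str]]:
    """Replay SAMPLE_LOG in timestamp order and return the actions taken per IP."""
    banner = IpBanner(maxretry=maxretry, findtime=findtime, bantime=bantime)
    actions: Dict[str, List[str]] = defaultdict(list)
    for line in sorted(SAMPLE_LOG, key=lambda l: l[:25]):
        action = banner.observe(line)
        m = LINE_RE.match(line)
        if action is not None and m is not None:
            actions[m["host"]].append(action)
    return dict(actions)
```

Unlike the account-based lockout, this counts every failure, including guesses at usernames that do not exist, which is exactly what Schneider wanted to see blocked. It is also the logging AITpro Admin warns about above: each failed request writes a line and touches a per-IP counter, so in a real deployment the file needs rotating and the counters need a bound, and the ban itself belongs in the firewall so that, as Todd says, later requests from a banned IP never reach the web server.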
AITpro Admin (Keymaster):
Ok I was going by the information I found by googling fail2ban and found that Wiki page and also information in the fail2ban changelog that they were now addressing the known DoS/DDoS issues.
I assume the issue regarding your code and BPS Login Security not working as expected would have something to do with this action. The intended use for login_redirect is to redirect “AFTER” login form processing and not “BEFORE”. So logically normal login processing will not occur as expected and most likely BPS Login Security will not work as expected either. BPS Login Security is of course an optional security feature so if you have a Login Security method that you prefer or works better for your particular needs/uses then you can turn Off BPS Login Security if it is not being used.
add_action('login_redirect', 'redirect_login', 10, 3);
The “login_redirect” filter is used to change the location redirected to after logging in. This could be the location set by the “redirect_to” parameter sent to the login page.
http://codex.wordpress.org/Plugin_API/Filter_Reference/login_redirect
AITpro Admin (Keymaster):
The wording of this is a little confusing and appears contradictory because it is not completely clear what is meant: “This could be the location set by the “redirect_to” parameter sent to the login page.” My interpretation of this is that this still means AFTER login form processing has occurred and not BEFORE. We use a login redirect function on the main AITpro.com website that redirects users to the Secure Download Area AFTER successful login.
http://forum.ait-pro.com/forums/topic/customize-your-wordpress-login-page-customize-wp-login-php/