Protect Login Page from Brute Force Login Attacks (BulletProof Security Pro forum)
Tagged: Bonus Custom Code, Brute Force Login Attacks, Protect Login page, WordPress Brute Force Attacks
- This topic has 163 replies, 30 voices, and was last updated 4 years, 11 months ago by eveli.
D Joseph (Participant):
Question: I want to implement one of these methods but not sure which I should use. I have a subscription to the VPN service Hidemyass. When I connect online, my IP changes frequently.
I have a VPS with my own IP though.
I also have Norton Password Manager that fills out my WP login. Whenever I change things on Norton, Norton messes up. Therefore, I’d choose the functions.php method only if I have to.
Which method do you recommend?
Thanks!
AITpro Admin (Keymaster):
First off I want to mention something about logging into your site when you are connected to a VPN. Your login information may be logged/stored if you log in to your site when connected to a VPN. Personally I do not log into my sites when I am connected to the VPN that we use. You can probably completely trust your VPN, but you should be aware that your login information may be logged/stored.
Regarding the BPS Pro Plugin Firewall and IP addresses: the BPS Pro Plugin Firewall automatically updates itself with your IP address when you log into your website so that your current IP address is always current in the Plugin Firewall.
Regarding the additional Brute Force Login protection code you would not want to use the IP based .htaccess code and instead use the Server Protocol based .htaccess code, otherwise you will end up doing a lot of manual FTP changes in order to be able to log into your website. Personally I think just using this .htaccess code is fine/enough and the additional login page protection is probably not necessary. We are only using the Server Protocol based .htaccess code on this site and all other Production sites.
D Joseph (Participant):
Thanks for the VPN info. Hmm… now I wonder if I’ll use it as much as I thought. I’m almost at my 30 day return policy but I guess I’ll keep it for the year anyhow, as it can come in handy when I need it otherwise.
I thought it would be the Server Protocol .htaccess, but I’m scratching my head about how that works. How does it know not to block me, if I come from any IP address just like an intruder? How am I identified as the owner in the Server method? I have IPs for my VPS but they aren’t the same as my location.
Or, do you mean that if I give it the right user name and password, then it records my IP and lets me in? But that would be for anyone else too, if they had my username and password. I guess I don’t understand how that works.
AITpro Admin (Keymaster):
Since the primary intended use/purpose for VPNs is “stealth” browsing, doing things like logging into online accounts is probably not such a good thing to do for a few other reasons besides a possible account credential security risk. Example: If you log into a PayPal account with a VPN and PayPal thinks you are trying to do something shady or violating their policies then they will restrict or limit your PayPal account.
I think VPNs are excellent protection when used as they are designed to be used.
You would want to use this code below, which ONLY checks the Server Protocol and not an IP address. If a bot or human is using Server Protocol HTTP/1.0 there is a 99.99% chance that this is a hacker, spammer, scraper, etc. All legitimate bots and humans are using Server Protocol HTTP/1.1 as of 1997-1999. Hackers, spammers, etc. use HTTP/1.0 because of the hacker or spammer tools they are using and this masks them in a way that HTTP/1.1 would expose them – leave a trail to follow/track them. The pitfall for them is that HTTP/1.0 allows them to do certain things that HTTP/1.1 does not allow, but if you are checking and blocking Server Protocol HTTP/1.0 then you can block them by that.
```apache
# Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
# All legitimate humans and bots should be using Server Protocol HTTP/1.1
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{THE_REQUEST} HTTP/1\.0
RewriteRule ^(.*)$ - [F,L]
```
D Joseph (Participant):
Yea I guess with stealth browsing I want to combine it with doing too many other things and that’s not possible, or wise. I think specifically I will use it to log into forums because I’ve had weird things happen after some forum visits. (Not here of course – the bad people won’t get past the moat you put around this place, I’m sure.)
I’m going to set up my site with the Server Protocol tonight. I never knew the difference in the 1.0 and 1.1 Server Protocols – thought it was just a version difference. Well, I guess it is, and one probable reason for it was the better security. Now I can make better sense out of my logs in cPanel.
Thanks!
AITpro Admin (Keymaster):
Yep, the Forum machine gun turrets are on alert 24/7. LOL
In the past, before we added the Server Protocol logged field in log entries there were some log entries that looked like something legitimate was being blocked. If you see Server Protocol HTTP/1.0 in the log entry this is shady activity no matter what the rest of the log entry looks like. This is a shady request by a shady bot or human – PERIOD.
Mark (Participant):
On July 5, 2013 at 10:13 am Bill wrote “You’re absolutely right… It’s clearly working. Somehow my phone and computer are “one” in a sense. I’ll go to a nearby Kinko’s to check on my side. Thank you so very much for your time. I sincerely appreciate it.”
Just a guess, but if I’m right it will save someone a trip to Kinko’s! Check to see if your phone is using your home wifi. If it is, turn wifi off and then try to access your login page using the phone’s data network. That will not be the same IP as your wifi. When you’re satisfied things are working as they should then you can turn the phone’s wifi back on.
Mark (Participant):
```apache
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
```
Is it possible to allow from more than one IP Address? This would allow me to use my laptop to access my site from more than one location… home and office for example.
AITpro Admin (Keymaster):
Yep, you can add as many IP addresses as you want to allow. And another way to check your site is with an online Web Proxy like hidemyass.com.
```apache
Allow from xxx.xxx.xxx.
Allow from yyy.yyy.yyy.
Allow from zzz.zzz.zzz.
```
Mark (Participant):
If we’re blocking by IP address is it necessary and/or recommended to continue logging 403 errors for /wp-login.php?
AITpro Admin (Keymaster):
I think I understand the question. We use the Log All Account Logins setting on some of our sites where we want to track/log every single login. On our other sites we use the Log Only Account Lockouts setting to log only locked user accounts. The choice is entirely up to you and you would choose the Login Security & Monitoring options/settings that work best for your particular site.
Mark (Participant):
I was referring to this type of entry which I get several times an hour:
```text
BPS PRO SECURITY / HTTP ERROR LOG
=================================
=================================
>>>>>>>>>>> 403 GET or Other Request Error Logged - August 3, 2013 - 11:34 am <<<<<<<<<<<
REMOTE_ADDR: 46.98.54.19
Host Name: 19.54.PPPoE.fregat.ua
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Parsley NT 1.0; rv:1.0) Parsley/1.0.0.0
```
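The two wp-login.php policies discussed in this thread (AITpro's Server Protocol rule that forbids HTTP/1.0 requests, and the partial-octet `Allow from` entries Mark and AITpro exchanged) can be replayed against log entries in the layout Mark pasted above. The script below is an added example, not BulletProof Security's own code: it parses entries in that field layout, mirrors the `RewriteCond` pair as a protocol check on `SERVER_PROTOCOL`, mirrors Apache's partial-IP matching by comparing whole octets (so `65.100.` covers 65.100.x.x but not 65.1.x.x), and reports which rule would fire on each entry. The log text, addresses and times in it are constructed for the example.

```python
"""Added example, not BulletProof Security's own code: parse entries in the
BPS Pro Security/HTTP error log layout quoted above and replay the thread's
two wp-login.php policies (block HTTP/1.0; allow only listed IP prefixes)."""
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample log in the quoted layout; addresses, host names and
# times are made up for this example.
SAMPLE_LOG = """\
BPS PRO SECURITY / HTTP ERROR LOG
=================================
>>>>>>>>>>> 403 GET or Other Request Error Logged - August 3, 2013 - 11:34 am <<<<<<<<<<<
REMOTE_ADDR: 46.98.54.19
Host Name: 19.54.PPPoE.fregat.ua
SERVER_PROTOCOL: HTTP/1.1
REQUEST_METHOD: GET
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (Parsley NT 1.0; rv:1.0) Parsley/1.0.0.0
>>>>>>>>>>> 403 GET or Other Request Error Logged - August 3, 2013 - 11:41 am <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.7
SERVER_PROTOCOL: HTTP/1.0
REQUEST_METHOD: POST
REQUEST_URI: /wp-login.php
>>>>>>>>>>> 403 GET or Other Request Error Logged - August 3, 2013 - 11:52 am <<<<<<<<<<<
REMOTE_ADDR: 65.100.50.23
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-login.php
>>>>>>>>>>> 403 GET or Other Request Error Logged - August 3, 2013 - 12:03 pm <<<<<<<<<<<
REMOTE_ADDR: 65.1.2.3
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-login.php
>>>>>>>>>>> 403 GET or Other Request Error Logged - August 3, 2013 - 12:10 pm <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.9
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /index.php
"""

# An entry starts at a '>>>> ... <<<<' banner; the 'FIELD: value' lines up to the next banner belong to it.
ENTRY_BANNER = re.compile(r"^>{3,}\s*(.*?)\s*<{3,}\s*$", re.MULTILINE)
LOGIN_URI = re.compile(r"^/wp-login\.php$")  # same pattern as the RewriteCond

def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Split the log into entries and each entry into a field dict."""
    pieces = ENTRY_BANNER.split(log_text)  # [preamble, banner, body, banner, body, ...]
    entries = []
    for banner, body in zip(pieces[1::2], pieces[2::2]):
        fields = {"BANNER": banner}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skip separator rows and blank lines
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def blocked_by_protocol_rule(entry: Dict[str, str]) -> bool:
    """Mirror of the RewriteCond pair: wp-login.php requested over HTTP/1.0.
    The .htaccess rule inspects THE_REQUEST; the log exposes the same
    protocol token as SERVER_PROTOCOL."""
    return bool(LOGIN_URI.match(entry.get("REQUEST_URI", ""))) and \
        entry.get("SERVER_PROTOCOL") == "HTTP/1.0"

def allowed_by_prefix(remote_addr: str, allow_entries: Iterable[str]) -> bool:
    """Mirror of 'Allow from 65.100.50.' partial-address matching: compare
    whole octets, so '65.100.' covers 65.100.x.x but not 65.1.x.x (a plain
    string prefix test would get that wrong)."""
    octets = remote_addr.split(".")
    if len(octets) != 4:
        return False
    for entry in allow_entries:
        wanted = [o for o in entry.strip().split(".") if o]  # drop the trailing-dot empty part
        if 1 <= len(wanted) <= 4 and octets[:len(wanted)] == wanted:
            return True
    return False

def evaluate(log_text: str, allow_entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (REMOTE_ADDR, verdict) for every entry, applying the protocol
    rule first and the IP allow list second, as the thread's .htaccess would."""
    allow_entries = list(allow_entries)
    verdicts = []
    for entry in parse_entries(log_text):
        addr = entry.get("REMOTE_ADDR", "")
        if not LOGIN_URI.match(entry.get("REQUEST_URI", "")):
            verdict = "not a login request"
        elif blocked_by_protocol_rule(entry):
            verdict = "blocked: HTTP/1.0 on wp-login.php"
        elif not allowed_by_prefix(addr, allow_entries):
            verdict = "blocked: IP not in Allow list"
        else:
            verdict = "allowed"
        verdicts.append((addr, verdict))
    return verdicts

if __name__ == "__main__":
    for addr, verdict in evaluate(SAMPLE_LOG, ["65.100.50.", "203.0.113."]):
        print(f"{addr:>15}  {verdict}")
```

Run stand-alone it prints one verdict per entry; the useful part for a site owner is seeing that a request logged with `SERVER_PROTOCOL: HTTP/1.1` (like Mark's entry) is not caught by the protocol rule at all and is only stopped when an IP allow list is in place, and that the allow list must be written in whole octets for the prefix trick to behave as intended.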
AITpro Admin (Keymaster):
General Info:
There were over 90,000 IP addresses in the original Brute Force Login attacks that started months ago. That number has significantly increased from 90,000 IP addresses since now there are lots of victim sites that have been hacked and are now attacking other potential victim sites. This type of attack is completely automated and resembles/is similar to computer viruses such as “worms” or “rabbits” that replicate automatically.
Yep, you can turn off Security/HTTP error Logging and turn it on if you need to troubleshoot something at a later time. The Security Log logs hacking attempts and is also an HTTP Error log to troubleshoot possible plugin conflicts/errors/problems. BPS Pro Security Logging is also completely automated as far as handling the log files go. Security Log files are automatically zipped, emailed to you and then deleted by BPS Pro. You can turn off Security Log alerts in S-Monitor if you no longer want to be notified about Security Log entries. So the choice is entirely up to you on what you want to do. BPS Pro gives a wide range of options/choices of how you do or do not want to be notified or turning things on or off or just letting BPS Pro handle everything and go about your business.
bill (Participant):
Hi, AITpro.
A client just informed me that she was unable to view a password protected page on one of my sites. Well, they were actually able to view the “login page” but when she enters the code, it gives her the 403 forbidden page. I thought it was strange because it worked fine on my end, so I asked her to send me a screenshot…. and in the top right corner, the error message had the /wp-login.php information. In essence, it was giving her the brute force login protection error. Any thoughts as to why this is happening?
Thanks,
-Bill

AITpro Admin (Keymaster):
Which Brute Force Login protection code are you using?