Feature Request: Block distributed attacks (Ignore IP)

Resolved skoskie
(@skoskie)

13 years ago

First, thanks for the plugin. It works really well and has been a real eye-opener on the number of attacks we get.

Yesterday, we got around a thousand hits each on the same, non-existant usernames, but they all came from different IP addresses. Needless to say, my inbox got very full very fast.

Unfortunately, this had a DDOS-type effect in that it stressed our cheap shared-hosting setup, slowing our site to a crawl. To quickly mitigate this, I modified the plugin with an array of blocked users and modified the is_login_fail_exact_match() to check against it and always return TRUE on match.

This wasn’t enough to ease the server load, so I moved the check into the authenticate() function and simply died if there was a match. That worked.

I realize this is hardly ideal. I know we don’t want to let them know we are reacting to the attack, and I would much rather have a record of the attack. But this worked in a pinch.

My request is for an option to ignore IP address for a list of usernames, or always for non-existant users, and to somehow get them back to the login screen with as few resources as possible.

Thanks again for the plugin.

http://ww.wp.xz.cn/extend/plugins/login-security-solution/

Viewing 3 replies - 1 through 3 (of 3 total)

Plugin Author Daniel Convissor
(@convissor)

12 years, 11 months ago

A simple way to keep sites from getting totally bogged down is to adjust the LSS’ “Delay Tier 2” and “Delay Tier 3” settings to large numbers.

veppa
(@veppa)

12 years, 10 months ago

I really like your plugin, but sleeping for 60 seconds dont solve brute force attacks.

I got 2500 failed login attempts in couple hours (dramaticly slowed my server regular pw page loads took 30-50 seconds to generate on dedicated server) which could be prevented if you add feature to block by ip for couple hours instead of sleep(10-60) seconds.

Something like in “Limit Login Attempts” plugin which blocks access for 20 min. on 4 failed logins, blocks 24 hours on 12 failed logins.

in which you get max 12 failed login in 24 hours instead of 2500 failed login attempts in couple hours.

veppa
(@veppa)

12 years, 10 months ago

“Limit Login Attempts” is not solving server load problem as well. it just denies login request for certain amount of time.

Problem is loading wp-login.php and all wordpress files 30-50 MB to the memory and them blocking user with sleep or error message. This is not solving problem of server overload and crashes.

Only possible solution that worked for me is use fail2ban as described here :
http://codepoets.co.uk/2013/fail2ban-filter-for-wordpress/

before using fail2ban: load avarage was getting to 100 several times a day leading to server crashes.
after using fail2ban: load avarage stayed below 1 most of the time.

I don’t know how it can be added to your plugin, just wanted to help if others have similar problems.

regards.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Feature Request: Block distributed attacks (Ignore IP)’ is closed to new replies.

Tags