• Resolved wpalan

    (@wpalan)


    Hi, I am satisfied that I have my Wordfence (free version) settings set appropriately and I have strict Brute Force Protection rules set. I am immediately locking out invalid usernames for 2 months and I am using Wordfence 2FA. When I view the Live Traffic activity detail, having had a flood of attempted logins over the last 24-hours from all over the world, (including Vietnam, Czechia, France, Germany, US, India, Singapore and Indonesia) I notice that although many entries are in red, having been blocked for using an invalid username, there are plenty of other entries which are in yellow, (Warning) whereby I would need to block the relative IP address manually. These yellow entries are still reporting “failed login using an invalid username” but they appear to state: “Human” rather than “Bot”.
    Why are these failed logins not blocked along with the red ones as they all look suspicious to me and are attempting to log in using invalid usernames?
    Also, on looking at my emailed Wordfence Alerts, I appear to have several examples whereby one IP address is logged with the same time-stamp having attempted to log in using two different invalid usernames. How is this possible when I have set “Immediately log out invalid usernames”, so how did they seemingly have two attempts before being blocked?
    I need to understand the above to have complete faith in Wordfence as a reliable security tool. Many thanks in advance for your help.


Viewing 8 replies - 1 through 8 (of 8 total)
  • Hey @wpalan,

    Can you please share screenshots of the attempts in question with the Details expanded in Wordfence > Live Traffic? This may give us a better idea of what’s happening, and we can also research the IPs.

    Also, can you test logging in with an invalid username to see if it locks you out? If you have your IP whitelisted you may need to use a VPN to mask your IP.

    Please let me know.

    Thanks,

    Gerroald

    Thread Starter wpalan

    (@wpalan)

    Hi Gerroald
    Thank you for coming back to me. Since my last post, I went into my Wordfence Brute Force settings and added all the invalid usernames that had been used in the blocked login attempts to-date.
    Previously, I had checked the ‘Immediately lock out invalid usernames’ box but I had not entered any of those invalid usernames as I thought that Wordfence would block all username attempts other than my genuine username. Since I added those invalid usernames, I have only been notified of a couple of blocked login attempts so that is positive, although there have clearly been more than that in reality when viewing the Live Traffic log.
    Here is an example of an IP address with three attempts using three different invalid usernames, just today as I post this.

    Type: Blocked
    France was locked out from logging in at https://xx
    25/06/2020 12:49:49 (1 hour 20 mins ago)
    IP: 79.137.39.102 Hostname: 102.ip-79-137-39.eu
    Human/Bot: Human
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

    Type: Blocked
    France was locked out from logging in at https://xx
    25/06/2020 12:49:48 (1 hour 20 mins ago)
    IP: 79.137.39.102 Hostname: 102.ip-79-137-39.eu
    Human/Bot: Human
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

    Type: Blocked
    France was locked out from logging in at https:/xx
    25/06/2020 12:49:48 (1 hour 20 mins ago)
    IP: 79.137.39.102 Hostname: 102.ip-79-137-39.eu
    Human/Bot: Human
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0

    It is those entries that show blocks of more than one attempt at the same time-stamp which I find concerning. Also, there are some entries which are marked in yellow as type ‘Warning’ which I would also like to understand as I believe they should all be blocked if attempting to use invalid usernames.
    Thanks, Alan

    Hey @wpalan,

    I’ve spoken with the Team about this. Can you please disable the features below and let me know if it helps? You can find these settings in Wordfence > Tools > Diagnostics > Debugging Options.

    Start all scans remotely
    Enable SSL Verification

    Please let me know how it goes.

    Thanks,

    Gerroald

    Thread Starter wpalan

    (@wpalan)

    Hi Gerroald

    I have disabled “Enable SSL Verification” as the other option was already disabled so I will monitor performance and let you know what happens. Many thanks, Alan

    Hey @wpalan,

    Thanks for the update, and please let me know how it goes.

    Thanks,

    Gerroald

    Thread Starter wpalan

    (@wpalan)

    Hi Gerroald
    Just reporting that as of 5th July, I still get a regular batch of blocked IP address email notifications, but it fluctuates and I only appear to be seeing single IP address attempts now. They are all blocked for 2 months and I can go in and further block them forever. I can go some days without seeing any so I guess I can live with that as Wordfence certainly appears to be keeping the site secure. I really do not know why these login attempts, presumably automated, are made as I have 2FA enabled anyway along with a very strong password but there you go!

    I am having the exact same problem. I have configured the free version of Wordfence to immediately block all login attempts to non-existent user names for two months. When I test this myself, it seems to work fine.

    However, today I looked at the Live Traffic log and see a LOT of failed login attempts to non-existent user names. Most of these entries have a yellow warning, not a red X. The IP addresses for the Live Traffic entries with the Yellow Warning icon are not blocked. The entries with the Red X icon are.

    What is the difference in the Live Traffic log between the Yellow Warning and Red X log entries? Why are the Yellow Warning failed logins not resulting in the IP addresses being blocked?

    I just tried another test. It appears that if I try to log in using a non-existent username but a blank password, I get the Yellow Live Traffic icon and my IP address is not blocked. If I do the same thing with a non-blank password, then the Live Traffic log shows a Red X and the IP address is blocked.

    Personally, I think that all login attempts to a non-existent username should be blocked, regardless of whether or not a password is present.

  • The topic ‘Live Traffic yellow warnings on failed logins’ is closed to new replies.