• Resolved roypaulsinn

    (@roypaulsinn)


    I’m using Loginizer 1.7.9 with the following Brute Force settings:
    Max Retries 3, Lockout Time 15 minutes, Max Lockouts 2, Extend Lockout 24 hours, Reset Retries 24 hours. Email Notification after 2 lockouts.

    I received 3 emails (with corresponding log entries) for the same IP address within 4 hours, showing:

    9 failed login attempts and 3 lockout(s) from IP 5.188.62.21 on your site :
    https://xxxxx.xxx
    Last Login Attempt : 19/May/2023 16:56:44 +00:00
    Last User Attempt : admin
    IP has been blocked until : 20/May/2023 16:56:44 +00:00

    8 failed login attempts and 2 lockout(s) from IP 5.188.62.21 on your site :
    https://xxxxx.xxx
    Last Login Attempt : 19/May/2023 15:13:50 +00:00
    Last User Attempt : admin
    IP has been blocked until : 20/May/2023 15:13:50 +00:00

    7 failed login attempts and 2 lockout(s) from IP 5.188.62.21 on your site :
    https://xxxxx.xxx
    Last Login Attempt : 19/May/2023 13:31:49 +00:00
    Last User Attempt : admin
    IP has been blocked until : 20/May/2023 13:31:49 +00:00

    Questions:
    1. If the Max Retries is 3 and Max Lockouts is 2, why are there 9 failed login attempts and 3 lockouts within the same period?
    2. If the Extend(ed) lockout time is 24 hours, how is it that this IP could attempt another 2 logins within a 4 hour period all during the extended lockout period?

    Am I misunderstanding how Loginizer works or is something amiss?

    Thanks.


  • Plugin Contributor loginizer

    (@loginizer)

    Hello @roypaulsinn ,

    Sorry for the delay in response.
    So the reason that you are seeing this kind of behaviour is because of the reset retries time.

    First I will address why you are seeing 9 lockouts. So the reason is the IP is blocked for 24 hours but it is not blacklisted. So if the attacker keeps attempting after they have been blocked for 24 hours Loginizer will always show them the error of the Lockout but will record the attempt. That’s why after it reached 7 it shows a single increase in the number but the lockout number stays at 2 which you have set.

    But you see the Lockout jumps to 3. The reason for that is the reset retries time. It’s an absolute time which resets every 24 hours. The time is set when you either activate Loginizer (as when you activate Loginizer it starts protecting your website) or when you update the Brute-force settings. So when the reset happens it resets the number of retries. So when the attacker tries again they get the same error of Lockout, but as the reset happened the data gets updated. That’s the reason why it reached a 3rd Lockout.

    I hope I was able to explain the reason for the behaviour you are seeing. Your website is safe: after 2 lockouts the attacker will see the 24-hour error for the next relative 24 hours, and if a retries reset happens just the data gets updated; the attacker will still face the same 24-hour lockout error when the data gets updated.

    Regards,
    Loginizer Team
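
The counting the reply describes, as an added simulation that is not Loginizer's own code: attempts made while an IP is blocked are refused but still recorded and re-extend the block from that attempt (as the three notifications' "blocked until" times show), and the retry counter resets at fixed 24-hour boundaries. The activation time, and the rule that a reset during an active block rewrites the record and bumps the lockout count, are assumptions chosen so the constructed timeline reproduces the 7/2, 8/2, 9/3 sequence in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Brute Force settings quoted in the original post.
MAX_RETRIES, MAX_LOCKOUTS = 3, 2
LOCKOUT, EXTEND, RESET = timedelta(minutes=15), timedelta(hours=24), timedelta(hours=24)

@dataclass
class IpRecord:
    attempts: int = 0               # every failure, including ones made while blocked
    retries: int = 0                # failures since the last lockout or reset
    lockouts: int = 0
    blocked_until: Optional[datetime] = None
    reset_window: int = 0           # index of the absolute reset window last applied

def failed_login(rec: IpRecord, now: datetime, activated: datetime) -> str:
    """Apply one failed login; return 'rejected' (blocked) or 'counted'."""
    window = int((now - activated) // RESET)
    reset_crossed = window != rec.reset_window
    if reset_crossed:
        rec.retries, rec.reset_window = 0, window
    rec.attempts += 1
    if rec.blocked_until is not None and now < rec.blocked_until:
        # Locked out: refused but recorded, and the block is re-extended
        # from this attempt, as the notifications' 'blocked until' times show.
        rec.blocked_until = now + EXTEND
        if reset_crossed:
            rec.lockouts += 1       # ASSUMPTION: record rewritten after a reset
        return "rejected"
    rec.retries += 1
    if rec.retries >= MAX_RETRIES:
        rec.retries = 0
        rec.lockouts += 1
        rec.blocked_until = now + (EXTEND if rec.lockouts >= MAX_LOCKOUTS else LOCKOUT)
    return "counted"

def replay_thread_timeline() -> Tuple[IpRecord, List[str]]:
    """Constructed timeline matching the thread's three notifications.
    The activation time is an assumption placing a reset boundary at 16:00 UTC."""
    activated = datetime(2023, 5, 18, 16, 0, tzinfo=timezone.utc)
    day = datetime(2023, 5, 19, tzinfo=timezone.utc)
    times = [day.replace(hour=12, minute=m) for m in (0, 1, 2, 20, 21, 22)]
    times += [day.replace(hour=13, minute=31, second=49),
              day.replace(hour=15, minute=13, second=50),
              day.replace(hour=16, minute=56, second=44)]
    rec = IpRecord()
    outcomes = [failed_login(rec, t, activated) for t in times]
    return rec, outcomes
```

The three attempts after the second lockout are all refused, which is the point of the reply: the counters move, the access decision does not.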

    Thread Starter roypaulsinn

    (@roypaulsinn)

    Thanks for a very comprehensive answer and for alleviating my concerns. I really should have mentioned that I’m using your free version and thank you for providing that.

    Plugin Contributor loginizer

    (@loginizer)

    Hello @roypaulsinn ,

    Glad to know that. Do you have any other query or any issue regarding Loginizer?

    Regards,
    Loginizer Team

  • The topic ‘Max Retries and Lockouts and Times not working as expected’ is closed to new replies.