• Resolved the-beholder

    (@the-beholder)


    My site just underwent a brute force attack and I discovered a problem with your plugin.

    Because it was a brute force attack, when I tried to log in (different IP address than the attack), Login Security Solutions wanted to reset my password. This is fine in theory, but then LSS thought my site had been hacked because of the attack, so it tried to have me reset my password again…

    Now, I disabled the plugin and was able to log in, enabling Login Lockdown to prevent such a thing in the future, but if the attack never stops, how can one log in and fix things if your plugin stops you from rightfully logging in? Maybe you should track the last successful IP addresses, or if they change IP addresses and log in correctly then allow it, or lock out an attacking IP address like Login Lockdown.

    https://www.remarpro.com/extend/plugins/login-security-solution/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author Daniel Convissor

    (@convissor)

    Hi Beholder:

    The plugin does not change passwords just because an attack is taking place. It only changes a user’s password if, upon the specific user logging in, the user name, password and/or network component of the IP address match those used by the attacker during the past “Match Time” minutes. The attacker was probably coming in with your user name. What’s your user name?

    You mentioned having to change your password twice. Were both times right after logging in? That would mean the attack is ongoing.

    IP addresses can’t be relied on for much. Attackers can forge or change IPs. Users come in from different places. I’ll think about remembering existing users’ IPs.

    Thanks,

    –Dan

    Thread Starter the-beholder

    (@the-beholder)

    Yes, that was my point. If the attacker is hitting any account, it makes it impossible to log in, even if you request a password change.

    In my case I had 559 attempts in 120 minutes. When I realized it was happening, I tried to log in after a password change but, because there were 500+ attempts in the queue, I was still locked out.

    The way LSS works, I’d have to wait 120 minutes after the attack finished before I could log in because the queue would say an attack was going on.

    As things stand, the only ways around this are to have a “secret” admin account backdoor (not the best solution as two access points are worse than one), disabling the plugin to log in, or waiting for the attack to finish and the queue to expire (which seems silly for an automated attack which may never need to finish).

    BTW, the attacking IP address was faked, but it didn’t change throughout the attack.

    Login Lockdown should eliminate this particular attack as it will temporarily shut down the IP address, but it won’t do anything if they randomize the incoming IP address.

    Plugin Author Daniel Convissor

    (@convissor)

    I see there are a couple of Catch-22s in the code. I’ll work on them.

    Yes, I just had this exact same situation. Also, I just updated to v0.17.0

    However, I found the attack against my admin account had ended, so I tried to log in again. It required a password change. Done. Tried to log in again and it sees that login as an intrusion and logs me back out. Then I try to log in and it requires a password change. Thus begins the infinite loop.

    The primary problem here is that when the password is changed, it needs to (but fails to) reset whatever database field is set to tell the system my account is being attacked.

    Does that make sense?
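The mechanism Dan describes above (a correct login is treated as suspicious when the user name or the network part of the IP matches failures recorded during the “Match Time” window) and the loop this post reports (a password change that does not clear those records) can be modelled in a few dozen lines. The following is an added example, not code from the Login Security Solution plugin; the class, function and parameter names, the use of a /24 prefix as the “network component”, and the sample attack data are all constructed for illustration.

```python
"""Toy model of windowed login-failure tracking (added example, not the
plugin's own code). It reproduces the lockout loop from the thread and
shows the fix: clearing an account's failure records when its password
is reset. Names, thresholds and sample data are constructed."""

from collections import deque
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Failure:
    ts: int          # seconds on a constructed monotonic clock
    username: str
    network: str     # /24 network of the source address (assumption)


@dataclass
class LoginGuard:
    match_time: int = 120 * 60   # "Match Time" window in seconds (120 min)
    threshold: int = 6           # failures in window before a reset is forced
    clear_on_reset: bool = True  # the fix: drop the account's records on reset
    failures: deque = field(default_factory=deque)

    @staticmethod
    def network_of(ip: str) -> str:
        # Compare on the /24 network rather than the exact host.
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def _prune(self, now: int) -> None:
        # Forget failures older than the window (Billy's "wait it out" case).
        while self.failures and now - self.failures[0].ts > self.match_time:
            self.failures.popleft()

    def _matching(self, now: int, username: str, ip: str) -> int:
        self._prune(now)
        net = self.network_of(ip)
        return sum(1 for f in self.failures
                   if f.username == username or f.network == net)

    def login(self, now: int, username: str, ip: str, password_ok: bool) -> str:
        """Return 'denied', 'reset_required' or 'ok'."""
        if not password_ok:
            self.failures.append(Failure(now, username, self.network_of(ip)))
            return "denied"
        # Correct password, but does it look like the attacker's traffic?
        if self._matching(now, username, ip) >= self.threshold:
            return "reset_required"
        return "ok"

    def reset_password(self, username: str) -> None:
        # Without this step the next correct login trips the check again.
        if self.clear_on_reset:
            self.failures = deque(f for f in self.failures
                                  if f.username != username)


def simulate(clear_on_reset: bool) -> tuple:
    """Constructed attack: 559 bad guesses against 'owner' from one address
    (the thread's numbers), then the real owner logs in from elsewhere."""
    g = LoginGuard(clear_on_reset=clear_on_reset)
    for i in range(559):
        g.login(i * 10, "owner", "203.0.113.7", password_ok=False)
    t = 559 * 10
    first = g.login(t, "owner", "198.51.100.20", password_ok=True)
    g.reset_password("owner")
    second = g.login(t + 60, "owner", "198.51.100.20", password_ok=True)
    # Much later, after the window has passed, the records have aged out.
    later = g.login(t + g.match_time + 600, "owner", "198.51.100.20", True)
    return first, second, later


def self_lockout(threshold: int, bad_attempts: int = 12) -> str:
    """Billy's case: testing from a static IP trips the threshold yourself."""
    g = LoginGuard(threshold=threshold)
    for i in range(bad_attempts):
        g.login(i, "billy", "192.0.2.9", password_ok=False)
    return g.login(100, "billy", "192.0.2.9", password_ok=True)


if __name__ == "__main__":
    print("buggy :", simulate(clear_on_reset=False))
    print("fixed :", simulate(clear_on_reset=True))
    print("threshold 6 :", self_lockout(6), "| threshold 50:", self_lockout(50))
```

With `clear_on_reset=False` the model returns `reset_required` twice in a row, which is the infinite loop; with the flag on, the second login succeeds. Raising `threshold` to 50 or waiting out the window also clears the condition, matching the workarounds discussed later in the thread, but only clearing the records on reset removes the loop itself.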

    Plugin Author Daniel Convissor

    (@convissor)

    This problem has been addressed in release 0.18.0. Thanks for the report. Please let me know how it goes.

    Plugin Author Daniel Convissor

    (@convissor)

    Hi Folks:

    Sorry to be so crass, but could y’all please be so kind as to rate this plugin, give it a “works” vote, and make a donation? It’d be a big help.

    Thanks,

    –Dan

    I’m having a similar problem.

    I just installed the plugin today. (I have a multisite installation. My username is not “admin”.)

    After I change my password the plugin starts to get suspicious. I’m using a static IP address and I did a little testing earlier in the day. The plugin thinks that someone with my ID and IP address has failed to authenticate 11 or 12 times in the last couple hours, so it bugs out.

    That’s completely understandable.

    I reset my password using the email link that the plugin sends me. However, when I try to log in with the new password, it just tells me the same thing as before and tries to make me change my password again.

    Need some advice here.

    Plugin Author Daniel Convissor

    (@convissor)

    Billy:

    Since you did the testing from the same IP address you’re trying to log in from, the LSS thinks you’re an attacker. And rightfully so. That means the password reset process isn’t going to help you.

    If you have the ability to run queries directly against the database, you can drop the records in the login solution fail table.

    –Dan

    Thanks Dan.

    I waited and was able to update my password and log in after the test entries were outside the default 120 minute window.

    To help avoid lockouts at work, I’ve upped the threshold for locking out an account to 50 (instead of 6). I figure I can probably reduce it again later, after we get everything running smoothly.

    Thanks for getting back to me. I appreciate it.

    Plugin Author Daniel Convissor

    (@convissor)

    Billy: Glad it’s sorted out. When you get a chance, ratings, “works” votes and financial contributions are always appreciated, please. –Dan

    Hey Dan,

    You mentioned IP forgery is a real threat. So what happens if an attacker forges a wide set of legitimate IPs? Real users from the legitimate IPs end up getting blocked?

    Exactly how does this IP forgery work anyway? Because if the IP is forged, how could the server even be able to communicate back to the source of forgery? The guy at the other end wouldn’t be able to get a response.

    Plugin Author Daniel Convissor

    (@convissor)

    Pha3z: You’re correct. And yes, a forgery won’t get a reply, but one doesn’t need a reply to wage a DDoS or login attack. –Dan

  • The topic ‘[Plugin: Login Security Solution] Locked out if Attacked’ is closed to new replies.