• WordPress 6.5 Solid Security Basic 9.3.2

    We are seeing multiple notifications of Invalid Login and Authorised IP Triggered IP Lockout where the IP involved is mine or another administrator.

    The invalid login alerts show the correct username with a blank password

    The lockout IPs are whitelisted.

    All seem to tally with genuine logins by us so they are not spoofed IPs.

    Any suggestions on how to stop this would be welcome.

    Thank you


Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @scldad, glad you reached out!

    Can you please check the raw details of the “Invalid Login” and “Authorized Host Triggered Host Lockout” to see how are the lockouts being triggered? If possible, please also send the raw details here so I can check.

    If the lockouts seem to tally with your genuine logins, can you make sure that you’re not failing the login process by using invalid credentials or failing the captcha?

    Looking forward to hearing from you.

    Thread Starter Stephen Davies

    (@scldad)

    Here are some examples:

    Brute Force | Notice | Invalid Login | 2024-04-09 14:29:41 – 29 seconds ago | 203.2.199.101

    URL https://holdfastmac.asn.au/wp-login.php?itsec-hb-token=weblogin

    id => 44056
    module => brute_force
    type => notice
    code => invalid-login::user-12
    timestamp => 2024-04-09 04:59:41
    init_timestamp => 2024-04-09 04:59:41
    remote_ip => 203.2.199.101
    user_id => [empty string]
    url => https://holdfastmac.asn.au/wp-login.php?itsec-hb-token=weblogin
    memory_current => 89531272
    memory_peak => 89585480
    data => Array
      details => Array
        source => wp-login.php
        authentication_types => Array
          0 => username_and_password
        user => null
        username => xxxxx
        user_id => [integer] 12
        SERVER => Array
          HTTP_ACCEPT => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
          HTTP_ACCEPT_ENCODING => gzip, deflate, br
          HTTP_ACCEPT_LANGUAGE => en-US,en;q=0.5
          CONTENT_TYPE => application/x-www-form-urlencoded
          CONTENT_LENGTH => 116
          HTTP_HOST => holdfastmac.asn.au
          HTTP_REFERER => https://holdfastmac.asn.au/wp-login.php?itsec-hb-token=weblogin
          HTTP_USER_AGENT => Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
          HTTP_ORIGIN => https://holdfastmac.asn.au
          HTTP_UPGRADE_INSECURE_REQUESTS => 1
          HTTP_SEC_FETCH_DEST => document
          HTTP_SEC_FETCH_MODE => navigate
          HTTP_SEC_FETCH_SITE => same-origin
          HTTP_SEC_FETCH_USER => ?1
          HTTP_TE => trailers
          HTTP_X_HTTPS => 1
          HTTP_AUTHORIZATION => [empty string]
          HTTPS => on
          REQUEST_SCHEME => https
          SCRIPT_FILENAME => /home4/holdfast/public_html/wp-login.php
          SERVER_PROTOCOL => HTTP/2.0
          REQUEST_METHOD => POST
          REQUEST_TIME_FLOAT => [double] 1712638781.0637
          REQUEST_TIME => [integer] 1712638781

    Lockout | Notice | Authorized IP Triggered IP Lockout | 2024-04-07 10:09:07 – 2 days ago | 203.2.199.101

    URL https://holdfastmac.asn.au/wp-login.php?itsec-hb-token=weblogin&loggedout=true&wp_lang=en_US

    id => 44024
    module => lockout
    type => notice
    code => whitelisted-host-triggered-host-lockout
    timestamp => 2024-04-07 00:39:07
    init_timestamp => 2024-04-07 00:39:06
    remote_ip => 203.2.199.101
    user_id => [empty string]
    url => https://holdfastmac.asn.au/wp-login.php?itsec-hb-token=weblogin&loggedout=true&wp_lang=en_US
    memory_current => 89637576
    memory_peak => 89759936
    data => Array
      module => brute_force
      host => 203.2.199.101
      user_id => [boolean] false
      username => [boolean] false
      module_details => Array
        type => brute_force
        reason => Too many bad login attempts
        label => Brute Force
        host => [integer] 5
        user => [integer] 10
        period => [integer] 5
      whitelisted => [boolean] true
      blacklisted => [boolean] false
      lockout_type => brute_force
      lockout_start => 2024-04-07 10:09:06
      lockout_start_gmt => 2024-04-07 00:39:06
      lockout_context => O:40:"iThemesSecurity\Lib\Lockout\Host_Context":5:{s:46:"iThemesSecurity\Lib\Lockout\Host_Contexthost";s:13:"203.2.199.101";s:55:"iThemesSecurity\Lib\Lockout\Host_Contextlogin_user_id";N;s:56:"iThemesSecurity\Lib\Lockout\Host_Contextlogin_username";N;s:62:"iThemesSecurity\Lib\Lockout\Host_Contextuser_limit_triggered";b:0;s:51:"iThemesSecurity\Lib\Lockout\Contextlockout_module";s:11:"brute_force";}
      lockout_expire => 1970-01-01 00:00:01
      lockout_expire_gmt => 1970-01-01 00:00:01
      lockout_host => 203.2.199.101

    I notice references to iThemesSecurity but we are using Solid Security.

    When I or my colleague login, we see no login errors.

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @scldad, thanks for getting these details across!

    The lockouts seem to be due to invalid login attempts: reason => Too many bad login attempts

    Can you double-check if that IP belongs to you or one of your admin users? If it does, can you check if that admin has made the incorrect login attempts?

    I tried triggering a lockout on your site. Can you check if the IP listed is correct (158.x.x.x)? 

    If in case the attempts are brute force attacks, can you try changing the HBE login link and enabling 2FA and then observe if the invalid login attempts will lessen?

    I notice references to iThemesSecurity but we are using Solid Security. – That’s okay. iThemes Security is the old plugin name of Solid Security before the rebrand.

    • This reply was modified 7 months, 2 weeks ago by chandelierrr.
    Thread Starter Stephen Davies

    (@scldad)

    The IP address 203.2.199.101 belongs to my HP laptop and the notices definitely refer to my logins.

    I have not made any incorrect login attempts.

    I see that 158.62.77.117 was locked out due to excessive invalid login attempts.

    On review, I see that every time I or my colleague login there are at least two notifications.

    The first has empty username and password and the second has the correct username with a blank password.

    Sometimes there are additional copies of both.

    Is it possible that these are caused by the fact that I have my username and password saved in my browser (Firefox for me, Safari for my colleague) and that selecting the bookmark triggers an invalid conversation?

    I find this unlikely as the notices seem to have only started relatively recently but before we updated from iThemes to SS.

    How long are log entries kept?

    Cheers,

    Stephen

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi Stephen, thanks for confirming that my attempt was logged as a lockout.

    The number of days the logs are kept will depend on the value set in Security > Settings > Global Settings > Logging. Default values are 60 days for DB logging and 180 days for File logging. Note that the log data will be reset during a re-install.

    It’s unlikely that saving the credentials on your browser and logging in through the bookmarked custom URL link will trigger an invalid login attempt.

    I tried replicating this on my end, so I saved my login credentials with Safari and bookmarked these links: https://example.com/wp-login.php?itsec-hb-token=HBE and https://example.com/wp-login.php?itsec-hb-token=HBE&loggedout=true&wp_lang=en_US, however, I’m not getting the same invalid login/brute force attempts (see here).

    I’m leaning toward your usernames being used in a brute-force attack. Can you try creating a new admin user, transferring all content to it, deleting one of the old admin users, and then observing if the new login action for the new admin will still encounter this issue? 

    Please give this a shot and let me know if it helps.

    Thread Starter Stephen Davies

    (@scldad)

    Can’t do that just now but I can confirm that we are NOT seeing an external attack.

    I login without error and immediately the invalid login alerts appear in the log.

    There are no similar alerts at any other time so it is definitely me.

    Cheers,

    Stephen

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi Stephen,

    I see. Is it specific to the two admin users, or does it happen to all your registered users?

    Does this behavior also happen when you log into the site using another device? If so, can you review the server logs for any errors/warnings that get logged right when you log in and receive the invalid login alerts?

    If possible, please also check if this issue happens when only Solid Security is activated on your site.

    Thread Starter Stephen Davies

    (@scldad)

    No other users have logged in for months if not years.

    My fellow admin uses an Apple device and I have tried an HP laptop, a Samsung tablet and a Samsung phone with the same effects.

    For reasons lost in history, this site also uses WP Cerber. The Cerber logs are empty.

    I do not have access to server logs.
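    Editor's note: the thread stalls on the question of which request is producing the blank-password "Invalid Login" events, and the site owner has no server logs to check. The following must-use plugin is an added example written for this page; it is not code from the original thread, from Solid Security, or from WP Cerber, and the plugin name, file name and log path are assumptions. It hooks WordPress core's `authenticate` filter (which exists with the arguments shown) at a late priority and appends one JSON line per authentication attempt with the request method, URI, content length, submitted form field names (never values or passwords), whether the password was empty, and the outcome. Two core facts make this the right hook: `wp-login.php` calls `wp_signon()` with empty credentials even on a plain GET, so `authenticate` fires for every visit to the login page, and core does not fire `wp_login_failed` for the `empty_username`/`empty_password` error codes, so a tracer on `wp_login_failed` alone would miss exactly the attempts this thread is about. Recording `REQUEST_METHOD` lets the reader separate GET visits from real POST submissions such as the `CONTENT_LENGTH => 116` POST in the raw details above.

```php
<?php
/**
 * Plugin Name: Login Attempt Tracer (hypothetical diagnostic; not part of Solid Security)
 * Description: Appends one JSON line per authentication attempt so that "Invalid Login"
 *              events can be matched to the request that produced them.
 *
 * Install: copy to wp-content/mu-plugins/login-attempt-tracer.php (must-use plugins load
 * automatically, no activation step). Delete the file and the trace log when finished.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/*
 * Trace file location. Assumption: the directory above the document root is writable by PHP
 * (for a layout like /home4/holdfast/public_html this is /home4/holdfast/). Keeping it out of
 * the web root means usernames and IPs in the trace are not downloadable. If that directory is
 * not writable, use WP_CONTENT_DIR instead and deny web access to the file.
 */
define( 'LOGIN_TRACER_FILE', dirname( ABSPATH ) . '/login-attempt-trace.log' );

/**
 * Build one trace record from the current request.
 *
 * @param WP_User|WP_Error|null $result   What the earlier `authenticate` callbacks produced.
 * @param string                $username Username submitted (may be empty).
 * @param string                $password Password submitted; only its emptiness is recorded.
 * @return array<string,mixed>
 */
function login_tracer_build_record( $result, $username, $password ) {
    if ( $result instanceof WP_User ) {
        $outcome = 'ok:' . $result->ID;
    } elseif ( is_wp_error( $result ) ) {
        $outcome = 'error:' . implode( ',', $result->get_error_codes() );
    } else {
        $outcome = 'no-handler';
    }

    return array(
        // UTC, to match the `timestamp`/`*_gmt` fields in Solid Security's raw log details.
        'time'           => gmdate( 'Y-m-d H:i:s' ),
        'remote_ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'method'         => $_SERVER['REQUEST_METHOD'] ?? '',   // GET = page visit, POST = form submit
        'uri'            => $_SERVER['REQUEST_URI'] ?? '',
        'content_length' => (int) ( $_SERVER['CONTENT_LENGTH'] ?? 0 ),
        'referer'        => $_SERVER['HTTP_REFERER'] ?? '',
        'user_agent'     => $_SERVER['HTTP_USER_AGENT'] ?? '',
        'post_fields'    => implode( ',', array_keys( $_POST ) ), // field names only, never values
        'username'       => (string) $username,
        'password_empty' => '' === (string) $password,
        'outcome'        => $outcome,
    );
}

/*
 * Priority 1000 runs after core's username/password and cookie handlers (20 and 30) and after
 * the multisite spam check (99), so $result is the decision a security plugin also sees.
 * The callback returns $result unchanged; it never alters the authentication outcome.
 */
add_filter(
    'authenticate',
    function ( $result, $username, $password ) {
        $record = login_tracer_build_record( $result, $username, $password );
        file_put_contents(
            LOGIN_TRACER_FILE,
            wp_json_encode( $record ) . PHP_EOL,
            FILE_APPEND | LOCK_EX
        );
        return $result;
    },
    1000,
    3
);
```

Reading the trace: log in once, then compare the lines written in that second against the `timestamp` (UTC) and `remote_ip` of the corresponding "Invalid Login" event in Security > Logs. A line with `"method":"GET"` and `"password_empty":true` is the login page being loaded, not a credential submission; a line with `"method":"POST"`, a non-empty `username` and `"password_empty":true` is a real form submission that arrived without a password, and its `user_agent`, `referer` and `post_fields` identify which client sent it. Because the file records usernames and source IPs, treat it as sensitive and remove both the plugin and the log once the cause is found.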

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @scldad,

    I’d like to inform you that we’re tracking this matter internally. I’m still waiting for feedback from our team, and I’ll get back to you as soon as I have an update.

  • The topic ‘Strange IP notifications’ is closed to new replies.