Two-Factor Authentication = access by ip

Hi maks131313,

This is probably not a good idea since the IP address can easily be spoofed.

+++++ To prevent any confusion, I’m not iThemes +++++

ip адрес находтся в моем владении. Как его можно подделать ? ))) это невозможно. как можно подделать вделенный ip адрес

————

ip address is in my possession. How can it be faked? ))) it’s impossible. how to fake ip address

у всех панелей впс есть эта функция и они не считают что это плохая идея. ispmgr , cPanel… и другие гиганты предоставляют защиту по ip
——

all vps panels have this feature and don’t think it’s a bad idea. ispmgr , cPanel …. and other giants provide ip protection

ip address is in my possession. How can it be faked? ))) it’s impossible. how to fake ip address

Passwords are also supposed to be in your possession only. However everybody knows only using passwords for authentication is not safe.
(That’s why 2FA was invented).

Be aware that as soon as you log into the WordPress Dashboard as an administrator the iTSec plugin will automatically add your IP to a (temporary) whitelist (It’s saved unencrypted in the database for 24 hours in an option named itsec_temp_whitelist_ip).

The whitelist is not used for authentication but it is used for authorization. So it prevents you (administrator) from being accidentally locked out/banned.

While testing the iTSec plugin Brute Force feature I regularly spoof my IP address to circumvent this whitelist … (the feature can also be disabled in the plugin Global Settings).

• This reply was modified 2 years, 8 months ago by nlpro.

я задал этот вопрос технической поддержке ispmgr, так как у них есть вход в панель с разрешенных ip адресов и у них есть функция 2FA которые можно использовать совсестно. То есть у них есть две функции защиты

и вот их ответ:

1. ip адрес подделать нельзя, если вы являетесь его владельцем.
2. даже если предположить что ip адрес можно подделать (или вашего ip есть несколько хозяев), то злоумышленик-взломщик не будет зать каккой именно адрес нужно подделать

откуда взломщик будет знать какой именно адрес подделывать ?

—————-

I asked this question to ispmgr tech support as they have allowed ip logins and they have a 2FA feature that can be shared. That is, they have two protection functions

and here is their answer:

1. An ip address cannot be faked if you own it.
2. even if we assume that the ip address can be faked (or there are several owners of your ip), then the hacker will not know which address needs to be faked

how will the cracker know which address to forge?

For clarification, I’m talking about IP spoofing from the browser.

So as an example:

While using computer IP X (my correct IP address) I use spoofed IP Y for web requests from the browser.

how will the cracker know which address to forge?

Phishing to name one method …

фишинг исключен. для работы использую отдельный браузер который автоматически чистися, также на нем посещаю тольо свои сайты в которых уверен и много других мер защиты. в моем случае невозможно узнать какой ip адрес я установли для входа в ispmgr, что тех поддержка ispmgr и подтвердила.

также прошу обратить внимание что Two-Factor Authentication ненадежен в том случае если почту взломали или почтой пользуется много людей(корпаративные почтовые ящики)

поэтому лучше использовать два метода одновременно, но к большому сожалению у вас его нет даже в pro версии
———

phishing is excluded. for work I use a separate browser that is automatically cleaned, I also visit only my sites on it, which I am sure of and many other protection measures. in my case, it is impossible to know what ip address I set to enter ispmgr, which ispmgr support confirmed.

also please note that Two-Factor Authentication is unreliable if the mail is hacked or a lot of people use the mail (corporate mailboxes)

so it's better to use two methods at the same time, but unfortunately you don't have it even in the pro version

Like stated in my first post:

+++++ To prevent any confusion, I’m not iThemes +++++

I’m just providing community support which is fun and helps me learn stuff ??

So if I understand correctly you want 2FA with a new 2FA IP provider:

1. Username/password – user input
2. 2FA token or IP – user input (app, email, backup list), automatically verified (IP)

This way you can login with just the correct username/password while your web request IP is automatically verified. This would make 2FA faster. Right?

наверное вы не правильно поимаете. Нужно запретить все ip адреса для входа в админку, кроме одного-двух моих адресов которые я сам добавил в настройки плагина.

вот смотрите скриншот с ispmgr https://cloud.mail.ru/public/SPsp/zHfoc13TH

эта функция есть везде, только нет ее в вашем плагине
———

you probably don't get it right. It is necessary to prohibit all ip addresses to enter the admin panel, except for one or two of my addresses that I myself added to the plugin settings.

see the screenshot from ispmgr https://cloud.mail.ru/public/SPsp/zHfoc13TH

this function is everywhere, only it is not in your plugin

Oh well never mind. I did my best ??
If you don’t mind I’m not going to click on any provided Russian links.

Anyway a Google search on the internet returned results that seem to indicate that IP address is NOT a good 2FA token.

вы знаете что такое cpanel и ispmgr ? они считают что это хорошая функция а ваш плагин недоработка и не дает 100 % безопасности.

вот вам ссылка по которой вы не будете боятся переходить https://www.dropbox.com/s/6h3ks2q7k26efko/zHfoc13TH.png?dl=0

—————–

do you know what cpanel and ispmgr are? they think it’s a good feature and your plugin is flawed and not 100% secure.

here is a link for you that you will not be afraid to follow https://www.dropbox.com/s/6h3ks2q7k26efko/zHfoc13TH.png?dl=0

What is going on in here? @maks131313 Just use remember device and remember me options and so you can quickly login.

iThemes Security isn’t the end all be all for security – that’s pretty common knowledge for pretty much any one; as example, think of homeowners.

You need to keep in mind that the support you get here is from the WordPress community, we are doing our best to help out.

Hi @maks131313, I hope the information provided helped resolve the issue. Since we haven’t received a response, I’ll mark this post resolved. If you still need some assistance, feel free to open a new support topic, and we’d be happy to assist. Thank you!