multiple failed login attempts

Hi, I am currently just using the free version of s2member and have Brute force restriction set to 3 attempts / 30 minutes.

So my question, to help me understand whats happening here, is why does my login log show multiple failed login attempts, from someone trying to hack my site, where no restriction has been applied.

You can see from the log extract below multiple attempts from the same ip address over six minutes.

788 2013-03-03 03:45:46 66.85.150.246
787 2013-03-03 03:45:30 66.85.150.246
786 2013-03-03 03:45:13 66.85.150.246
785 2013-03-03 03:44:55 66.85.150.246
784 2013-03-03 03:44:39 66.85.150.246
783 2013-03-03 03:44:18 66.85.150.246
782 2013-03-03 03:43:58 66.85.150.246
781 2013-03-03 03:43:39 66.85.150.246
780 2013-03-03 03:43:19 66.85.150.246
779 2013-03-03 03:43:00 66.85.150.246
778 2013-03-03 03:42:42 66.85.150.246
777 2013-03-03 03:42:29 66.85.150.246
776 2013-03-03 03:42:15 66.85.150.246
775 2013-03-03 03:42:01 66.85.150.246
774 2013-03-03 03:41:47 66.85.150.246
773 2013-03-03 03:41:34 66.85.150.246
772 2013-03-03 03:41:19 66.85.150.246
771 2013-03-03 03:41:05 66.85.150.246
770 2013-03-03 03:40:51 66.85.150.246
769 2013-03-03 03:40:40 66.85.150.246
768 2013-03-03 03:40:33 66.85.150.246
767 2013-03-03 03:40:21 66.85.150.246
766 2013-03-03 03:40:10 66.85.150.246
765 2013-03-03 03:40:00 66.85.150.246
764 2013-03-03 03:39:49 66.85.150.246
763 2013-03-03 03:39:41 66.85.150.246
762 2013-03-03 03:39:29 66.85.150.246
761 2013-03-03 03:39:20 66.85.150.246

Hi Warwick.

I know that s2Member restrictions don’t become active if the Membership Options Page has not been set. I’m not sure if it applies to the Brute Force restriction too, but it’s possible. Have you set that page? [hilite path]Dashboard -› s2Member® -› General Options -› Membership Options Page[/hilite]

I’ll ask Jason about this.

Hello Cristian,

Thank you for your reply. Yes, the membership options page is set. And I know it is working because every now and again a member contacts me about being shut out for half an hour – so that part works.

So I guess the question should be, how are these hackers getting around it. I have no idea why they would be interested in my site, but now getting attempts from China, UK and Romania – or at least this is the reported IP address locations the hackers are using.

Any ideas on this would be great. I can’t keep blocking IPs by country, for obvious reasons.

Warwick

Thanks for the info. I don’t know why you have all those login attempts when the restriction works for some customers.

Could you please submit your site’s info? Please let me know here when you send it. s2Member® » Private Contact Form

Thanks!

Details received. Thank you!

I just took a look at your installation, but I was unable to reproduce this problem.
Please let us know what we’re missing. Thanks!

Are you kidding me!

Its taken you nearly a week to reply and clearly did not read / understand the issue.

PLEASE take a look at the login logs and you will see multiple logins in the tens. I have partially solved the issue by blocking Countries like Turkey – where the IP addresses originated from. But I can’t keep blocking countries to solve the issue.

Please look at the the login log under users and scroll back a little way and you will see many examples. Although this should also be very clear in the screen shot above.

Thank you and reagrds,

Warwick Jones

Any attempt that would trigger the WP action hook [hilite mono]wp_login_failed[/hilite] will count against the user. If you have a plugin which somehow dodges that hook, it could cause a problem. On this installation, though, it seems to be fine, as shown in Jason’s screenshot.

Or maybe your installation has something else allowing logins to the site, which bypasses the normal procedure, which is what s2Member monitors.

I tried logging into your admin area a moment ago but the login info is not valid anymore. What does the login log actually log, though? successful logins or every attempt? They seem to be attempts, otherwise why would someone login so many times in such a short time if they were successful?

I deleted that user that was created for you to log in and take a look my WP set up.

Given the multiple login attempts originate in Turkey, Romania, Iran, China I think it is fairly safe to assume the reason for multiple login attempts is to HACK the site.

Somehow members who forget passwords / have trouble logging in get blocked out after 3 tries, so what are the hackers doing to get around this.

As you have so far been unable to grasp the situation, and the time it takes for a reply, and because previous issues remain unresolved I think It best I start looking at an alternative member management plugin.

Somehow members who forget passwords / have trouble logging in get blocked out after 3 tries, so what are the hackers doing to get around this.

They’re most likely using a script that submits login info directly, not loading the login form first.