latest stable versions: v150827 (changelog)

Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

About: Richard Ziegler

Sorry, I've not written a description yet. I'll get to it soon!


Topics I'm Subscribed To (1 topic)

- Brute Force Attempted This Morning, by Richard Ziegler in Community Forum; voices: 2, replies: 8; last reply 3 years, 9 months ago by Bruce

Topics I've Started (1 topic)

- Brute Force Attempted This Morning, by Richard Ziegler in Community Forum; voices: 2, replies: 8; last reply 3 years, 9 months ago by Bruce

My Latest Replies (From Various Topics)

Viewing 4 replies - 1 through 4 (of 4 total)
Author Replies
Posted: Wednesday Apr 10th, 2013 at 3:13 am #47035

Actually, just one more thing to add…

As a possible suggestion for future releases of s2Member, might there be a way to lock an IP address from even accessing the wp-login form during the lockout period? If you fail the login and reach the limit, have s2Member block that IP from accessing the wp-login area of the site. That would prevent not only brute force attacks, but any resulting server resource consumption that would cause issues on the server end by attempting logins even when already locked out.
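The suggestion above (reject an IP at the wp-login door once it has hit the failure limit, before any password work is done) can be sketched in WordPress without touching s2Member. The following is an added example, not s2Member's code or a feature the plugin offers; the `hypo_` names, the mu-plugin placement, the 5-failure / 30-minute limits (the thread's described defaults) and the use of `REMOTE_ADDR` as the client address are all assumptions of this example.

```php
<?php
/*
 * Added example, not s2Member code. Deny wp-login.php to an IP that has hit
 * the failed-login limit, before WordPress renders the form or checks a
 * password. Assumed to run as a mu-plugin (wp-content/mu-plugins/).
 * Assumption: REMOTE_ADDR is the real client; behind a proxy you would
 * have to take the address from a forwarded header you trust from that
 * proxy only, otherwise the attacker picks which IP gets locked.
 */

define('HYPO_LOGIN_MAX_FAILS', 5);                       // assumed limit
define('HYPO_LOGIN_LOCKOUT_SECS', 30 * MINUTE_IN_SECONDS); // assumed window

// Transient key for this client. Transient names have a length limit,
// so the address is hashed rather than embedded raw.
function hypo_client_ip_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'hypo_lf_' . md5($ip);
}

// wp_login_failed fires after WordPress has rejected a password.
// Count the failure against the source IP; the count expires with the window.
add_action('wp_login_failed', function ($username) {
    $key   = hypo_client_ip_key();
    $fails = (int) get_transient($key); // false (no entry) casts to 0
    set_transient($key, $fails + 1, HYPO_LOGIN_LOCKOUT_SECS);
});

// A successful login clears the counter so a user who mistyped twice and
// then got it right is not carried toward the limit.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(hypo_client_ip_key());
}, 10, 2);

// login_init fires at the top of wp-login.php for every request, GET or
// POST, before the form is output and before credentials are looked at.
// A locked-out IP gets an empty 429 and nothing else is executed: no
// form, no user lookup, no password hash comparison.
add_action('login_init', function () {
    $fails = (int) get_transient(hypo_client_ip_key());
    if ($fails >= HYPO_LOGIN_MAX_FAILS) {
        nocache_headers();
        status_header(429);
        header('Retry-After: ' . HYPO_LOGIN_LOCKOUT_SECS);
        exit;
    }
});
```

Two caveats worth stating plainly. First, this only shrinks the cost of each request during the lockout; every hit still starts a PHP worker and does one transient lookup, so a script submitting many combinations per second, as described in this thread, still consumes server resources. Removing that load requires a block in front of PHP (the host's IP ban, a web-server deny rule, or a firewall), which is exactly the step the hosting company took. Second, an attacker rotating through many source addresses is not slowed by a per-IP counter at all, which is why a CAPTCHA or similar per-request cost on the form is a complementary control rather than a replacement for this one.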

Posted: Wednesday Apr 10th, 2013 at 3:09 am #47034

Thanks, I will chat with them a bit and see what they have to say about it and maybe I can get more information about the type of attack and how to prevent it. I think you are correct; there is some terminology confusion going on here.

It may have started as brute force, but I think s2Member locked it out, and the repeated attempts during the lockout bogged the server down and that's when they took whatever action they did. I'm reading between the lines, but I think they took my site offline during the attack; honestly, I don't have a huge problem with that. The best way to thwart an attack is to remove the target. It was only down for a few hours and they restored it immediately after talking with me.

I know they have since banned the IP the attack came from, so hopefully the hacker will move on to a softer target. I appreciate the help and thanks for doing your best to answer my questions even if they did stray a bit from the s2Member side of the equation. I do believe we have this resolved now and I'm glad I invested in s2Member because it's already protected my installation once! Hopefully it won't be a regular occurrence. Thanks again.

Rich

Posted: Wednesday Apr 10th, 2013 at 2:23 am #47022

That may explain it then. Brute force was their term, not mine. So I assumed it was repeated login attempts and perhaps an issue with my settings. Having tested it myself, though, the lockout seems to be functioning. That seems to make the DoS component likely and also explains the server maxing its memory/CPU resources.

I'm not super savvy on what protections they have in place, so I may not be explaining this the best. When I say they took my account offline, I believe it was my hosting company that did it, because the site was being attacked. I do not believe the hacker took the whole server down in the DoS attack; they saw it happening and either the server deactivated the account or they did it manually to prevent continued attempts at gaining access.

When I spoke to the tech, they said it seems to be a trending thing lately on WordPress installations. They were recommending another login limiting plugin. That's where my confusion started, having had s2Member already set up to block brute force attacks. I almost wonder if, because s2Member doesn't deny access to the wp-login as part of the lockout, the hacker's brute force attack may have turned into a DoS as a side effect. He started his brute force script and was locked out immediately, but since the form was still available for user/password combos and the script was still running, it became a DoS by default. Then my hosting company took the site offline as some sort of safeguard.

I've added a CAPTCHA math question to the login form, which should prevent both from occurring in the future, but I may call support up again tomorrow to get more details. What questions do you recommend I ask? Should I be asking about the safeguards they have in place for brute force as well as denial of service?

Thanks for the help, by the way,

Rich

Posted: Wednesday Apr 10th, 2013 at 1:58 am #47016

It is currently set to punish after 3 login attempts; it was set to the defaults prior to the attack, punishing for 30 minutes after 5 failed login attempts. I verified this while on the phone with tech support right after they restored the account to active service.

I tested this myself this afternoon with a mobile hotspot. I deliberately gave the wrong password 3 times and it locked me out. I verified I was locked out by using the correct password and username, and I still couldn't gain access to the admin area due to the 30 minute punishment window.

So, new question: is it possible that s2Member was working perfectly and locked the hacker out, but his continued attempts to submit password and username combos were putting stress on the server? The login form is still available, and you can still submit a user/password combo even when locked out; might that have been what was bogging down the server?

They took my whole site offline when their server CPU usage spiked from the brute force attack. The tech on the phone verified that the hacker was trying multiple combos per second. That stressed the server, and it either took my account offline automatically or one of the techs was alerted to the attack and did it manually. Either way, the server was apparently still taking a pretty heavy resource hit.

Is that normal even if they are locked out? Or should the strain on the server have been averted when the hacker was locked out after hitting the limit for failed login attempts?



Contacting s2Member: Please use our Support Center for bug reports, pre-sale questions & technical assistance.