Brute Force Password Attacks (Suggestion)

Discussion in 'Setting-up protection' started by karyng01, Aug 15, 2013.

  1. karyng01

    karyng01 aMember Pro Customer

    Joined:
    Jul 30, 2008
    Messages:
    71
    My suggestion for improvement is to log brute force password attacks (IP address & username attempted) on the aMember Admin login www.mysite.com/members/admin url. Have been dealing with some brute force attacks recently on my websites and it would be helpful to security to have a record of attempted logins & usernames.

    Knowing the username attempted tips me off on whether the actual admin username has been found out and so to change it if repeated multiple times from an unrecognized IP address.

Even more helpful would be a feature where you can have aMember lock out an IP address (or range of addresses) automatically based on repeated attack behavior. I know currently if too many logins are attempted aMember increases the time before you can attempt a new login, which is good, but knowing (through a log file record) that attacks are happening is even more helpful. Then having an ability to permanently block an IP address (or range of addresses), a blacklist, would be excellent.

Thanks for listening to this suggestion. If anyone currently has a solution they are using with aMember to handle brute force attacks, logging & blocking, it would be great to hear from you.

    Aly
  2. alex

    alex aMember Pro Customer Staff Member

    Joined:
    Jan 24, 2004
    Messages:
    6,021
    Hi Aly,
aMember is currently blocking bruteforce attacks. After several failed attempts, it adds a serious delay, so continuing the bruteforce attack becomes not practical. It blocks by both username tried and IP address.

Permanently banning IP is not a solution these days for 2 reasons:
- most IPs in today's world are dynamic. Another hour this IP will belong to another user;
- most dangerous attacks come not from the attacker's IP, but from botnets (read: from innocent user computers infected by a virus).

    I agree that aMember admins deserve more information about this, and we will implement viewing of records regarding bruteforce protection. Right now, it can be found in am_failed_login mysql table.
  3. karyng01

    karyng01 aMember Pro Customer

    Joined:
    Jul 30, 2008
    Messages:
    71
    Hi Alex

Thanks for the explanation, I also saw the CAPTCHA feature as well, which is great.

We had been hit by a botnet brute force attack on several WordPress sites. I know it's not aMember, but dealing with the attack we found it useful to have a dynamic IP address blocking plugin, http://wordpress.org/plugins/limit-login-attempts/ that monitors incoming IP addresses and blocks them for a set time period (60-120 min), then after repeated use it blocks them for 24-48 hours.

Even though the IP addresses were dynamic and botnet based, they used 100s of them, this helped cut down on the attack vector. Combined with CAPTCHA, time delay & IP blocking was the best we could do.

    Being notified of an attack via email was a great feature and prompted me to rename admin usernames & password, using 30-40 random characters. Appreciate any help you can give to notify us of attacks via email and log files.

    Aly
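A simplified model of the behaviour Alex and Aly describe above (failed logins logged with IP and username, blocks keyed by both the username tried and the IP, short blocks that escalate to long ones on repetition), written here as an added example; it is not aMember's code and not the limit-login-attempts plugin's code, and the thresholds, block lengths, addresses and usernames are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    # Constructed thresholds, loosely following the thread's numbers.
    threshold: int = 5            # failures that trigger a block
    short_block: int = 60 * 60    # seconds (thread: 60-120 min)
    long_block: int = 24 * 3600   # seconds (thread: 24-48 h)
    escalate_after: int = 2       # short blocks tolerated before escalating

@dataclass
class FailedLoginTracker:
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    log: list = field(default_factory=list)            # (ts, ip, username)
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blocks: dict = field(default_factory=lambda: defaultdict(int))
    blocked_until: dict = field(default_factory=dict)

    def record_failure(self, now, ip, username):
        # Log first: the IP/username record is what the original post asks for.
        self.log.append((now, ip, username))
        for key in (("ip", ip), ("user", username)):
            self.failures[key] += 1
            if self.failures[key] < self.policy.threshold:
                continue
            self.failures[key] = 0
            self.blocks[key] += 1
            escalated = self.blocks[key] > self.policy.escalate_after
            length = self.policy.long_block if escalated else self.policy.short_block
            self.blocked_until[key] = now + length

    def allow_attempt(self, now, ip, username):
        # Blocked by either key: rotating IPs against one username still hits the username block.
        return all(self.blocked_until.get(k, 0) <= now
                   for k in (("ip", ip), ("user", username)))

    def usernames_by_ip(self):
        # The admin's report: which usernames each IP has tried.
        seen = defaultdict(set)
        for _, ip, user in self.log:
            seen[ip].add(user)
        return {ip: sorted(users) for ip, users in seen.items()}

def simulate_campaign(attempts=15, ip="203.0.113.7", username="admin"):
    # Constructed sample: one address hammering the admin account once a second.
    tracker = FailedLoginTracker()
    for t in range(attempts):
        tracker.record_failure(t, ip, username)
    return tracker
```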
  4. pjman

    pjman Member

    Joined:
    Oct 18, 2013
    Messages:
    51
I had a series of huge bruteforce attacks on my site over the past month. Often sending the load near 100 on the server. For periods of 48 hours. Basically making everything inoperable. The best solution was to only allow countries that have made purchases on my site to connect to my server via a firewall setting.

    The minute I put that directive into my firewall (limiting it to 23 countries that actually have ever made a purchase) the load dropped to 1 and they gave up after that. If you get hit, check your analytics for which countries have made purchases and limit your site to them.