Hiawatha banning setting not working

Fred
7 March 2016, 14:24
Hi Hugo,
When I look at the log file of my WordPress security plugin, I keep seeing entries like this one...
User    Password 	IP Address      Date/Time               User-Agent
admin hidden 92.60.114.159 7 mars 2016 8 h 41 min Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
admin hidden 92.60.114.159 7 mars 2016 8 h 41 min Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
admin hidden 92.60.114.159 7 mars 2016 5 h 47 min Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
admin hidden 92.60.114.159 7 mars 2016 5 h 47 min Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
admin hidden 92.60.114.159 7 mars 2016 2 h 54 min Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
admin hidden 92.60.114.159 7 mars 2016 2 h 54 min Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

My understanding is that Hiawatha should block IP 92.60.114.159 automatically after 4 failed logins...
# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnInvalidURL = 60
BanOnMaxPerIP = 15
BanOnMaxReqSize = 300
BanOnWrongPassword = 4:900
BanOnSQLi = 3600
KickOnBan = yes
RebanDuringBan = yes
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3, deny TrustedIP_4


Also, I am using a Hiawatha proxy in front of it. I don't know if the two are related...

Could you please help me understand why the brute force attacks are not blocked after the time I set in the config file?

Thank you
Hugo Leisink
7 March 2016, 20:45
The four wrong passwords must be entered within a minute. After the minute, the counter is set to zero. According to your logfile, you have only two wrong passwords within a minute.
Fred
8 March 2016, 10:49
Hi Hugo,
Below is today's log...
323 	administrator 	hidden 	5.153.238.103 	8 mars 2016 6 h 28 min 	
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
322 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
321 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
320 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
319 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
318 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
317 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
316 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
315 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
314 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
313 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
312 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

In this log, I have 12 wrong passwords entered within a minute.
Is this normal? I am missing the obvious here.

Thank you
Fred
8 March 2016, 10:52
Sorry, here is the formatted log
323 	administrator 	hidden 	5.153.238.103 	8 mars 2016 6 h 28 min 	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
322 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
321 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
320 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
319 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
318 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
317 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
316 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
315 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
314 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
313 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
312 administrator hidden 5.153.238.103 8 mars 2016 6 h 28 min Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Hugo Leisink
8 March 2016, 23:44
The BanOnWrongPassword only works for Hiawatha's HTTP authentication (the PasswordFile setting). Is that one set, or is WordPress's own login page being used?
Fred
9 March 2016, 11:15
Hi Hugo,
WordPress's own login page is being used.
So is my understanding of the ban setting completely wrong?
Hugo Leisink
9 March 2016, 16:13
Yes. Hiawatha has no insight into what applications do. The BanOnWrongPassword is only for Hiawatha's own HTTP authentication.
Mario Nestler
16 March 2016, 09:59
Hi Fred, I use fail2ban for this problem.
This topic has been closed.
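
Added example, not part of the thread and not Hiawatha's code: because the web server never sees WordPress login failures, any ban decision has to be made from the application's own log. This Python example applies the counting rule described in the thread (a threshold of failures within one minute, after which the counter resets) to the plugin's log rows; the function names, the `window` parameter and the shortened user-agent column are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# French month names, as the plugin prints them in the thread's log.
MONTHS = {name: i for i, name in enumerate(
    "janvier février mars avril mai juin juillet août "
    "septembre octobre novembre décembre".split(), 1)}

# Optional row id, user, masked password, IPv4, then "7 mars 2016 8 h 41 min".
ROW = re.compile(
    r"^(?:\d+\s+)?(\S+)\s+hidden\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(\d{1,2})\s+(\w+)\s+(\d{4})\s+(\d{1,2})\s+h\s+(\d{1,2})\s+min")

def parse(line):
    """Return (ip, timestamp) for a failed-login row, or None for anything else."""
    m = ROW.match(line.strip())
    if not m or m.group(4).lower() not in MONTHS:
        return None
    _user, ip, day, month, year, hour, minute = m.groups()
    return ip, datetime(int(year), MONTHS[month.lower()],
                        int(day), int(hour), int(minute))

def would_ban(lines, max_failures=4, window=60):
    """Map each IP to the time its failures reach max_failures within window seconds."""
    # The plugin lists newest rows first, so sort into chronological order.
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[1])
    start, count, banned = {}, defaultdict(int), {}
    for ip, ts in events:
        if ip in banned:
            continue
        # Once the window has elapsed, the counter goes back to zero.
        if ip not in start or (ts - start[ip]).total_seconds() >= window:
            start[ip], count[ip] = ts, 0
        count[ip] += 1
        if count[ip] >= max_failures:
            banned[ip] = ts
    return banned

# Rows rebuilt from the two logs in the thread, user-agent column shortened.
LOG_7_MARCH = [f"admin hidden 92.60.114.159 7 mars 2016 {t} Mozilla/5.0"
               for t in ("8 h 41 min", "8 h 41 min", "5 h 47 min",
                         "5 h 47 min", "2 h 54 min", "2 h 54 min")]
LOG_8_MARCH = [f"{n} \tadministrator \thidden \t5.153.238.103 "
               f"\t8 mars 2016 6 h 28 min \tMozilla/5.0" for n in range(323, 311, -1)]

if __name__ == "__main__":
    print("7 March:", would_ban(LOG_7_MARCH))   # pairs only, below 4 per minute
    print("8 March:", would_ban(LOG_8_MARCH))   # 12 rows in the same minute
```

The plugin's timestamps have minute resolution, so rows stamped with the same minute are treated as simultaneous and rows one minute apart fall into separate windows.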