[Defender] Multiple login lockouts = permanent ban?

We know Defender will lock out multiple login failures for some number of seconds. Is there a second tier? After more than N such lockouts, will an IP address get a permanent ban? If not, I request this enhancement. (Sure, and move this enquiry to Feature Requests only if there is no other suggestion.)

For now, if there is a hook for when an IP is temporarily locked, then we should be able to count events ourselves and then add the IP to the ban list. If that's the best solution then I can do this, but I'm really hoping a staff member will post the small function required to do this.

And if the hook/functions are not available to do that (lockout event and add IP to blacklist/whitelist) then please add this as a request for these features.

Thanks.

  • Adam Czajczyk

    Hello Tony G,

    I hope you're well today and thank you for your question!

    There's an action hook in Defender's IP Lockouts module (which handles both login and IP lockouts):

    do_action( 'wd_login_lockout', $model, $force, $blacklist );

    It's called right after a login lockout is applied, and $model->ip contains the IP of the locked-out user. There's a method to add an IP to the blacklist as well in the same module, so I assume it would be possible to achieve what you described. However, that's just my understanding and I'm not that proficient with Defender's code and internal "code logic", so I have forwarded your question to our developers and let's see what they'll come up with.

    We'll update the ticket here as soon as we know more on this.

    Kind regards,
    Adam

  • Konstantinos Xenos

    Hi Tony G !

    Based on the correct hook that Adam Czajczyk replied with, we can read the 'Lockout Logs' to see how many times an IP has been locked out and then act accordingly.

    Installation:
    1) Download the .zip that contains defender-blacklist-after-x-lockouts.php from HERE.

    2) Create a folder named mu-plugins in your "wp-content" directory

    3) Upload the defender-blacklist-after-x-lockouts.php that is contained in the .zip you downloaded. The final path should look like "\wp-content\mu-plugins\defender-blacklist-after-x-lockouts.php"

    4) [OPTIONAL] Currently it is set to blacklist on 3 lockouts. To change that, edit the file and at line 16 change $blacklist_after = 3; to any number you like.

    5) Done, you'll start seeing the Blacklist IPs getting populated as well.

    If you want to test this, do it preferably on some dev site of course, or use a different IP when testing so you don't lock yourself out accidentally. You'll have to remove your IP from the Whitelist as well.

    Tell me if this worked as you expected!

    Regards,
    Konstantinos

  • Tony G

    This is great. I will check it out in a few days. Thank you, Konstantinos Xenos! I believe I can use this to do other things that have been suggested in these forums. I'll experiment and post a note later.

    Example 1:
    Rather than just pulling from the log, the same code can probably be used to read from a list of IP addresses that have been downloaded. And whatever is in the database can be queried for upload. With this, a central repository can hold a list of blacklisted IPs, and that repo can be updated by any of our sites and then checked by all of the others.

    Why? I'd prefer to be PRO-active rather than RE-active. I'd like to blacklist an IP before they get to my system. For all I know, the next bad guy is going to be successful ... but they can't be if they've already been blocked elsewhere for the same bad behaviour.

    I would also timestamp IPs that are blocked like this. Chances are that bad guys are going to move around, and a bad IP today might be valid about a month later. So what I'm really looking at is not just a 300 second lockout (available from Defender Settings) but a 30+ day lockout as well for these persistent offenders.

    Example 2:
    When we find multiple events from a single IP, we can do a lookup to see what host may be providing that IP to one of their customers. We should be able to generate an email to an address like abuse@ for these hosts in the hope that they can take some action. While I think there's merit to this, in the real world I have tried sending email to a couple of hosts and all they do is forward the email to their customer as a "we know what you're doing" - they don't actually act on the info. :(

    Example 3:
    Use the log info to raise a flag to the admin if a previously banned IP is registering on the site, or if other IPs in that same block/host are registering. While not very accurate, this could provide a hint that something might be going on.

    A little information goes a long way. Thanks again...
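Added example (not the file Konstantinos linked, and not part of Defender itself) showing how the two ideas in this thread fit together as an mu-plugin: hook the 'wd_login_lockout' action Adam named, count lockouts per IP, blacklist after a threshold, and only count lockouts from the last 30 days so a long-lived ban expires as Tony suggested. The option name defender_example_lockout_counts, the threshold of 3, the 30-day window, and the function defender_example_add_to_blacklist() are all assumptions; the thread does not name Defender's blacklist method, so that function is a placeholder that only logs and must be wired to the real method (or to a shared blacklist repository) before it does anything.

```php
<?php
/**
 * Plugin Name: Defender - blacklist after X lockouts (added example)
 *
 * Illustrative mu-plugin for this thread, not Defender's own code. It listens on
 * do_action( 'wd_login_lockout', $model, $force, $blacklist ), keeps a per-IP
 * list of lockout timestamps in a WordPress option, and once an IP has been
 * locked out DEFENDER_EXAMPLE_THRESHOLD times inside DEFENDER_EXAMPLE_WINDOW
 * hands it to a blacklist callback. Drop it in wp-content/mu-plugins/.
 */

defined( 'ABSPATH' ) || exit;

define( 'DEFENDER_EXAMPLE_OPTION', 'defender_example_lockout_counts' ); // assumed option name
define( 'DEFENDER_EXAMPLE_THRESHOLD', 3 );                              // lockouts before blacklisting
define( 'DEFENDER_EXAMPLE_WINDOW', 30 * DAY_IN_SECONDS );               // only lockouts this recent count

/**
 * Record one lockout for $ip and return how many lockouts that IP has had
 * inside the window. Timestamps older than the window are pruned for every IP,
 * so an address that misbehaved a month ago starts from zero again and the
 * option cannot grow without bound.
 */
function defender_example_record_lockout( string $ip, ?int $now = null ): int {
	$now    = $now ?? time();
	$counts = get_option( DEFENDER_EXAMPLE_OPTION, array() );
	if ( ! is_array( $counts ) ) {
		$counts = array();
	}

	foreach ( $counts as $addr => $stamps ) {
		$kept = array();
		foreach ( (array) $stamps as $ts ) {
			if ( $now - (int) $ts <= DEFENDER_EXAMPLE_WINDOW ) {
				$kept[] = (int) $ts;
			}
		}
		if ( $kept ) {
			$counts[ $addr ] = $kept;
		} else {
			unset( $counts[ $addr ] );
		}
	}

	$counts[ $ip ][] = $now;
	update_option( DEFENDER_EXAMPLE_OPTION, $counts, false ); // not autoloaded on every request
	return count( $counts[ $ip ] );
}

/**
 * PLACEHOLDER (assumption): Defender's "add IP to blacklist" method is not named
 * in this thread. Replace this body with a call to that method, or with a push
 * to a central blacklist store shared between sites.
 */
function defender_example_add_to_blacklist( string $ip ): void {
	error_log( sprintf( '[defender-example] would blacklist %s after repeated lockouts', $ip ) );
}

/**
 * Callback for 'wd_login_lockout'. Per the thread, $model->ip is the address
 * that was just locked out; $force and $blacklist are accepted but unused.
 */
function defender_example_on_login_lockout( $model, $force = false, $blacklist = false ): void {
	$ip = ( is_object( $model ) && isset( $model->ip ) ) ? (string) $model->ip : '';
	if ( '' === $ip || false === filter_var( $ip, FILTER_VALIDATE_IP ) ) {
		return; // never act on a missing or malformed address
	}
	if ( defender_example_record_lockout( $ip ) >= DEFENDER_EXAMPLE_THRESHOLD ) {
		defender_example_add_to_blacklist( $ip );
	}
}
add_action( 'wd_login_lockout', 'defender_example_on_login_lockout', 10, 3 );
```

The short Defender lockout (for example the 300-second one in Settings) still applies on every failure; this file only adds the second tier on top of it. As Konstantinos notes, test it from a dev site or a second IP and make sure your own address is not whitelisted, otherwise you will not see the counter move.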
