Brute Force/Unique IP/Simultaneous Login

Hi there,

I have some problems with blocked users due to s2member Brute Force/Unique IP/Simultaneous Login settings.

Is there a way to see the data s2member is logging? Where are the IP addresses stored, for example, which s2member uses to decide if a user login should be blocked? Any way to see this info?

Just a hint for the database structure would be great. If there is no visualisation I can do a bit of MySQL and PHP myself. But of course I need a possibility to access these data.

I just want to have the possibility to see what is stored and what's happening if a user asks me why he is blocked.

Hi Torsten.

I hadn’t checked before, so I looked it up now. The login attempts of the same IP are counted and saved as a transient in the WP “options” table.

See: \s2member\src\includes\classes\brute-force.inc.php

```php
/**
 * Tracks failed login attempts.
 *
 * Prevents an attacker from guessing Usernames/Passwords.
 * Allows only 5 failed login attempts every 30 minutes.
 *
 * @package s2Member\Brute_Force
 * @since 3.5
 *
 * @attaches-to ``add_action('wp_login_failed');``
 *
 * @param string $username Expects the $username to be passed in through the Hook.
 */
public static function track_failed_logins($username = '')
{
	foreach(array_keys(get_defined_vars()) as $__v) $__refs[$__v] =& $$__v;
	do_action('ws_plugin__s2member_before_track_failed_logins', get_defined_vars());
	unset($__refs, $__v);

	if(($max = $GLOBALS['WS_PLUGIN__']['s2member']['o']['max_failed_login_attempts']))
	{
		$exp_secs = strtotime('+'.apply_filters('ws_plugin__s2member_track_failed_logins__exp_time', '30 minutes', get_defined_vars())) - time();
		// If you add Filters to this value, you should use a string that is compatible with PHP's strtotime() function.

		$ip = c_ws_plugin__s2member_utils_ip::current(); // Default value.
		if(!empty($GLOBALS['s2member_pro_remote_op_auth_check_user_ip'])
		   && c_ws_plugin__s2member_utils_conds::pro_is_installed()
		   && c_ws_plugin__s2member_pro_remote_ops::is_remote_op('auth_check_user')
		) $ip = $GLOBALS['s2member_pro_remote_op_auth_check_user_ip'];

		// Transient key: fixed prefix + md5 of a constant string and the client IP.
		$transient = 's2m_ipr_'.md5('s2member_transient_failed_login_attempts_'.$ip);
		set_transient($transient, (int)get_transient($transient) + 1, $exp_secs);
	}
	do_action('ws_plugin__s2member_after_track_failed_logins', get_defined_vars());
}
```

https://codex.wordpress.org/Transients_API

I hope that helps. :slight_smile:

Hi Christian,

thanks for your reply.

I was able to find the transients saved in the database. It looks like that:

```
|    374127 | _transient_s2m_ipr_299c90a09d8989f8f0909f8f90f0 | a:2:{s:12:"95.XX.XXX.XX";i:1553204427;s:13:"160.XXX.XXX.XXX";i:1553230551;}
```

So I think a user is recorded with two different IP addresses. Fine. But which user is it? I am missing the connection between this transient and the user, which will be blocked if too many IP addresses are recognized with his account login.

I hoped to find the user id or the username to identify the user. Any idea how to find the corresponding user?

It doesn’t look like the username is saved with the login attempt, and the IP is not saved for the user because the login didn’t succeed.

More than a login log feature, this is to specifically prevent the attacks. I think it could be expanded, but I understand why Jason didn’t go that far with this.

I think you can combine the power of this restriction, with the logging that another plugin provides, e.g. https://wordpress.org/plugins/user-login-history/

:slight_smile:

1 Like
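Since the key is an md5 hash, you cannot read the IP back out of the option name; but you can go the other way. The script below is an added example (not s2member's or WordPress's own code) for the inspection Torsten asked about: it recomputes the failed-login counter key for a given IP exactly as `track_failed_logins()` does and reads the count, then lists every `_transient_s2m_ipr_*` row in `wp_options` together with its expiry and, where the value is a serialized array like the one shown above, the IP/timestamp pairs it holds. It assumes a standard WordPress bootstrap (run it with `wp eval-file inspect-s2m-ipr.php 95.0.0.1`, the IP being a constructed sample), the default options table, no external object cache (with one, transients are not in `wp_options`), and that no filter has changed the key prefix. The file name and function names are my own.

```php
<?php
// Added inspection example for s2member's s2m_ipr_ transients (not plugin code).
// Usage: wp eval-file inspect-s2m-ipr.php <ip>

function s2m_failed_login_transient_key(string $ip): string {
    // Same construction as track_failed_logins() in brute-force.inc.php.
    return 's2m_ipr_'.md5('s2member_transient_failed_login_attempts_'.$ip);
}

function s2m_failed_login_count(string $ip): int {
    // get_transient() returns false when nothing is stored or it has expired,
    // so an unknown or expired IP reads as zero attempts.
    return (int) get_transient(s2m_failed_login_transient_key($ip));
}

function s2m_list_ipr_transients(): array {
    global $wpdb;
    // Transients are stored as _transient_<key>, with a sibling
    // _transient_timeout_<key> row holding the unix expiry time.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
            $wpdb->esc_like('_transient_s2m_ipr_').'%'
        ),
        ARRAY_A
    );
    $out = [];
    foreach ($rows as $row) {
        $key     = substr($row['option_name'], strlen('_transient_'));
        $timeout = (int) get_option('_transient_timeout_'.$key, 0);
        $out[$key] = [
            'expires' => $timeout ? gmdate('Y-m-d H:i:s', $timeout).' UTC' : '(none)',
            'value'   => maybe_unserialize($row['option_value']),
        ];
    }
    return $out;
}

// $args is filled by WP-CLI's eval-file with the positional arguments.
$ip = $args[0] ?? '';
if ($ip !== '') {
    printf("Failed-login counter for %s: %d (key %s)\n",
        $ip, s2m_failed_login_count($ip), s2m_failed_login_transient_key($ip));
}

foreach (s2m_list_ipr_transients() as $key => $info) {
    printf("%s (expires %s)\n", $key, $info['expires']);
    if (is_array($info['value'])) {
        // Serialized arrays like the row above map IP => unix time of last sighting.
        foreach ($info['value'] as $seen_ip => $seen_at) {
            printf("  %-16s last seen %s UTC\n", $seen_ip, gmdate('Y-m-d H:i:s', (int) $seen_at));
        }
    } else {
        // The failed-login counter is a plain integer.
        printf("  value: %s\n", var_export($info['value'], true));
    }
}
```

To answer "why is this user blocked", ask the user for the IP they logged in from, run the script with it, and compare the counter against the `max_failed_login_attempts` setting; the expiry column tells you when the block lifts on its own without having to delete the row.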

Thanks for the hint. I’ll give it a try.

1 Like

I disable the s2 login protection and use WordFence for that (and more) security features. You even get a nice dashboard to see who’s blocked and unblock them.

1 Like