Blocking Empty Usernames

Andy · 28 August 2019 09:25

Hi all,

I’m currently testing wp-fail2ban before switching to the bronze version. I found out, that more and more brute force scripts are using empty usernames (on wp-login as well as on xmlrpc).

I use iThemesSecurityPro for general settings, but blocking should really be done on Fail2Ban level.

Can you confirm that empty usernames are not triggering any logging, or is it something which can be configured/changed?
Adding a ‘’ to the WP_FAIL2BAN_BLOCKED_USERS array did not work.

id               => 11206
module           => lockout
type             => action
code             => username-lockout::
timestamp        => 2019-08-28 09:20:20
init_timestamp   => 2019-08-28 09:20:19
remote_ip        => 142.44.162.xxx
user_id          => [empty string]
url              => https://www.example.com/wp-login.php
memory_current   => 13542688
memory_peak      => 13568384
data             => Array
    module               => brute_force
    host                 => [boolean] false
    user_id              => [boolean] false
    username             => [empty string]
    module_details       => Array
        type     => brute_force
        reason   => too many bad login attempts
        host     => [integer] 5
        user     => [integer] 10
        period   => [integer] 5
    whitelisted          => [boolean] false
    blacklisted          => [boolean] false
    lockout_type         => brute_force
    lockout_start        => 2019-08-28 11:20:19
    lockout_start_gmt    => 2019-08-28 09:20:19
    lockout_expire       => 2019-08-28 11:35:19
    lockout_expire_gmt   => 2019-08-28 09:35:19
    lockout_username     => [empty string]

Regards,
Andy

invisnet · 29 August 2019 15:09

That’s an interesting one… I’m guessing the password is also blank.

Right now there’s no way to block empty usernames as there was never a need; however, as attacks evolve so must defences, so I’ll add this to 4.3. I’m hoping to release a beta version next week.

Andy · 29 August 2019 15:22

Hi,
I’ve also never seen this, I also don’t know the reason because usually wordpress does not allow any login without username…
The password field for some reason is filled…

    array (
  'host' => 'www.example.com',
  'date' => '2019-08-29T14:43:24+00:00',
  'ip' => '157.7.204.92',
  'data' =>
  array (
    'log' => '',
    'pwd' => '2008',
    'wp-submit' => 'Log In',
    'redirect_to' => 'https:// www.example.com/wp-admin/',
    'testcookie' => '1',
  ),
)array (
  'host' => 'www.example.com',
  'date' => '2019-08-29T14:54:53+00:00',
  'ip' => '62.210.85.51',
  'data' =>
  array (
    'log' => '',
    'pwd' => '2007',
    'wp-submit' => 'Log In',
    'redirect_to' => 'https:// www.example.com/wp-admin/',
    'testcookie' => '1',
  ),
)array (
  'host' => 'www.example.com',
  'date' => '2019-08-29T15:13:06+00:00',
  'ip' => '162.214.21.81',
  'data' =>
  array (
    'log' => '',
    'pwd' => '2006',
    'wp-submit' => 'Log In',
    'redirect_to' => 'https:// www.example.com/wp-admin/',
    'testcookie' => '1',
  ),
)

There are some empty passwords as well, but most of them are the usual suspects in password brute force…

'pwd' => '123456789',
'pwd' => '123456789',
'pwd' => '1234',
'pwd' => '1234',
'pwd' => '1234',
'pwd' => '12345678',
'pwd' => '12345678',
'pwd' => '12345678',
'pwd' => '123123',
'pwd' => '123123',
'pwd' => 'demo',
'pwd' => 'blah',
'pwd' => 'blah',
'pwd' => 'hello',
'pwd' => 'hello',
'pwd' => '1234567890',
'pwd' => '1234567890',
'pwd' => '680',
'pwd' => 'zx321654xz',
'pwd' => '',
'pwd' => '6',
'pwd' => 'logitech',
'pwd' => 'root',
'pwd' => 'F*uckYou',
'pwd' => 'preview',
'pwd' => '11',
'pwd' => 'ayoub93',
'pwd' => '1qaz2wsx',
'pwd' => '1qaz2wsx',
'pwd' => '1111',
'pwd' => 'abc123',
'pwd' => 'password123',
'pwd' => '',
'pwd' => 'admin12345',
'pwd' => 'test1234',
'pwd' => 'test1234',
'pwd' => 'pass1234',
'pwd' => 'pass1234',
'pwd' => '00',
'pwd' => 'admin!@#',
'pwd' => '112233',
'pwd' => 'guest',
'pwd' => 'guest',
'pwd' => 'q1w2e3r4',
'pwd' => 'q1w2e3r4',
'pwd' => '2019',
'pwd' => '2019',
'pwd' => '2018',
'pwd' => '2018',
'pwd' => '2017',
'pwd' => '2017',
'pwd' => '2016',
'pwd' => '2016',

invisnet · 30 August 2019 16:12

Very odd - I’m not sure what they’re trying to achieve.

Looking through the login process again I don’t think there’s any benefit to blocking empty usernames; WP does a good job already. However, logging them to be caught by wordpress-soft.conf seems like a good idea.

Andy · 2 September 2019 14:04

I don’t have a clue neither - for sure I see some attacks using SQLi or RFI in the Referrer headers as they try to also get a backdoor using a possible logging system, but without a username I assume it does not make sense to brute force.

Is there any possibility to use a hook or action, that I can use in other plugins, to trigger a WPfail2ban log to the auth.log?
I also use iThemesSecurityPro - and I would like just to add a fail2ban log to some parts of the plugin - as the only real blocking for me is on iptables layer, not on application layer.