Backend page visits/login attempts

[Entice]

So I've been monitoring one of my sites' login sessions and noticed visits to the backend login page. While I believe having the session throttle module installed does its' magic, I was still concerned about any login attempts. 

So I decided to create add a honey pot into the admin login process since no one should be trying to login except me under a specific username. Before even the session login occurs in the module, if the username doesn't match, it

1. Logs the attempt
2. Saves the ip to a list on an admin page
3. Redirects the user to the 404 page
4. Site immediately checks if ip address exists in the banned list.
5. Throws error on all pages thereafter for that ip address.

This may be going a bit overboard but after seeing constant visits to the backend login page that I believe only I should be visiting, it peaked interest as to what ways I could further protect the back end. As long as I'm careful not to ban myself, should take care of those attempts.

I know I may have a chance of banning an IP shared by many such as a cafe or cell phone network, let alone having ips cycle around,  but we'll see how it goes.

Anyone else have any thoughts on methods of protecting the backend of processwire? (Aside from https://processwire.com/docs/security/admin/)

[gmclelland]

You could use Cloudflare.com's DNS and set a Page Rule to set the security level to "High" for your admin url.  I've never had much luck blocking IP addresses.

[flydev]

9 hours ago, Entice said:

So I decided to create add a honey pot into the admin login process since no one should be trying to login except me under a specific username. Before even the session login occurs in the module

I am highly interested to see how in term of code you manage this. Did you hardcoded the login name in a hook or something like that ?

As you say that you are monitoring a login for a specific username,  you could prevent a login by hiding deeper the admin by naming the page with something complex you only know, eg. an url based on a HASH.

[Entice]

7 hours ago, flydev said:

I am highly interested to see how in term of code you manage this. Did you hardcoded the login name in a hook or something like that ?

As you say that you are monitoring a login for a specific username,  you could prevent a login by hiding deeper the admin by naming the page with something complex you only know, eg. an url based on a HASH.

It's nothing fancy, but I currently don't have it tied to a hook yet. It's a scrap job as I was just exploring ideas to monitor login attempts to the backend.

I've placed it where the login occurs for the backend in the \wire\modules\Process\ProcessLogin\ProcessLogin.module

if($name != "admin" // Or whatever username){
	// Log Attempt
	$this->wire('log')->save('attempts', long2ip($this->wire('session')->getIP(true)).':'.$name.':'.$pass);
	// Get Honeypot Page that contains textarea of banned ips	
	$honeypot = $this->pages->get("/processwire/honeypot/");
	// Get IP Address
	$ip = long2ip($this->wire('session')->getIP(true));
	// Concatenate to textarea and Save Page
	$honeypot->of(false);
	$honeypot->banned = ($honeypot->banned != "")?($honeypot->banned.','.$ip):($ip);;
	$honeypot->save();
	$honeypot->of(true);
	// Redirect to 404
	$this->wire('session')->redirect('/404/');
}
// The rest of the login occurs below:
if($this->wire('session')->login($name, $pass)) {
	//....
}

I'm sure you can hook it before the session login but I didn't bother looking into it so I'm going to just leave it in the process module for now and see what gets captured. It might just be google previewing the url before I visit it or something.

We'll see.

[flydev]

Thanks you very much.

FYI the problem you will encounter with a modified core module, its all the modified code will be ripped off when updating the site.