As of Magento 1.9.3, Magento has finally added brute force protection to the downloader folder. As you may be aware, even if you have changed your default admin path, i.e. to anything other than /admin, Magento Connect is still accessible at yourdomain.com/downloader. The fix for this is to rename your downloader folder or move it out of the root folder so that it is not accessible. However, in order to use Connect you need to rename it back, and renaming it again afterwards tends to be forgotten. This means that the whole of the internet can have as many guesses at your usernames and passwords as they like.
As well as renaming the downloader folder whenever we find it, we also run Fail2ban, which monitors access to this folder and blocks IP addresses that fail to log in multiple times. However, Magento has now added a similar feature to the core of Magento. There is a new file in var/ called brute-force.ini which configures the monitoring of login attempts to Magento Connect.
brute-force-bad-attempts-count = 6
brute-force-diff-time-to-attempt = 360
brute-force-attempts-count = 3
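As an added example that is not part of the original post, here is a small Python script that does what the Fail2ban setup described above does: it walks web-server access-log lines (constructed samples in combined format) and flags any client that POSTs to the downloader more than a set number of times inside a time window. The thresholds of 6 attempts in 360 seconds mirror the two values in brute-force.ini, and the POST path /downloader/ is an assumption about where the Connect login form submits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined access-log format (Apache/nginx); the sample lines below are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Thresholds mirroring brute-force.ini (assumption: 6 attempts within 360 seconds).
MAX_ATTEMPTS = 6
WINDOW_SECONDS = 360
# Assumption: the Connect login form submits by POST to the downloader root.
DOWNLOADER = re.compile(r"^/downloader/?(index\.php)?$")

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:10:00:01 +0000] "POST /downloader/ HTTP/1.1" 200 5120 "-" "curl/7.52"
198.51.100.7 - - [10/Mar/2017:10:00:30 +0000] "POST /downloader/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:00:45 +0000] "POST /downloader/ HTTP/1.1" 200 5120 "-" "curl/7.52"
203.0.113.5 - - [10/Mar/2017:10:01:30 +0000] "POST /downloader/ HTTP/1.1" 200 5120 "-" "curl/7.52"
203.0.113.5 - - [10/Mar/2017:10:02:15 +0000] "POST /downloader/ HTTP/1.1" 200 5120 "-" "curl/7.52"
203.0.113.5 - - [10/Mar/2017:10:03:00 +0000] "POST /downloader/ HTTP/1.1" 200 5120 "-" "curl/7.52"
203.0.113.5 - - [10/Mar/2017:10:03:50 +0000] "POST /downloader/ HTTP/1.1" 200 5120 "-" "curl/7.52"
"""

def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path").split("?")[0])

def find_brute_force_ips(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
    """{ip: time the threshold was crossed} for IPs with >= max_attempts downloader POSTs in a window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent downloader POSTs
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or not DOWNLOADER.match(path):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # expire attempts outside the window
            q.popleft()
        if len(q) >= max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Running `find_brute_force_ips(SAMPLE_LOG.splitlines())` flags only 203.0.113.5, at its sixth POST (10:03:50); the single POST from 198.51.100.7 stays below the threshold.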
Of course the downside is that you may find yourself locked out.
If you see “Access is locked. Please try again in a few minutes” then follow the instructions below.
Solution: open var/brute-force.ini and set
brute-force-bad-attempts-count = 0
and you should be able to log in.
We still recommend you remove or rename the downloader folder for more complete security.