Sucuri Alert Showing Login from Server IP

  • Resolved hktang

    (@hktang)


    5 years, 9 months ago

    1. There was a successful login by a colleague.
    2. A Sucuri Alert was sent, citing the server’s IP, instead of the remote IP.

    Is it something to be concerned?

    When I access the site from the same location with a different user, the correct IP (i.e. not the server IP) shows up in Sucuri log.

Viewing 13 replies - 1 through 13 (of 13 total)

  • I just noted that, too. My logs here show this started March 9.

    Per hktang, “Is it something to be concerned?”

    Having this problem on SOME but not all sites also.

    I am seeing on Hostgator sites. Hostgator updated their EasyApache to 4 a few weeks ago. Now my site with sucuri wp plugin is logging login attempts with the server ip address. I noticed that when I look at the x_forwarded_for it shows only the server IP when I am connecting with https so I think it is a hostgator configuration error. I looked for the Forwarded variable but it is blank.

    Hello @fastrak,

    If you run a PHP script with print_r($_SERVER); do you see the correct IP address in “REMOTE_ADDR”, “HTTP_X_FORWARDED_FOR”, “HTTP_CLIENT_IP”, or something similar? Not all hosting providers set the forwarded IP address in the same form, so I expect some edge cases like this from time to time. Unfortunately, I cannot predict them all, so I rely entirely on user reports to display the correct IP.

    Let me know if you can share more information.

    I ran a php script already and here are my observations:
    For SSL:
    REMOTE_ADDR= 71.9.168.27
    HTTP_X_FORWARDED_FOR= 192.185.152.20
    HTTP_FORWARDED=
    HTTP_CLIENT_IP=

    For Non-SSL:
    REMOTE_ADDR= 71.9.168.27
    HTTP_X_FORWARDED_FOR= 71.9.168.27
    HTTP_FORWARDED=
    HTTP_CLIENT_IP=

    Thank you for the details.

    I think is better to talk with Hostgator and see if they can offer some explanation about the results. Meanwhile, you can use the “IP Address Discoverer” option located in “Sucuri Scanner > Settings > General” to select the server variable that will be used to display the correct IP address. This suggestion also goes for @hktang, @bdconnolly, and @mhschwarz as well.

    Let me know if you need more information.

    Will do. Thank you for the help.

    I’m having the same issue. I have a site where many people log in to post. Every notification I receive has my server IP and nothing seems to change this.

    Sorry, I think the reverse proxy settings was causing this. Fixed!

    Same here. This started with an Apache and PHP update from Bluehost on April 17. Since then, every time I log in Sucuri shows the host’s IP address. And, as of yesterday, Sucuri shows the IP address of anyone attempting to log in as the Host’s address.

    I have been in contact with BlueHost and they seem to think the problem lies in Sucuri’s plugin. This is very, very frustrating.

    It IS the plugin (in my experience). The HTTP Header setting needs to be set for REMOTE_ADDR but for some reason Securi changes it automatically every couple of weeks. Super annoying but easy to fix.

    Not sure how to do that.

    How can I fix this?

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Sucuri Alert Showing Login from Server IP’ is closed to new replies.

Tags