All ip logs as the same ip

After looking into this further, I figured out what the 10.189.254.5 address is. Under server info in sucuri, it says that ip is the remote address. I’m assuming this is an issue with the web host, but if anyone has some suggestions I would greatly appreciate it. Right now I can’t lock whoever this is out, and I’d really like to. Thanks again.

Maybe “Remote Address” is not the best name for that thing, web developers generally understand what it means because that is the name used under the hood, it should actually say something like “User’s IP Address”. I use the “Site Info” page to troubleshoot issues in Sucuri’s client websites, we offer a firewall as one of our premium products and when this service is active the plugin must be re-configured to use a different server global variable to determine the real user’s IP address.

If your current IP is “168.78.44.105” but you are seeing “10.189.254.5” in the “Remote Address” row, then it means that your Internet connection is being filtered by a proxy or something like that. The proxy overrides the content of the global server variable that holds the IP and replaces it with its own address, then creates a new variable named “X-Forwarded-IP” (actually the name of this variable may be different) to hold the real user’s IP.

So, lets try this. Go to the plugin’s settings page and enable the option identified by the name “Support reverse proxy”, then go back to the “Site Info” page and check if the “Remote Address” has the real IP.

Let me know if this works for you.

Thank you for the quick response, and the detailed explanation. I enabled reverse proxy, and the site ip changed to my current public ip, so that seemed to have done something. I will watch the logs for the culprit spamming my site login and see if that shows the real ip. I will report back once I see if the log reflects their ip.

That did the trick. Thanks for your help.

Marking resolved