• Resolved userpqr

    (@userpqr)


    Recently, I have seen some malicious traffic shown in Wordfence Live Traffic on my website. If I click on details, it shows as coming from my own server IP. Typically, they try to access some .php scripts to find out vulnerabilities. My question is, is there any way I can prevent this type of traffic? Moreover, if such requests access any banned URL and get blocked, what impact will it have on my server?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi @userpqr

    Getting your server’s IP blocked is something you need to avoid, as the server won’t be able to connect to itself, which will break many plugins and themes, including Wordfence.

    One thing you need to make sure about here is that Wordfence is detecting IPs correctly on your site. I’m not sure if all the entries in Live Traffic are reporting the same server IP or only those linked to the vulnerability scan attempts?

    A quick way to check that is to:
    Go to (Wordfence > Tools > Diagnostics > IP Detection) and see which one has the word “In use” beside it. That option must reveal your real IP address, which you can check using this tool for example.

    If your IP isn’t being detected correctly, you will have to adjust the “How does Wordfence get IPs” option to the value that was reporting the correct IP address in the previous step.

    Also, sharing a screenshot showing some of these requests in Live Traffic will help me get a better idea about this issue.

    Thanks.

    Thread Starter userpqr

    (@userpqr)

    Hi @wfalaa

    Thanks for the response. I have checked the IP in use. I see Wordfence is using CF-Connecting-IP and it is detecting my IP correctly. Also, Wordfence is using the option – Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites. (Recommended). I am also using Cloudflare. Do I need any change here?

    Also, I saw some malicious traffic in the Live Traffic section that showed malicious attempts from the IP of my server. I think with packet inspection we can discard the packets that have conflicting IPs, especially if they spoof the IP of any internal server. I was wondering, do we get any such option in Wordfence?

    Thanks,

    Thread Starter userpqr

    (@userpqr)

    To add some clarity to the response – Not all traffic in the Live Traffic section shows my server IP. Only some requests do. Those requests typically try to access some vulnerable or banned URLs. So, I believe the problem is IP address spoofing.

    I searched and found out that if I can do ingress filtering to drop packets with conflicting IPs, the problem may be solved. I also saw some articles (e.g. https://www.cyberciti.biz/tips/linux-iptables-8-how-to-avoid-spoofing-and-bad-addresses-attack.html ) that say it is advisable to block your own server IP on the network interfaces. I am not sure if that helps. Again, I use CSF and it does not allow blocking my own server IP. Is there any other way to prevent this type of hacking attempt?

    Hi @userpqr

    Please set the “How does Wordfence get IPs” option to “Use the Cloudflare ‘CF-Connecting-IP’ HTTP header to get a visitor IP. Only use if you’re using Cloudflare.”. Then watch the Live Traffic feed and let me know if you notice similar requests.

    Thanks.
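    The reason the option says “Only use if you’re using Cloudflare” is that any client can type a CF-Connecting-IP header into a request; it is only trustworthy when the connection actually arrived from a Cloudflare edge. As an added example (not Wordfence’s code and not from this thread), the following Python resolves the visitor IP that way: the header is used only when the TCP peer address (REMOTE_ADDR) lies in Cloudflare’s ranges, otherwise the peer address is logged. The range list is a partial sample assumed for illustration; the full current list is published at https://www.cloudflare.com/ips/.

```python
import ipaddress
from typing import Dict, Tuple

# Partial sample of Cloudflare's published IPv4 ranges (assumption for
# illustration only; load the complete list from https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20",
    "104.16.0.0/13",
    "172.64.0.0/13",
)]


def is_cloudflare_edge(remote_addr: str) -> bool:
    """True when the address that opened the TCP connection is a Cloudflare edge."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def client_ip(headers: Dict[str, str], remote_addr: str) -> Tuple[str, str]:
    """Return (visitor_ip, source).

    CF-Connecting-IP is honoured only when the peer is a Cloudflare edge; a
    request that reached the origin directly could carry any value in that
    header (including the server's own address), so it falls back to the peer.
    """
    header = headers.get("CF-Connecting-IP")
    if header and is_cloudflare_edge(remote_addr):
        try:
            return str(ipaddress.ip_address(header.strip())), "CF-Connecting-IP"
        except ValueError:
            pass  # malformed header value: never trust it
    return remote_addr, "REMOTE_ADDR"


if __name__ == "__main__":
    # Constructed requests: one proxied by Cloudflare, one sent straight to
    # the origin with a forged header claiming the origin's own address.
    origin_ip = "192.0.2.10"  # constructed placeholder for the server IP
    via_cloudflare = ({"CF-Connecting-IP": "203.0.113.7"}, "104.16.1.1")
    direct_forged = ({"CF-Connecting-IP": origin_ip}, "198.51.100.9")
    for headers, peer in (via_cloudflare, direct_forged):
        ip, source = client_ip(headers, peer)
        print(f"peer={peer:<14} logged visitor={ip:<14} via {source}")
```

With the check in place the forged request is logged under 198.51.100.9, the address that really connected, rather than under the server's own IP.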

    Thread Starter userpqr

    (@userpqr)

    Hi @wfalaa

    Thanks for the response. It worked.

  • The topic ‘How to block malicious traffic from spoofed IP ?’ is closed to new replies.