• Resolved viedu

    (@viedu)


    On Friday, all users were being locked out of our site. Once the lockouts expired, and we were able to log in to the back-end, we noticed it was locking out the load balancer, not the individual user IPs. We have X_FORWARDED_FOR set as the $_SERVER variable to be used for detecting user IP addresses. The issue only happened that one time, but wondering if you have any insight into why that might happen, and what we can do to ensure it doesn’t happen again. Thanks.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @viedu,

    WP Security > Dashboard > Audit logs has a “Failed login” event to filter.

    Can you please cross-check whether records for your load balancer IP are there and, if yes, provide the stack trace for it using https://pastebin.com/ so I can cross-check whether correct IP detection is used, and why your load balancer IP is used instead, given the X_FORWARDED_FOR setting? Is the IP address correct as per https://whatismyipaddress.com/ ?

    Please try disabling the setting below; if any cron job is running locally with blank HTTP headers on a POST request, it might be blocking that.

    WP Security > Firewall > Internet bots ban – Blank HTTP headers: Ban POST requests that have a blank user-agent and referer

    Regards

    Thread Starter viedu

    (@viedu)

    Ok, here’s the pastebin: https://pastebin.com/v7DKRS2S

    We have over 14k new failed logins this morning, all with 10.1.x.x addresses (our load balancers are 10.1…)

    X_FORWARDED_FOR is showing the following: “Your IP address if using this setting: 66.60.182.202, 15.158.5.18”

    That matches whatsmyipaddress (66.60.182.202)

    The Blank HTTP Headers POST Ban setting was already disabled.

    Thanks,

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @viedu

    If the X_FORWARDED_FOR method is selected and the IP is two IP addresses separated by a comma (“66.60.182.202, 15.158.5.18”), it should consider the first, 66.60.182.202, as the visitor IP.

    If I cross-check the audit log, the records show IP 10.1.1.153, so it must be something from your server trying to run wp-login.php. Do you have the rename login page feature on?

    WP Security > Brute force > Rename login page – enable rename login and remember that URL to log in; it will stop access to wp-login.php.

    Please try enabling that.

    Regards

    Thread Starter viedu

    (@viedu)

    Thanks for your response. The 10.x IP address is the internal IP address of the load balancer, which is the entire problem. Why isn’t the log using the X_FORWARDED_FOR address, and instead is using the actual address of the load balancer?

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @viedu,

    As per the settings, your site uses the X_FORWARDED_FOR variable to detect the IP address. If 10.1.1.153 is recorded, it means that somehow X_FORWARDED_FOR is set to it or to 127.0.0.1, which tries to detect the IP.

    As per the stack trace, it is the /wp-login.php script, so you should try renaming the login page so it will have fewer such failed login attempts.

    The XML-RPC call of wp_getUsersBlogs is trying to authenticate the user, which is also often the reason for failed login audit logs. – WP Security > Firewall > Basic firewall rules tab > Completely block access to XMLRPC, Disable pingback functionality from XMLRPC. Please check both and Save.

    Regards

  • The topic ‘Plugin picking up load balancer IP even though X_FORWARDED_FOR is set’ is closed to new replies.
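
Added example, not part of the thread and not the plugin's code: proxy-aware client IP resolution in PHP for the load balancer setup discussed above. The function names, the trusted proxy list and the treatment of 15.158.5.18 as a trusted upstream hop are assumptions, and the right-to-left walk over X-Forwarded-For goes beyond the first-entry rule mentioned in the replies.

```php
<?php
// Added example; not the plugin's code. Function names are hypothetical.
/** True when IPv4 address $ip lies inside $cidr (IPv6 is never matched). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (~0 << (32 - max(0, min(32, (int) $bits)))) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted_proxy(string $ip, array $trusted): bool
{
    return (bool) array_filter($trusted, fn ($cidr) => ip_in_cidr($ip, $cidr));
}

/** Resolve the client address from REMOTE_ADDR and X-Forwarded-For. */
function resolve_client_ip(array $server, array $trusted): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    // Believe the header only when the direct peer is one of our proxies.
    if ($xff === '' || !is_trusted_proxy($peer, $trusted)) {
        return $peer;
    }
    // Right to left: each proxy appends the address it received the request from.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed entry: fall back to the peer address
        }
        if (!is_trusted_proxy($hop, $trusted)) {
            return $hop; // right-most hop that is not one of our proxies
        }
    }
    return $peer; // every hop was a trusted proxy
}

// Constructed input: 10.1.0.0/16 is the load balancer range from the thread;
// trusting 15.158.5.18 as an upstream hop is an assumption.
$trusted = ['10.1.0.0/16', '15.158.5.18/32'];
$req = ['REMOTE_ADDR' => '10.1.1.153',
        'HTTP_X_FORWARDED_FOR' => '66.60.182.202, 15.158.5.18'];
echo resolve_client_ip($req, $trusted), "\n";
echo resolve_client_ip(['REMOTE_ADDR' => '10.1.1.153'], $trusted), "\n";
```

With the constructed input this prints 66.60.182.202 for the request that carries the header and 10.1.1.153 for the one that does not. In this resolver, any request that reaches PHP without the header is attributed to the load balancer itself, so lockout logic built on it should exempt the trusted proxy range.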