• Resolved donikatz

    (@donikatz)


    Hello,

    For some reason the “Increased Attack Rate” emails we receive always list only our proxy addresses, while everything else (“User locked out from signing in” emails, “Admin Login” emails, Live Traffic, Blocked IPs) shows the true client IPs.

    “How does Wordfence get IPs” is set to the default “most secure” option, but if everything else is able to display the X-Forwarded-For as expected, doesn’t seem like I should change that setting, does it? But why are the “Increased Attack Rate” emails displaying differently — do they use a different mechanism?

    Thanks, Doni

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi Doni,
    May I have a screenshot or a snippet of what you see in “Increased Attack Rate” emails?

    Also, please check (Wordfence > Tools => Diagnostics => IPs) and make sure that your correct IP is displayed there.

    Thanks.

    Thread Starter donikatz

    (@donikatz)

    Actually, I thought it was showing IPs from our load balancers, but they’re the IPs from the redirect hosts behind the load balancers (which are in front of WP).

    Diagnostic: REMOTE_ADDR 192.168.70.20
    Which is the internal IP of one of our redirect hosts.

    Increased Attack Rate email:

    June 16, 2017 3:10pm 192.168.66.173 (Unknown) Blocked for a Malicious File Upload in file: files=DeleteHandler.php
    June 16, 2017 3:08pm 192.168.66.173 (Unknown) Blocked for Directory Traversal – wp-config.php in POST body: rootpath=../../../wp-config.php
    June 16, 2017 3:07pm 192.168.70.20 (Unknown) Blocked for a Malicious File Upload in file: files=aoVtlXNs.php
    June 16, 2017 3:07pm 192.168.66.173 (Unknown) Blocked for Directory Traversal in query string: filename=../../../../../../../../../etc/passwd
    June 16, 2017 3:07pm 192.168.70.20 (Unknown) Blocked for Directory Traversal in query string: fileName=../../../../../../../../../../etc/passwd
    June 16, 2017 3:07pm 192.168.70.20 (Unknown) Blocked for LFI: Local File Inclusion in query string: filepath=/etc/passwd
    June 16, 2017 3:07pm 192.168.70.20 (Unknown) Blocked for LFI: Local File Inclusion in query string: url=/etc/passwd
    June 16, 2017 3:07pm 192.168.70.20 (Unknown) Blocked for LFI: Local File Inclusion in query string: file_link=/etc/passwd
    June 16, 2017 3:07pm 192.168.70.20 (Unknown) Blocked for Directory Traversal – wp-config.php in query string: files=../../../../wp-config.php
    June 16, 2017 3:07pm 192.168.70.20 (Unknown) Blocked for Slider Revolution: Local File Inclusion

    So it’s checking REMOTE_ADDR and not X-FORWARDED-FOR, even though everything else seems to be checking X-FORWARDED-FOR.

    For example, a recent “User locked out from signing in” email:
    User IP: 120.25.225.89

    Thanks!

    Thread Starter donikatz

    (@donikatz)

    I switched to the option to use X-Forwarded-For to get IPs, and everything still seems to be working. So I’ll see what happens in the next “Increased Attack Rate” email.

    Thread Starter donikatz

    (@donikatz)

    Update: After switching to use X-Forwarded-For to get IPs, “Increased Attack Rate” emails now show the correct IPs.

  • The topic ‘Proxy IP Addresses in Increased Attack Rate emails?’ is closed to new replies.
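
The thread turns on whether the client address is read from REMOTE_ADDR or from X-Forwarded-For when WordPress sits behind load balancers and redirect hosts. The sketch below is an added example, not part of the original thread and not Wordfence's code: it accepts the header only when the direct peer is a known proxy and reads it right to left, so a value forged by the client is never chosen. The trusted range 192.168.0.0/16, the load balancer address 192.168.60.5 and the forged entry are constructed assumptions, as is the premise that each proxy appends the address it received the request from.

```python
import ipaddress

# Assumption: load balancers and redirect hosts all live in this internal range.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.0.0/16")]


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True when the address belongs to one of our own proxy networks."""
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Return the address to log or block for one request."""
    peer = ipaddress.ip_address(remote_addr)
    # A peer outside the proxy range connected directly, so any
    # X-Forwarded-For it sent is attacker-controlled and is ignored.
    if not is_trusted(peer, trusted) or not x_forwarded_for:
        return str(peer)
    candidate = peer
    # Each proxy appends the address it received from: read right to left.
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        candidate = ip
        if not is_trusted(ip, trusted):
            break  # first hop we do not operate: this is the client
    return str(candidate)


# Constructed requests: (REMOTE_ADDR, X-Forwarded-For) as seen by WordPress.
SAMPLE_REQUESTS = [
    ("192.168.70.20", "120.25.225.89, 192.168.60.5"),               # normal path
    ("192.168.70.20", "192.168.1.1, 120.25.225.89, 192.168.60.5"),  # forged first entry
    ("203.0.113.7", "192.168.1.1"),                                 # direct hit, forged header
    ("192.168.66.173", None),                                       # header missing
]

if __name__ == "__main__":
    for remote_addr, xff in SAMPLE_REQUESTS:
        print(f"REMOTE_ADDR={remote_addr:<15} resolved={resolve_client_ip(remote_addr, xff)}")
```

Taking the leftmost header entry instead would return the forged 192.168.1.1 for the second request, which is why the header should only be honoured up to the first hop outside the trusted range.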