• Resolved jimmycrackedcorn

    (@jimmycrackedcorn)


    I’ve been using your plugin for a long time. I’ve only recently begun adding SSL certificates to my web sites.

    Now that the sites have SSL on them, the IP address that gets locked out seems to typically be my own IP address. I asked my support folks and they said:

    Hello,

    The 207.246.240.x IP addresses that are appearing on your site are the Cloudsites load balancer IP addresses, as all SSL traffic to your site using SNI will appear as though it is coming from the load balancer. The best way to fix this would be to adjust the settings for your Login Lockdown plugin so that it is identifying IP addresses by using the “X-Forwarded-For” header. This will prevent those load balancer IP addresses from causing blocked logins and should fix the issue you are encountering. I hope this information helps, and please let us know if there is anything else we can assist with.

    Regards,
    John M
    Liquid Web Support

    Are you able to use the “X-Forwarded-For” header as John suggests?

    Thank you.


Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter jimmycrackedcorn

    (@jimmycrackedcorn)

    I am now testing the plugin “Limit Login Attempts Reloaded” as a replacement for yours.

    @jimmycrackedcorn – the result will be the same, unfortunately. Any security that is based off of IP address won’t work on a system that sees all traffic as coming from the same IP address, such as the one you are using now.

    The reason I am not checking against the X-Forwarded-For header is because it can be spoofed by the client, which would make it useless as a blocking measure:

    https://www.f5.com/company/blog/security-rule-zero-a-warning-about-x-forwarded-for

    Bots could just send a new IP address in that field each time, thus circumventing the limit on the number of login attempts. I am working on some other means to secure the login form under those scenarios though.

    -Michael

  • The topic ‘Lockdown locks ME out’ is closed to new replies.
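
The two concerns raised in this thread (every login appearing to come from the load balancer, and `X-Forwarded-For` being client-controlled) can be handled together by reading the header only when the connecting peer is a known proxy, and then only from the right-hand end. The PHP below is an added example, not code from either plugin named in the thread. It assumes the load balancer appends the connecting address as the last header entry and that the site is reachable only through it; the `/24` range, the function names and the sample requests are constructed for illustration.

```php
<?php
// Added example: not code from either plugin named in the thread.
// ASSUMPTION: "207.246.240.x" in the thread is read as 207.246.240.0/24.
const TRUSTED_PROXIES = ['207.246.240.0/24'];

/** True if IPv4 address $ip lies inside one of the TRUSTED_PROXIES ranges. */
function is_trusted_proxy(string $ip): bool
{
    $ipLong = ip2long($ip);
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr) + [1 => '32'];
        $netLong = ip2long($net);
        $mask = -1 << (32 - (int) $bits); // 64-bit PHP assumed
        if ($ipLong !== false && $netLong !== false
            && ($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/** Address to count failed logins against (hypothetical helper name). */
function resolve_client_ip(string $remoteAddr, ?string $xff): string
{
    // Peer is not the load balancer: the header is client-controlled, ignore it.
    if (!is_trusted_proxy($remoteAddr) || $xff === null || trim($xff) === '') {
        return $remoteAddr;
    }
    // Proxies append, so read right to left and stop at the first hop that
    // is not ours; everything further left was supplied by the client.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            break; // malformed entry: fall back to the peer address
        }
        if (!is_trusted_proxy($hop)) {
            return $hop;
        }
    }
    return $remoteAddr;
}

// Constructed requests: [peer address, X-Forwarded-For value].
foreach ([['207.246.240.10', '198.51.100.7'],
          ['207.246.240.10', '10.9.9.9, 198.51.100.7'], // forged entry prepended
          ['203.0.113.50', '198.51.100.7']] as [$peer, $xff]) { // direct hit
    printf("%-15s %-24s => %s\n", $peer, $xff, resolve_client_ip($peer, $xff));
}
```

If the proxy forwards a client-supplied header without appending the peer address, or the origin can be reached directly, the rightmost entry is no more trustworthy than the rest and this approach does not apply.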