• Hi, I guess that the attacks were blocked since I’m not using those themes/plug-ins, and no less since I have Wordfence; that’s OK. The alert mentioned 180+ attacks twice for every website, progressively trying one after another.

    My concern is about two other aspects rather than what the attacks could lead to:

    1. Why are the attacks coming from 127.0.0.1?
    2. Why is the IP not being blacklisted after the first attack?
    • This topic was modified 5 years, 4 months ago by Syncly.it.
  • Thread Starter Syncly.it

    (@elnath78)

    Hi @wfphil

    Maybe canned was not the right term, I didn’t mean automated like from a bot but rather a copy/paste since I see the option with its full description.

    However, back to my former question, I need to rephrase it; I was not generally asking why Wordfence failed to detect the IP, but rather why it failed only on XSS attacks while working fine with other login attempts.

    Also, was it a temporary bug of the “Let Wordfence use the most secure method to get visitor IP addresses” option that is now resolved, or should I switch to “Use the X-Real-IP HTTP header” permanently due to having those websites hosted at Cloudways?

    Plugin Support wfphil

    (@wfphil)

    Hi @elnath78

    The type of attack would be irrelevant as the IP detection in Wordfence needed improvement.

    We released a fix in version 7.3.6:

    Fix: IP detection at the WAF level better mirrors the main plugin exactly when using the automatic setting.

    However, I still recommend that you use the setting “Use the X-Real-IP HTTP header. Only use if you have a front-end proxy or spoofing may result”.
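
The caveat in that setting's label (only trust X-Real-IP when a front-end proxy sits in front of the site) can be illustrated with the following added Python sketch, which is not part of the thread and not Wordfence's code. It assumes the proxy connects from loopback, as the 127.0.0.1 source in this topic suggests; `TRUSTED_PROXIES`, `client_ip`, `tally` and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption for this sketch: the only front-end proxy connects from loopback,
# matching the 127.0.0.1 source seen in the thread. Use your proxy's real ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]

def _parse(value):
    """Return an ip_address object, or None for missing/garbage input."""
    try:
        return ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None

def _is_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, headers):
    """Pick the address that blocking and rate limiting should key on."""
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("unparseable socket address: %r" % (remote_addr,))
    if not _is_proxy(peer):
        # Direct connection: an X-Real-IP header here was written by the
        # client itself, so honouring it would let the client spoof its IP.
        return str(peer)
    real = _parse(headers.get("X-Real-IP"))
    if real is None or _is_proxy(real):
        return str(peer)  # header absent, malformed, or pointing at the proxy
    return str(real)

def tally(requests, resolver):
    """Count blocked requests per resolved address."""
    return Counter(resolver(addr, hdrs) for addr, hdrs in requests)

# Constructed sample: (socket peer, request headers) for five blocked requests.
SAMPLE = [
    ("127.0.0.1", {"X-Real-IP": "203.0.113.7"}),
    ("127.0.0.1", {"X-Real-IP": "203.0.113.7"}),
    ("127.0.0.1", {"X-Real-IP": "198.51.100.20"}),
    ("198.51.100.99", {"X-Real-IP": "203.0.113.7"}),  # direct, forged header
    ("127.0.0.1", {}),                                 # proxy sent no header
]

if __name__ == "__main__":
    print("socket peer only:", dict(tally(SAMPLE, lambda a, h: a)))
    print("proxy-aware     :", dict(tally(SAMPLE, client_ip)))
```

Keyed on the socket peer alone, four of the five sample requests collapse onto 127.0.0.1; with the proxy-aware resolver they separate per visitor, and the forged header on the direct connection is ignored.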

    Thread Starter Syncly.it

    (@elnath78)

    Hi @wfphil

    It seems that the XSS attacks stopped, I’m not sure but possibly blocked at hosting provider level.

    About my other ticket of some months ago, were you able to schedule a release date to make a distinction between failed and banned login attempts when using a real user with respect to a common/missing user?

    Plugin Support wfphil

    (@wfphil)

    Hi @elnath78

    XSS attacks are very common so your hosting provider may be using a firewall installed at the server level but that is something you would have to ask them.

    With regard to your feature request, all feature requests are discussed by the team and given careful consideration, so you may see this in a future version of Wordfence here:

    https://www.ads-software.com/plugins/wordfence/#developers

    Thread Starter Syncly.it

    (@elnath78)

    Hi @wfphil

    I wanted to update you about these XSS attacks: it now correctly looks up the IP address of the attacker, yet it is allowed to perform multiple (120+) attacks without blacklisting the attacking IP. Why is it not blocked after the first attack?

    https://share.creoweb.it/9362a4bb.jpg

    Plugin Support wfphil

    (@wfphil)

    Hi @elnath78

    Thank you for the update.

    If you have a message in red on the Wordfence Live Traffic tool page feed saying that the XSS attack was blocked then there is nothing more to do as the firewall is doing its job of blocking the attack automatically for you.

    Remember that Wordfence cannot stop any IP address from making requests to your web server.

    I will mark this as resolved for you.

    Thread Starter Syncly.it

    (@elnath78)

    Hi @wfphil

    You probably didn’t read my last message. The firewall blocked 120+ attacks; this means that it is not correctly blacklisting the attacker IP but rather allows it to access the website and perform another attack. It should blacklist the attacker IP after the first XSS or other form of attack and prevent it from continuing to try.

    Plugin Support wfphil

    (@wfphil)

    Hi @elnath78

    Thank you for the update and I did read your previous reply.

    All attacks are being successfully blocked after the first attack. As mentioned in my reply Wordfence cannot prevent any IP addresses from making requests to your web server. If any requests are seen as being malicious or potentially malicious then they are automatically blocked.

    If you are specifically enquiring about the IP address blacklist feature in Wordfence, that is only available to customers of the premium version of Wordfence, then you will need to send your questions to presales [at] wordfence [dot] com as we are forbidden from discussing the premium version of Wordfence in the forum.

    Thread Starter Syncly.it

    (@elnath78)

    Hi @wfphil

    Sorry if I wasn’t too clear, I have set a rule to block IPs that fail a given number of logins and to block logins using user names that don’t exist.

    I thought that blocking an IP, and hence refusing all the data sent from it, would be a smarter way to prevent further XSS attempts rather than filtering them one by one. If an IP performs any kind of attack, it should be blacklisted and the data sent should not even be considered, though.

    Plugin Support wfphil

    (@wfphil)

    Hi @elnath78

    Thank you for the update.

    Hackers will often use multiple IP addresses and some hackers have enormous pools of IP addresses that they can use. Therefore you won’t be able to catch up with them as they change IP addresses. You can waste a lot of time blocking IP addresses when the firewall is already automatically blocking malicious requests for you so that you don’t have to do anything.

    If you do decide to permanently block IP addresses manually in Wordfence then it is not always the best solution as outlined here:

    https://www.wordfence.com/blog/2017/11/should-permantly-block-ips/

  • The topic ‘Increased Attack Rate, why from 127.0.0.1?’ is closed to new replies.