IPv6 breaks Login Lockdown Feature

  • Resolved st01en

    (@st01en)


    8 years, 11 months ago

    When I try to access my site via IPv6 I get the following error:
    ERROR: Login failed because your IP address has been blocked. Please contact the administrator.

    If I disable IPv6 on the computer accessing the site, I’m able to login and can verify that no IPv6 addresses appear in the Locked IP Addresses list.

    Possibly related: Reaching the number of failed attempts when using IPv6 does not add an IPv6 address to the Locked IP Addresses list.

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, just curios did you by any chance add an IPv6 address to the Login Whitelist tab under Brute Force settings?

    Thread Starter st01en

    (@st01en)

    No, there are no IPs (v4 or v6) there, and that feature is not turned on.
    Will try it out and see what happens.

    Thread Starter st01en

    (@st01en)

    I’m not able to add an IPv6 address to the whitelist, I get this error:
    2001:470:81e5::1 is not a valid ip address format.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for getting back to me. The plugin developers will investigate further your issue.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    I’m not able to add an IPv6 address to the whitelist, I get this error:
    2001:470:81e5::1 is not a valid ip address format.

    You are running an old version of the plugin. We added IPv6 support for the whitelist feature in last release.

    Thread Starter st01en

    (@st01en)

    I only installed it 1 week ago, and it updated 3 days or so ago.
    The system info tab gives me this for the AIOWPS plugin:

    All In One WP Security 4.0.2 https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin

    Thread Starter st01en

    (@st01en)

    Also, (and I should have mentioned this) it appears that this only broke with the 4.0.2 update. When I first installed it, I was able to log in with IPv6.

    Thread Starter st01en

    (@st01en)

    Some more testing shows that it only breaks there are ip addresses in the block list.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Ok thanks for the info. I will investigate further and apply a fix if necessary.

    Thread Starter st01en

    (@st01en)

    Just updated to 4.0.4 and retested, same issue.
    Let me know if you need more info.

    Thread Starter st01en

    (@st01en)

    Still busted, looks like this is the offending bit of code (in classes/wp-security-utility-ip-address.php )
    /*
    * Returns the first three octets of a sanitized IP address so it can used as an IP address range
    */
    static function get_sanitized_ip_range($ip)
    {
    global $aio_wp_security;
    //$ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
    $ip_range = ”;
    $valid_ip = filter_var($ip, FILTER_VALIDATE_IP); //Sanitize the IP address
    if ($valid_ip)
    {
    $ip_range = substr($valid_ip, 0 , strrpos ($valid_ip, “.”)); //strip last portion of address to leave an IP range
    }
    else
    {
    //Write log if the ‘REMOTE_ADDR’ contains something which is not an IP
    $aio_wp_security->debug_logger->log_debug(“AIOWPSecurity_Utility_IP – Invalid IP received “.$ip,4);
    }
    return $ip_range;
    }

    This will not handle IPv6 addresses correctly.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Ok thanks.
    I have made some changes to the code to rectify this issue.
    If you would like me to send you a beta version of the plugin to try please get in touch with me using my contact form.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘IPv6 breaks Login Lockdown Feature’ is closed to new replies.