Is there a way to block user when host and IP are the same?

  • Resolved justwander

    (@justwander)


    4 years, 2 months ago

    Hello,
    Right now I am in the middle of an attack coming from all over trying to access the same pages. All of them are outside the US and in most cases the IP and host are the same.

    Is there a way to block users like this. I have yet to have a legitimate visitor who has the host matching the IP.

    Thanks

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @justwander and thanks for reaching out.

    You can only block by IP or URL currently. What sort of pages are they trying to access? You could set up All Options > Advanced Firewall Options > Immediately block IPs that access these URLs to block any IP that tries to access these URLs.

    https://www.wordfence.com/help/firewall/options/#immediately-block-urls is a good resource for setting that up.

    If you are getting hit frequently from the same IP, you can also go to your Tools > Live Traffic and block the IP directly from there.

    Let me know if this helps!

    Thanks!

    Thread Starter justwander

    (@justwander)

    @wfadam,
    Thanks for helping out.

    This time around this they are trying to login. I have a very low reject number set since I am the only one logging in. So it seems they are just going through computers all over the world trying to hit the jackpot. (Mostly from third world countries.) They are going to be at it for a long time since my passwork is over 22 characters.

    My worry is in the middle of everything they will break in through another page. Maybe I worry too much but I think better safe than sorry.

    I wish there was a way to block a user using a matching host and IP. Even if that block is not left active permanently it could discourage someone and get them to move on.

    Lastly, could I put a temporary block on any IP that is not mine? I thought I remembered seeing that, I just can’t remember where.

    Plugin Support WFAdam

    (@wfadam)

    Thanks for responding @justwander

    You could always set up a Custom Pattern block, which is similar to what you are asking.
    https://www.wordfence.com/help/blocking/#custom-pattern

    You can specify a hostname and IP from there. I also recommend setting up 2FA on your account if you are worried about potential threats.
    https://www.wordfence.com/help/tools/two-factor-authentication/#how-to-enable-two-factor-authentication can walk you through how to set that up.

    Also what user names are they trying to use? If its standard user names like admin then you could also go to All Options > Brute Force Protection > Immediately lock out invalid usernames and enable this option.

    Let me know if this helps!

    Thanks!

    Thread Starter justwander

    (@justwander)

    Thanks @wfadam,
    Most of what you suggested I already do.

    what user names are they trying to use?
    Right now [login]. Over time I collected a list of them and they are all blocked.

    `If you are getting hit frequently from the same IP
    This attacker hits three or four times from one location then jumps to another. This gives a new set of attempts to login (my limit is two then block).

    set up a Custom Pattern block
    This I have been doing with some success. I have learned to set blocks with a wide enough net to block bad actors yet not so broad that visitors I want are kept out.

    go to your Tools > Live Traffic and block the IP directly from there
    I have the blocking page up in another tab so I can refer to live traffic and still be able to add notes to the block entry.

    I just wish the block page provided a way to block when IP equals host.

    Also, I know I saw it but can’t remember, where is the place where you can allow only one IP (mine) to access the site. Maybe if they can’t access login at all they will give up.

    Thanks again.

    Plugin Support WFAdam

    (@wfadam)

    The only way I could think something like that could work could be if you added your login URL to All Options > Advanced Firewall Options > Immediately block IPs that access these URLs. Then also added your IP to All Options > Advanced Firewall Options > Whitelisted IP addresses that bypass all rules.

    Please note that this feature is often misunderstood, and we have site admins who try to whitelist their home IP address on a broadband connection. Your broadband IP address is not a permanent IP address because it is dynamically assigned and will change after several weeks or months – or sometimes over a shorter period. So we don’t recommend you try whitelisting your home Internet connection’s IP address if you’re using ADSL or cable modem because your IP will inevitably change after a time, making this whitelisting ineffective and potentially causing whoever is assigned the IP address after you lose it to have unlimited access to your website. Only use this feature if you are sure you have a permanent IP address. Most people don’t.

    It just comes with the risk of also being locked out yourself once your IP lease runs out.

    Thanks again for your support and I hope this was helpful!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Is there a way to block user when host and IP are the same?’ is closed to new replies.