Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Max Chirkov

    (@maxchirkov)

    Thanks, Alexander! It’s now implemented in version 0.9.5

    Relevant information on the difficulties determining the real IP address.

    https://security.stackexchange.com/questions/27958/brute-force-login-attempt-from-spoofed-ips

    https://php.net/manual/en/reserved.variables.php

    There is a danger of introducing a spoofed IP address vulnerability.

    Plugin Author Max Chirkov

    (@maxchirkov)

    Hi Jim,

    I’m not a security expert, but in our case we’re simply logging information – we’re not using any IPs for authentication purposes. With the same success, I can simply leave the IP field as it was (REMOTE_ADDR) and add HTTP_X_REAL_IP under the DATA field, together with header information. As far as I know, header information together with User-Agent can be spoofed as well, but we don’t really worry about that either.

    Unless I’m missing your point?

    Jim

    (@imagenuity)

    I am no security expert either, and true, this is simply logging information. I commented because I found a lot of poor information and bad code examples about this topic while searching for more information, and added the comment above to point to relevant information for those that want it. In the case of Simple Login Log, this change wouldn’t introduce a vulnerability.

    Assuming REMOTE_ADDR is not a local IP (such as 127.0.0.1), if HTTP_X_REAL_IP and REMOTE_ADDR were different, that would be information of interest to me.

    Thanks for the work in Login Log, it’s a useful plugin.

    Plugin Author Max Chirkov

    (@maxchirkov)

    Jim,

    I appreciate your input! I’ve never heard about HTTP_X_REAL_IP before, and I make quite a few security errors in my plugins, due to lack of experience. Thanks for the links as well – I have a little better understanding of this now. I made a note to myself to log both IPs – I think this would make it more useful.

    Thanks again and have a great weekend!
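The approach the two posts above converge on (record REMOTE_ADDR and HTTP_X_REAL_IP side by side, and flag a disagreement rather than trust the header) as an added example; this is not code from the Simple Login Log plugin, and the trusted-proxy addresses are hypothetical placeholders for whatever reverse proxy actually sits in front of the site:

```php
<?php
// Added example (not part of the Simple Login Log plugin): record both the
// TCP peer address and the proxy-supplied header, and only treat the header
// as the client address when the peer is a proxy we operate ourselves.

/** Reverse proxies we control; hypothetical addresses, adjust for your setup. */
const TRUSTED_PROXIES = ['10.0.0.5', '127.0.0.1'];

/**
 * Build the IP-related fields for one login-log entry.
 *
 * @param array $server Normally $_SERVER; passed in so the function is testable.
 * @return array{remote_addr:string, x_real_ip:?string, client_ip:string, mismatch:bool}
 */
function login_log_ip_fields(array $server): array
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_X_REAL_IP'] ?? null;

    // Anything that is not a syntactically valid address is not worth storing
    // from a client-controlled header (it could be padding or log injection).
    if ($header !== null && filter_var($header, FILTER_VALIDATE_IP) === false) {
        $header = null;
    }

    // The header reflects the real client only when our own proxy set it,
    // i.e. when the TCP peer (REMOTE_ADDR) is that proxy.
    $from_trusted_proxy = in_array($remote, TRUSTED_PROXIES, true);
    $client_ip = ($from_trusted_proxy && $header !== null) ? $header : $remote;

    return [
        'remote_addr' => $remote,
        'x_real_ip'   => $header,
        'client_ip'   => $client_ip,
        // A header that disagrees with REMOTE_ADDR on a direct (non-proxied)
        // connection is the case Jim describes: flag it in the log, do not trust it.
        'mismatch'    => !$from_trusted_proxy && $header !== null && $header !== $remote,
    ];
}

// Constructed sample requests: one direct connection carrying a forged header,
// one that genuinely arrived through the trusted proxy.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_REAL_IP' => '198.51.100.9'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_REAL_IP' => '198.51.100.9'];

print_r(login_log_ip_fields($direct));
print_r(login_log_ip_fields($proxied));
```

Storing all four fields keeps the raw values available for later review while the `client_ip` column stays safe to use for anything beyond display.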

  • The topic ‘Log real IP’ is closed to new replies.