Lots of odd errors spoofed IPs and repeatedly getting blocked
-
Hi,
I have a few questions and more than a few apparent problems. I have a couple of wordpress sites running wordfence, all on the same server. One on its own ip. Just for convenience, I’ll call the two causing most problems BCD and WPD.
The sites are on the same vps as about 50 other sites of mine. Most are html sites, not wordpress.
First question:
Looking at live traffic on the bcd website, I am seeing things like:
Mountain View, United States tried to access non-existent page https://www.domainname.it/apple-app-site-association
22/08/2016 17:51:53 (48 minutes ago) IP: 66.249.66.50 [block] Hostname: crawl-66-249-66-50.googlebot.com
Browser: undefined
To be clear, the https://www.domainname.it mentioned above is an html website on the same server, but not the wordpress site that wordfence is supposed to be protecting. Now the above visitor was Googlebot, I assume, but how on earth is a wordpress security plugin telling me about visitors to totally different domains? This is coming up all over the place…
Second Question:
On the WPD website (and to a lesser degree on BCD) I am seeing hundreds of reported visits to non-existing pages, or attempts to access files that don’t exist (vulnerability scans?) and also blocked attempts to upload malicious files that appear to emanate from my own IP and server name. I have seen my own server blocked umpteen times in the past few days (I only just realised) for too many 404s and so on.
I understand my server is using nginx as a reverse proxy. Armed with this limited information I tried changing the ‘how wordfence identifies ips’ options. I have tried the two suggested for sites running a proxy, but it’s hard to tell if they make any difference.
I have tried different options, but I get something like this when I look in diagnostics:
REMOTE_ADDR 93.56.xxx.xxx In use
CF-Connecting-IP (not set)
X-Real-IP (not set) Configured, but not valid
X-Forwarded-For (not set)
The remote IP address was the pc I was using at the time I opened diagnostics – which I suppose is correct? But nowhere do I see the IP address of the site itself. Is that normal? The ‘not valid’ message is followed by a red cross, so I’m guessing not. It’s not possible to tell what works and what doesn’t. Each time I think maybe something works, I see my site server getting blocked again, or attacks via what I assume are spoofed ip addresses.
It’s very confusing.
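A generic sketch of how an application behind a reverse proxy can choose the visitor address from the values listed in the diagnostics above (REMOTE_ADDR, X-Real-IP, X-Forwarded-For). This is an added example, not part of the original post and not Wordfence's code; the trusted-proxy list, the function names and the sample addresses are assumptions.

```python
import ipaddress

# Assumed proxy addresses (loopback plus a documentation-range sample).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.10/32")]

def _parse(value):
    """Return an ip_address object, or None when the value is empty or malformed."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, headers):
    """Return (address, source) for one request.

    remote_addr is the TCP peer; headers is a dict of request headers.
    Assumes the trusted proxy overwrites X-Real-IP rather than passing a
    client-supplied value through.
    """
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR is not an IP address")
    if not is_trusted(peer):
        # Direct connection: any forwarding header was written by the
        # client itself and must be ignored, or addresses can be spoofed.
        return str(peer), "REMOTE_ADDR"
    real = _parse(headers.get("X-Real-IP", ""))
    if real is not None:
        return str(real), "X-Real-IP"
    # X-Forwarded-For: walk right to left and skip our own proxies; the
    # first untrusted hop is the address the proxy actually saw.
    for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
        ip = _parse(hop)
        if ip is None:
            break  # malformed entry: trust nothing further left
        if not is_trusted(ip):
            return str(ip), "X-Forwarded-For"
    # The proxy forwarded no usable header, so every visitor looks like
    # the proxy itself and rate limits land on the server's own address.
    return str(peer), "proxy-no-header"
```

The last return is the case to look for when a site keeps blocking its own server: the request arrived from the proxy, but neither header carried the visitor's address.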
- The topic ‘Lots of odd errors spoofed IPs and repeatedly getting blocked’ is closed to new replies.