Stephen S (Resolved)

    (@ssuess)


    There seem to be spoofed-IP attacks against my website that Wordfence is unable to block (because they seem to be coming from local/private IPs?), and I am not sure what to do about them. Here are the outlines:

    • All the attacks (with fortunately failed login attempts so far I think) seem to originate from 172.19.0.1, one of my local server addresses
    • All the failed login attempts are against non-existent users like ‘admin’
    • If I change the domain name of my site, they seem to stop, which leads me to believe this is coming from or being triggered from the outside
    • If I look in the db in the wp_wfhits table, these attempts are clearly understood by wordfence as ‘Known malicious User-Agents’ but they are not blocked
    • Attacks are invariably against xmlrpc.php, and wp-login.php according to the wp_wfhits table
    • However, in my nginx logs, the called urls are always ‘POST /wp-cron.php?doing_wp_cron’ and ‘POST /wp-login.php’

    Any ideas how to deal with this or stop it? I can’t find anything online about this kind of attack.

  • Stephen S (Thread Starter)

    (@ssuess)

    Well it took a while, but I figured out what was happening here, and the upshot is: no good deed goes unpunished.

    • When setting up my server, I enabled IPv6 because I want to be a good internet citizen and help our collective migration to IPv6
    • I chose easyengine to manage my WP sites, which uses nicely isolated docker containers for each web site
    • Easyengine sets up an nginx reverse proxy container that passes off all requests to the appropriate site/container
    • The problem with the reverse proxy setup is that if the originating request is from an IPv6 address, the proxy will change that address to a local IPv4 IP before passing it along to the container website.

    What this means is that any WordPress hacker sending commands, bad login attempts, what have you, from an IPv6 address will not be blocked by any security software (such as WORDFENCE) because it sees a LOCAL IP AND THEREFORE WILL NOT BLOCK IT.

    And enabling IPv6 support on the ee docker containers is far from straightforward, I have not been able to do it yet. So for now anyway I have disabled IPv6 on the server to stop these attacks. I will come back here with more info when/if I find a simple(ish) way to enable IPv6 reverse proxy on docker containers running on easyengine.

    I should note here that as a test, I set up a small server using a single apache site and no proxy and everything read and worked as expected with IPv6 addressing and blocking. But I have to manage several sites and I really like easyengine’s management tools and docker isolation (in theory), so that was why I made that choice. Hope all this helps someone else.

    • This reply was modified 3 years ago by Stephen S.
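The failure described in the reply above is a general reverse-proxy problem rather than something specific to IPv6: once the proxy container is the TCP peer of the site container, REMOTE_ADDR is always the proxy's docker-network address (172.19.0.1 in the post), so per-IP counting and blocking collapse onto one private address. The usual fix has two halves: the proxy must pass the original client address along (in nginx, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Real-IP $remote_addr;` in the proxied location), and the application must use that header only when the request really came through its own proxy, because any direct client can send a forged X-Forwarded-For. The example below is added here and is not code from the thread, Wordfence, EasyEngine or nginx; the proxy network (172.19.0.0/16), the header name and the sample requests are constructed assumptions for the demonstration. It goes slightly beyond the post by also showing the forged-header case and a multi-hop header.

```python
"""Proxy-aware client address resolution.

Added example, not code from this forum thread, Wordfence, EasyEngine or
nginx.  It models the failure described above: the reverse-proxy container
reaches the site container from a docker-network address (172.19.0.1 in the
post), so REMOTE_ADDR is always that private address and per-IP blocking
either never fires or, worse, would block the proxy and therefore every
visitor.  The fix has two halves: the proxy must forward the original
client address (X-Forwarded-For), and the application must use that header
only when REMOTE_ADDR is a trusted proxy, because any direct client can
set it.  The proxy network, header name and sample requests below are
constructed assumptions for the demonstration.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumed: the docker network from which the proxy container reaches the site.
TRUSTED_PROXIES = [ipaddress.ip_network("172.19.0.0/16")]


def parse_ip(text: str) -> Optional[IPAddr]:
    """Parse one address; None for junk (never act on unparsed header text)."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr: str, proxies=TRUSTED_PROXIES) -> bool:
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in proxies)


def client_ip(remote_addr: str, headers: Dict[str, str], proxies=TRUSTED_PROXIES) -> str:
    """Address to count failures and block on.

    If the TCP peer is not a trusted proxy, X-Forwarded-For is ignored: the
    peer itself is the client and could have forged the header.  Otherwise
    walk the header from the right, skipping our own proxies; the first hop
    that is not one of ours is the real client, IPv4 or IPv6 alike.
    """
    if not is_trusted_proxy(remote_addr, proxies):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if parse_ip(hop) is None:
            return remote_addr        # malformed header: fall back, don't guess
        if not is_trusted_proxy(hop, proxies):
            return hop
    return remote_addr                # header empty or only our proxies: no client info


def failures_by_client(requests: Iterable[Dict], proxy_aware: bool, proxies=TRUSTED_PROXIES) -> Dict[str, int]:
    """Count failed logins per address, naively (REMOTE_ADDR) or proxy-aware."""
    counts: Dict[str, int] = {}
    for r in requests:
        addr = client_ip(r["remote_addr"], r["headers"], proxies) if proxy_aware else r["remote_addr"]
        counts[addr] = counts.get(addr, 0) + 1
    return counts


def offenders(counts: Dict[str, int], threshold: int = 3, proxies=TRUSTED_PROXIES) -> List[str]:
    """Addresses at or over the threshold that are safe to block.

    A trusted proxy address is never returned: blocking it would block all
    traffic that arrives through the proxy, not the attacker.
    """
    return sorted(a for a, n in counts.items() if n >= threshold and not is_trusted_proxy(a, proxies))


# Constructed sample: three failed logins from one IPv6 client via the proxy
# (2001:db8::/32 is the documentation range), plus one direct request that
# forges X-Forwarded-For to look like it came from localhost.
SAMPLE_FAILED_LOGINS = [
    {"remote_addr": "172.19.0.1", "headers": {"X-Forwarded-For": "2001:db8::5"}, "path": "/wp-login.php"},
    {"remote_addr": "172.19.0.1", "headers": {"X-Forwarded-For": "2001:db8::5"}, "path": "/wp-login.php"},
    {"remote_addr": "172.19.0.1", "headers": {"X-Forwarded-For": "2001:db8::5"}, "path": "/xmlrpc.php"},
    {"remote_addr": "203.0.113.7", "headers": {"X-Forwarded-For": "127.0.0.1"}, "path": "/wp-login.php"},
]


if __name__ == "__main__":
    naive = failures_by_client(SAMPLE_FAILED_LOGINS, proxy_aware=False)
    aware = failures_by_client(SAMPLE_FAILED_LOGINS, proxy_aware=True)
    print("naive :", naive, "->", offenders(naive))   # every hit lands on the proxy; nothing blockable
    print("aware :", aware, "->", offenders(aware))   # the IPv6 client is identified and blockable
```

The naive pass reproduces what the poster saw: every attempt is attributed to 172.19.0.1, which is both private and the proxy itself, so there is nothing a blocker can safely act on. The proxy-aware pass attributes the same requests to the IPv6 client, while the direct request with a forged header is still charged to its real peer. In practice this is the same decision Wordfence exposes under "How does Wordfence get IPs": leave it on REMOTE_ADDR when the site is reached directly, switch it to the X-Forwarded-For setting only when the site sits behind a proxy that you control and that sets the header on every request.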
The topic ‘Not blocking private IP ranges?’ is closed to new replies.