WordPress.org


Simple Login Log
[resolved] Log real IP (6 posts)

  1. Dr.Bier
    Member
    Posted 1 year ago #

    Hi,

    Here is a small code change to log the real IP instead of 127.0.0.1. You need to set the X-Real-IP header in your web server when proxying. Change line 424 to:

    'ip' => isset($_SERVER['HTTP_X_REAL_IP'])?$_SERVER['HTTP_X_REAL_IP']:$_SERVER['REMOTE_ADDR'],

    Best regards,
    Alexander

    http://wordpress.org/extend/plugins/simple-login-log/

  2. Max Chirkov
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks, Alexander! It's now implemented in version 0.9.5

  3. Jim
    Member
    Posted 1 year ago #

    Relevant information on the difficulties determining the real IP address.

    http://security.stackexchange.com/questions/27958/brute-force-login-attempt-from-spoofed-ips

    http://php.net/manual/en/reserved.variables.php

    There is a danger of introducing a spoofed IP address vulnerability.

  4. Max Chirkov
    Member
    Plugin Author

    Posted 1 year ago #

    Hi Jim,

    I'm not a security expert, but in our case we're simply logging information - we're not using any IPs for authentication purposes. With the same success, I can simply leave the IP field as it was (REMOTE_ADDR) and add HTTP_X_REAL_IP under the DATA field, together with header information. As far as I know, header information together with User-Agent can be spoofed as well, but we don't really worry about that either.

    Unless I'm missing your point?

  5. Jim
    Member
    Posted 1 year ago #

    I am no security expert either, and true, this is simply logging information. I commented because I found a lot of poor information and bad code examples about this topic while searching for more information, and added the comment above to point to relevant information for those that want it. In the case of Simple Login Log, this change wouldn't introduce a vulnerability.

    Assuming REMOTE_ADDR is not a local IP (such as 127.0.0.1), if HTTP_X_REAL_IP and REMOTE_ADDR were different, that would be information of interest to me.

    Thanks for the work in Login Log, it's a useful plugin.

  6. Max Chirkov
    Member
    Plugin Author

    Posted 1 year ago #

    Jim,

    I appreciate your input! I've never heard about HTTP_X_REAL_IP before, and I make quite a few security errors in my plugins, due to lack of experience. Thanks for the links as well - I have a little better understanding of this now. I made a note to myself to log both IPs - I think this would make it more useful.

    Thanks again and have a great weekend!
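
The approach this thread converges on (log both addresses, let X-Real-IP stand in for the client only when the request arrived from your own proxy, and flag a differing header on direct connections), as an added example that is not the plugin's code or any poster's. The function name, the `$trustedProxies` list and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not Simple Login Log's own code.
// $trustedProxies is an assumed setting: the addresses of proxies you operate.

/**
 * Build the IP fields for one login-log row from a $_SERVER-style array.
 */
function login_log_ip_fields(array $server, array $trustedProxies = ['127.0.0.1', '::1']): array
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $raw    = $server['HTTP_X_REAL_IP'] ?? null;

    // The header is client-supplied text: keep it only if it parses as an IP address.
    $claimed = ($raw !== null && filter_var(trim($raw), FILTER_VALIDATE_IP) !== false)
        ? trim($raw)
        : null;

    // Only a proxy we run is allowed to speak for the client.
    $fromProxy = in_array($remote, $trustedProxies, true);

    return [
        // Address shown in the log's IP column.
        'ip'             => ($fromProxy && $claimed !== null) ? $claimed : $remote,
        // Both raw observations are kept so nothing is lost.
        'remote_addr'    => $remote,
        'x_real_ip'      => $claimed,
        // Header was present but did not parse as an IP address.
        'header_invalid' => $raw !== null && $claimed === null,
        // A direct (non-proxy) peer sent an X-Real-IP that differs from its own address.
        'mismatch'       => !$fromProxy && $claimed !== null && $claimed !== $remote,
    ];
}

// Constructed sample requests (documentation address ranges).
$samples = [
    'via local proxy'    => ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_X_REAL_IP' => '203.0.113.7'],
    'direct, differing'  => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_REAL_IP' => '10.0.0.1'],
    'direct, malformed'  => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_REAL_IP' => 'not-an-ip'],
    'direct, no header'  => ['REMOTE_ADDR' => '198.51.100.9'],
];

foreach ($samples as $label => $server) {
    echo $label, ': ', json_encode(login_log_ip_fields($server)), PHP_EOL;
}
```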

Topic Closed

This topic has been closed to new replies.
