
Login Security Solution
[resolved] Server behind proxy or load balancer (9 posts)

  1. josediogenes
    Member
    Posted 2 years ago #

    Hello,

    You've got a very useful plugin here, but I'm wondering: if your site or blog is behind a load balancer or a proxy, how can it track the various IPs' login attempts if basically the proxy has the same IP?

    Are there any changes or options to tune it in case WordPress is installed on servers behind a proxy?

    Thank you

    http://wordpress.org/extend/plugins/login-security-solution/

  2. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Jose:

    Are you asking in general, or is this a situation you actually have?

    I could populate the plugin's IP data with HTTP_X_FORWARDED_FOR if it's provided. Sound good?

    --Dan

  3. josediogenes
    Member
    Posted 2 years ago #

    Yes, this is my case: we're using a proxy and every access to the site has the same IP. Because the plugin analyses login attempts by user and not only by IP, it is still effective, but we miss the IP block/slowdown feature.

    Thank you for your response.

  4. josediogenes
    Member
    Posted 2 years ago #

    Hello again,

    After some research I changed a bit of code within the plugin file and now it seems to be using the "real" IP and not the proxy one.

    I changed the get_IP method of your plugin's class

    protected function get_ip() {
        // Poster's change: read the client address from the X-Forwarded-For
        // header instead of REMOTE_ADDR. Note that this returns '' (no IP at
        // all) whenever the header is absent, i.e. for any request that did
        // not come through the proxy.
        if (empty($_SERVER['REMOTE_ADDR'])) {
            return '';
        }
        if (empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            return '';
        }

        //return $this->normalize_ip($_SERVER['REMOTE_ADDR']);
        return $this->normalize_ip($_SERVER['HTTP_X_FORWARDED_FOR']);
    }
  5. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Jose:

    I committed some changes for this into the SVN repository. It will be in release 0.22.0, whenever that comes out. For now, you can use the latest "development version" via http://downloads.wordpress.org/plugin/login-security-solution.zip. Please try it and let me know how it goes.

    --Dan

  6. Dean Taylor
    Member
    Posted 2 years ago #

    Hi Daniel,

    There are serious security implications; I would like to highlight that this functionality should not be implemented as you have done.

    REMOTE_ADDR is generated by the web server based on the connection from the client. HTTP_X_FORWARDED_FOR is based on an HTTP header sent by the client.

    You can't trust input from the client, particularly input that is easily faked, such as HTTP headers. Clients can stick anything into that HTTP_X_FORWARDED_FOR header.

    Here is a reference blog article on the topic of spoofing IPs.

    There are many plugins with generic incorrect use of the HTTP_X_FORWARDED_FOR header *sigh*.
    Remember HTTP_X_FORWARDED_FOR can contain multiple IPs.

    As an alternative to this I would suggest including a section in the installation / setup instructions
    where the admin, at their choosing, can modify their wp-config.php to replace REMOTE_ADDR with the correctly extrapolated HTTP_X_FORWARDED_FOR and reset HTTP_X_FORWARDED_FOR as required.

    Perhaps a whitelist of REMOTE_ADDR values enabling you to trust the value of HTTP_X_FORWARDED_FOR; again, I believe this should be set up in wp-config.php.

    Cheers,
    Dean.
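
The whitelist approach Dean describes, written out as an added example for wp-config.php. This is not the plugin's code and not code from any poster in this thread; the proxy addresses, the function name lss_example_client_ip and the sample requests are assumptions made up for illustration. Only a request whose TCP peer (REMOTE_ADDR) is one of the listed proxies has its X-Forwarded-For header honoured, and the header is walked from the right so that any addresses the client prepended itself are ignored.

```php
<?php
// Added example, not part of the Login Security Solution plugin.
// Intended to sit near the top of wp-config.php, before WordPress loads,
// so that everything downstream (including a plugin that reads
// REMOTE_ADDR) sees the real client address.

/**
 * Resolve the client IP for a request.
 *
 * If REMOTE_ADDR is not one of our own proxies, the X-Forwarded-For header
 * came straight from the client and is ignored.  If it is one of our
 * proxies, the header looks like "client, proxy1, proxy2": each hop appends
 * the address it saw, so the client can only prepend junk.  We therefore
 * walk from the right, skip our own proxies, and take the first address
 * that is not ours.  Anything malformed falls back to REMOTE_ADDR.
 *
 * @param array    $server          normally $_SERVER
 * @param string[] $trusted_proxies addresses of our load balancers / proxies
 */
function lss_example_client_ip(array $server, array $trusted_proxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if ($remote === '' || !in_array($remote, $trusted_proxies, true)) {
        return $remote;                      // direct connection: header is untrusted
    }

    $xff = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';
    if ($xff === '') {
        return $remote;                      // proxy did not add the header
    }

    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = $hops[$i];
        if (in_array($ip, $trusted_proxies, true)) {
            continue;                        // one of our own hops, keep walking left
        }
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return $remote;                  // garbage in the header: do not trust it
        }
        return $ip;                          // first (rightmost) untrusted address
    }
    return $remote;                          // header held only our own proxies
}

// Assumed addresses of this site's proxies / load balancers (placeholders).
$lss_example_trusted_proxies = array('10.0.0.5', '10.0.0.6');

// Constructed sample requests showing the two cases that matter:
//  - direct connection with a forged header: the forgery is ignored
//  - via the proxy with a forged header: the proxy appended the real client,
//    so the rightmost untrusted address is still the real one
$lss_example_direct = array(
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.9',
);
$lss_example_via_proxy = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 198.51.100.7',
);
// lss_example_client_ip($lss_example_direct, ...)    -> '198.51.100.7'
// lss_example_client_ip($lss_example_via_proxy, ...) -> '198.51.100.7'

// Rewrite the live request so the rest of WordPress sees the resolved
// address, then drop the raw header so nothing re-reads it uncritically.
$_SERVER['REMOTE_ADDR'] = lss_example_client_ip($_SERVER, $lss_example_trusted_proxies);
unset($_SERVER['HTTP_X_FORWARDED_FOR']);
```

With this in place the plugin's own get_ip(), which reads REMOTE_ADDR, needs no change. Every proxy hop between the internet and the web server must be in the list; if the front proxy is missing, its address is returned as the "client" and all traffic collapses back onto one IP, which is the original problem rather than a security hole. If the load balancer is configured to overwrite X-Forwarded-For rather than append to it, the walk still works, it simply finds one address.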

  7. josediogenes
    Member
    Posted 2 years ago #

    Dean,

    Thank you for the enlightenment, sure it'll help the plugin maker to adjust the code to suit both security and practical needs. Maybe he'll change the sanitize method as well to avoid such XSS vulnerabilities.

    josediogenes

  8. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Dean:

    Once again, thank you for paying close attention.

    My initial thinking was "Yeah, the HTTP_X_FORWARDED_FOR can be forged, but so can the REMOTE_ADDR." But the underlying point of your statement is that forging an HTTP header is WAY simpler than forging an IP packet or attacking via proxies.

    I'll revert the change and advise users to take appropriate measures.

    josediogenes, for the record, my plugin carefully validates all input in order to prevent XSS and SQL vulnerabilities, etc.

    Thanks,

    --Dan

  9. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    The installation instructions now include a step for administrators running behind load balancers and proxies. This will show up on the website when the next release is made. Until then, folks can view the readme file in SVN.
