WordPress.org

Ready to get started?Download WordPress

Forums

Wordfence Security
[resolved] Blocked Login E-Mail Received, But IP Not Blocked (2 posts)

  1. kurt2439
    Member
    Posted 1 year ago #

    I have tested the wordfence plugin on this site and it does work, locking me out of the admin login page and then showing my IP in the blocked connection page. However, last night we had an IP attempt to login something like 4k times in a half hour and we received a massive amount of e-mails from WordFence about blocking their IP from login, but it didn't actually block the IP or add it to the blocked IPs from logins list. I eventually blocked it at our edge router.

    Can I be helpful in helping debug this situation? Perhaps there is a string that they are able to use that WordFence is not handling? From what I can see, it doesn't look like WordFence parsed the IP correctly since from the logs I see this:

    177.99.206.50 - - [09/Sep/2012:20:06:31 -0400] "POST /wp-login.php HTTP/1.0" 200 1354 "http://www.oursite.coop/wp-login.php" "Mozilla/5.0 (Windows; U; Win
    dows NT 5.1; ru; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"

    And the messages from WordFence (the time appears to be off by 4 hours -- the date/time of the e-mail sent shows it matches up with the alerts). I don't see any instance of this IP below in the access logs:

    This alert was generated by Wordfence on "Our Site at Monday 10th of September 2012 at 12:06:10 AM

    A user with IP address 10.6.11.135 has been locked out from the signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 4 User IP: 10.6.11.135

    http://wordpress.org/extend/plugins/wordfence/

  2. Wordfence
    Member
    Plugin Author

    Posted 1 year ago #

    Thanks for the detailed report. The data you've included is helpful.

    The attacker IP is 177.99.206.50

    But the IP that your web server is reporting to Wordfence is:

    10.6.11.135

    This IP address is an internal address (it conforms to the RFC1918 address range). This means that it's probably a firewall or load sharing device that is in front of your web server.

    Wordfence is actually built to handle this kind of configuration because it looks at HTTP headers in the request that your firewall adds and attempts to get the external IP from that. But it appears that in your case, those headers are either not present or are different.

    We look at the following HTTP headers:

    X-Forwarded-For

    and

    X-Real-IP

    If your firewall or loadsharer has other headers we can examine you're welcome to let me know about them. I'd also recommend you post this on our own forums at http://www.wordfence.com/forums/ where our community is very active and may have seen this issue before and could possibly help you.

    Regards,

    Mark.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.