Automated IP lookups generating 404s (Shield Security plugin support forum)

  • Resolved Jack C

    (@jack-c)


    I am using Shield v 7.4.1, and I noticed my nginx logs showing errors like the following (IP address and my site URL removed):

    127.0.0.1 – – [08/Jun/2019:11:44:44 +0200] “GET /lookup/xxx.xxx.xxx.xxx HTTP/1.1” 404 134 “http://geoip-api.meteor.com/lookup/xxx.xxx.xxx.xxx” “WordPress/XXX; https://xxx.xxx.xxx

    Checking the Shield “IP Lists” page, the IP address I see in the logs appears in the “IP addresses that have tripped Shield defenses” list. The timestamps also match.

    So it seems that Shield is automatically making a request to my own server, apparently to try to do a GeoIP lookup on IPs that trip defenses, but doing so to a URL which does not exist. I can’t find any settings about this in the Shield admin (though to be honest the Shield admin these days is pretty chaotic and I could be missing it).

    Is this really coming from Shield? If so, how can I disable it? It is simply generating unnecessary extra requests to my server, and filling up my logs with meaningless errors. I don’t need to look up IPs in any case.

    Thanks,
    Jack

  • Plugin Author One Dollar Plugin

    (@onedollarplugin)

    Hi Jack,

    geoip-api.meteor.com has nothing to do with Shield – it’s not a call that our plugin is making.

    Also, can you elaborate on the Shield admin chaos you refer to? Happy to hear some constructive feedback on it if there are areas you’d like to see improved.

    Thanks.

    Hello,

    Thanks for the reply. Very odd, I wonder where this is coming from. I have almost no other plugins except WooCommerce. The user agent string is WP and my own site URL, and the IP is the localhost, so AFAICT the request is originating on my own server. The fact that the IP shows up in Shield with matching timestamps led me to think that’s where it was coming from.

    As to the chaos – the Shield admin could use a lot of work in the UI department, IMHO. They are all small things, but good UI is all about small details. Random examples:

    – The nav icons down the right hand side of the page when browsing settings are both redundant and confusing. Are they the same as the items listed under the main settings nav drop down? Are they links? They are not the same colour as other links. Why are 2 of them different colours – maybe that’s the active item that I’m viewing? No, there are 2 of them, I can’t be viewing 2 items … confusing. Why are they there, if the same items are in the main nav? Do I need to review those as well, are there things in there I’m missing in the other 3 levels of Shield navigation?

    – The ginormous blue “Save all settings” button is styled completely differently to … well, everything else in this plugin, as well as everything else in WP. The weird positioning stuck to the bottom of the page is also non-standard in WP. It looks like a malware popup.

    – Settings -> General -> Disable Shield shows a toggle with “Enable/Disable Plugin Modules”. This is a classic UI problem – does flipping the toggle on enable or disable? It is also inconsistent with many other similar toggles throughout the admin (eg Settings -> Security Admin -> On/Off is very clearly just an enable toggle). Also, what “modules”? I thought this was a “disable shield” toggle?

    – The “go pro” link in the main WP nav on the left is in yellow; the corresponding link in Shield’s own navigation is a particular shade of green, not used anywhere else in the plugin, or in WP. Why? Consistency – in colours, fonts, layouts, etc – is basic UI good practice.

    – I count 6 different shades of green on the main dashboard. The overall effect is … chaos! Good practice is to limit the number of colours on a page, *especially* different shades of the same colour.

    As I said all very minor things, and I’m sure I sound way too anal 🙂 But the overall impression I have when using the plugin admin is that it is chaotic and messy, and these are the reasons.

    Thanks for your work, I’ve been using Shield for years.

    Jack

    In case it helps anyone else – by grepping the sources on disk I found that geoip-api.meteor.com shows up in a WooCommerce file class-wc-geolocation.php. Don’t know how that winds up making requests to my own site, but that must be the source.

    I am guessing an IP made a request which triggered Shield, so it showed up in the IP list, but WP handled the request and WooCommerce tried to do a geo-lookup or whatever it is doing, which generated the 404 in my logs.

    Jack
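Added example, not part of the thread and not code from Shield or WooCommerce: a small triage script for the pattern in the log line above, where a loopback request carries a WordPress user agent and a Referer naming a different host. It lists those Referer hosts so each can be grepped for under wp-content, as the post above did by hand. The site host `shop.example`, the WordPress version string and the sample lines are constructed, and the lines assume nginx's combined format with straight quotes.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx "combined": addr - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample lines (documentation address 203.0.113.7, hypothetical site shop.example).
SAMPLE = [
    '127.0.0.1 - - [08/Jun/2019:11:44:44 +0200] "GET /lookup/203.0.113.7 HTTP/1.1" 404 134 '
    '"http://geoip-api.meteor.com/lookup/203.0.113.7" "WordPress/5.2.1; https://shop.example"',
    '127.0.0.1 - - [08/Jun/2019:11:45:01 +0200] "POST /wp-cron.php?doing_wp_cron=1 HTTP/1.1" 200 0 '
    '"https://shop.example/wp-cron.php?doing_wp_cron=1" "WordPress/5.2.1; https://shop.example"',
    '203.0.113.7 - - [08/Jun/2019:11:44:43 +0200] "GET /wp-login.php HTTP/1.1" 403 548 '
    '"-" "Mozilla/5.0"',
]

def self_requests(lines, site_host):
    """Yield (referer_host, path, status) for loopback requests with a
    WordPress user agent whose Referer names a host other than the site."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["addr"] not in LOOPBACK:
            continue  # unparsable line, or a request from a remote client
        if not m["agent"].startswith("WordPress/"):
            continue
        ref_host = urlsplit(m["referer"]).hostname
        if not ref_host or ref_host == site_host:
            continue  # no Referer, or a call whose Referer is the site itself
        parts = m["request"].split()
        path = parts[1] if len(parts) >= 2 else ""
        yield ref_host, path, int(m["status"])

def summarize(lines, site_host):
    """Count flagged requests per (referer host, HTTP status)."""
    return Counter((host, status) for host, _path, status in self_requests(lines, site_host))

if __name__ == "__main__":
    for (host, status), n in summarize(SAMPLE, "shop.example").items():
        # Each host printed here is a string to search for in the plugin sources.
        print(f"{n:4d}  status={status}  referer-host={host}")
```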

    Plugin Author Paul

    (@paultgoodchild)

    Thanks for your feedback on all of that, Jack. We’ll take a look at each of these and hopefully clear them up to be a bit better and less chaotic. As always, please feel free to continue to share your feedback any time… it really helps!
