• Resolved magicpowers

    (@magicpowers)


    hi
    I have blocked one particular IP address in my Wordfence plugin AND in my cpanel.

    I just saw that IP address in my plugin dashboard as a blocked attempt in the past 24 hrs.

    Since that IP was blocked on the server before it was able to make any requests and before the plugin could even see it – how come Wordfence has listed it as a blocked access in my dashboard?

    This is important, as my host says there is no way the plugin was able to see that IP and block it.

    any thoughts?

    thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • Cpanel’s (and WHM’s) IP Blocker functionality is very simplistic.
    It does NOT interface with any Firewall software, like IpTables, APF, or CSF, or anything like that, since such features are not available to users on Shared Hosting.

    All the Cpanel/WHM functionality does is to edit your .htaccess file for you, and insert a
    deny from that-Ip-Address-Here
    line, which would make the web-server (Apache) block the access for that IP when seen.
    Cpanel actually runs through the .htaccess files for ALL domains you might be hosting in your account and inserts the same line in all of them.
    Everything after that, Cpanel is completely oblivious to. Cpanel does NOT partake in any actual blocking of that IP.

    So check your main .htaccess file in the root of the web-site..
    If there is no longer a “deny from” line with that bad IP address, then the Cpanel line at some point has been deleted from that .htaccess file, and the IP is now unblocked as far as Apache is concerned (leaving the IP to hit in WordFence).

    Your host should have explained that.. It is true, that as long as .htaccess is blocking it, WordFence would not be seeing it.
    But that requires the .htaccess line to actually be there (still). 🙂

    Note also, that all this also depends on how your WordFence “How to get IPs” is set up.
    For example, if you are behind a caching- or reverse-proxy service, WordFence would be getting its IP addresses from the proxy headers to get at the true IP address, and those are what you see in its logs.

    The .htaccess Deny line, used by Cpanel’s IP blocker, ONLY works on IPs found in REMOTE_ADDR, which in the case of a caching front-end would be false. REMOTE_ADDR would for all accesses be pointing to the caching server:-) The bad IP would never be seen.

    IN YOUR CASE, they ARE running a Nginx caching proxy server in front of you. Your site headers show that. Depending on their setup and other local changes, that could have left any and all “Denies” in .htaccess/Cpanel totally non-functional. Your host should also have told you that.

    In summation.. That IPs are getting as far inside your walls as WordFence has everything to do with your hosting setup, and nothing to do with WordFence. 🙂

    FYI, These are your site’s response headers, which show the Nginx reverse-proxy caching server being active:

    accept-ranges:bytes
    cache-control:max-age=2592000
    content-encoding:gzip
    content-length:1276
    content-type:text/css
    date:Mon, 11 Sep 2017 12:03:45 GMT
    etag:"e5f-55883754985d8-gzip"
    expires:Wed, 11 Oct 2017 12:03:45 GMT
    host-header:192fc2e7e50945beb8231a492d6a8024
    last-modified:Wed, 06 Sep 2017 11:15:15 GMT
    server:nginx
    status:200
    vary:Accept-Encoding
    x-proxy-cache:MISS

    Thread Starter magicpowers

    (@magicpowers)

    Hi Caleb

    thank you for your reply.

    I much appreciate the great level of detail, however as I’m not a developer and my back-end knowledge of site hosting, coding, etc is very limited, I can take it only as is and pass on to my host asking for explanation.

    I do understand the issue however, and will discuss it further with the host. If your analysis is correct, I would be very surprised I must say, as my host is one of the best out there (if not THE best), recommended by WordPress, with many years of experience and a high level of technical knowledge. This sort of loophole in website security would be very serious if they guarantee that an IP is blocked while actually it isn’t.

    So I will check. I appreciate your reply and of course I’m glad that I do have Wordfence. 🙂

    by the way, did you get all those technical details from my site just by inspecting elements? I would prefer not to post them on a public forum… there is too much information.

    could you please delete that second post, thanks. 🙂

    Yes, I got the technical detail from your site, but there is no security related information in those posted details at all. Just caching headers.
    First off, it is what anyone in the whole world can see every time they visit your site (which you put in the incident), and secondly those details are the same for every site in the world with a similar setup. Nothing extraordinary or dangerous exposed at all. Just random content/caching headers and tags, which change over time and per page.

    Cpanel’s editing of .htaccess not working when they use a reverse-proxy is something the hosting company would either have to fix by replacing its scripts to add different lines to Apache’s .htaccess file, make changes to Nginx, or they should simply remove that option from their Cpanel for users running behind Nginx control. To lessen the confusion.
    .htaccess files have no impact on the fronting Nginx server. ‘.htaccess’ files only mean something to Apache, which I assume is still running your site (behind the Nginx front).

    At any rate, the hosting company should probably better educate their support people on the configurations they actually use locally and their potential side-impacts on things such as Cpanel and on where plugins like WordFence have to find IP addresses to not simply block the reverse-proxy server every 2 seconds.

    Of course, I am here merely making qualified guesses on their actual, technical configuration. Only the hosting company can know exactly how they have set up their Nginx front to run interference in front of you. 🙂
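
Added example, not part of any post in this thread and not Wordfence's or the host's code: a Python model of why a rule that tests only REMOTE_ADDR never matches a visitor who arrives through a caching proxy, while a rule that resolves the client address from a proxy header does. It assumes the proxy forwards the visitor address in X-Forwarded-For (the thread only says "proxy headers"); all addresses are constructed documentation-range values and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]  # the caching front end
DENY_LIST = [ipaddress.ip_network("203.0.113.5/32")]       # the "blocked" visitor


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)


def effective_client_ip(remote_addr, x_forwarded_for=None):
    """Return the address a block rule should be tested against.

    The header is honoured only when the TCP peer (REMOTE_ADDR) is a trusted
    proxy; otherwise a direct visitor could forge it. The chain is walked
    right to left and the first untrusted, well-formed hop is the client.
    """
    if not x_forwarded_for or not is_trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer
        if not is_trusted(hop):
            return hop
    return remote_addr  # every hop was a proxy


def denied(ip):
    return any(ipaddress.ip_address(ip) in net for net in DENY_LIST)


def evaluate(remote_addr, x_forwarded_for=None):
    """Compare a REMOTE_ADDR-only rule with a proxy-aware one."""
    client = effective_client_ip(remote_addr, x_forwarded_for)
    return {"remote_addr_rule": denied(remote_addr),
            "proxy_aware_rule": denied(client)}


if __name__ == "__main__":
    # Blocked visitor arriving through the proxy: only the proxy-aware rule fires.
    print(evaluate("192.0.2.10", "203.0.113.5"))
    # Direct visitor sending the header anyway: it is ignored, peer address is used.
    print(evaluate("198.51.100.7", "203.0.113.5"))
```
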

  • The topic ‘Blocked IP issue’ is closed to new replies.