• Resolved Sabine Jakubinek

    (@sjakubinek)


    Hi!

    Most of the time I encounter differences between the IP shown in the failed login tab and the one written to the access.log by Apache. Sometimes private IP addresses show up in the failed login tab like: 172.16.105.* or 192.168.1.*
    To be more specific, a few days ago a login attempt from 172.16.105.* showed up and Apache said smth beginning with 83.209.*.

    I would like to know how this could happen. Thx in advance.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, just to confirm with you. Are both entries in the server and plugin logs referring to the same incident?

    Thread Starter Sabine Jakubinek

    (@sjakubinek)

    In your plugin:
    172.16.105.* 2017-07-05 10:18:46 (I removed the UserId and Username that was used)

    The Apache Log shows the following:
    83.209.xxx.xxx - - [05/Jul/2017:10:18:44 +0200] "GET /wp-login.php HTTP/1.1" 200 4069
    83.209.xxx.xxx - - [05/Jul/2017:10:18:45 +0200] "POST /wp-login.php HTTP/1.1" 200 4218

    There were only two other entries on that day on that blog. But the time between was ~8 hours before and 11 hours later. The Apache log also has no other entries than these three.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for reporting the extra information. The plugin developers will investigate your question further.

    Kind regards

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi @sjakubinek,
    The way in which the aiowps plugin retrieves the IP address is via the following function:

        static function get_user_ip_address()
        {
            foreach (array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key){
                if (array_key_exists($key, $_SERVER) === true){
                    foreach (explode(',', $_SERVER[$key]) as $ip){
                        $userIP = trim($ip);
                        if (filter_var($userIP, FILTER_VALIDATE_IP) !== false){
                            return $userIP;
                        }
                    }
                }
            }
            return ''; //if we get this far we have an invalid address - return empty string
        }

    I’m not 100% sure why for your setup you are seeing different IP addresses. It is probably due to your site hosting setup. Have you asked your host tech support guys? (show them the aiowps function so they know how this plugin tries to obtain an IP and maybe they will have an explanation)

    Thread Starter Sabine Jakubinek

    (@sjakubinek)

    Hi!

    Thx for your reply. Well, I’m the “host tech support guys” as it’s my own server 😉

    Pls correct me if I’m wrong, it’s been a long time since I did PHP. Your function is looking for an IP with different methods.
    Let’s say a user is using a proxy with a fake XFF and therefore smth like 192.168.1.102. The first two results before “HTTP_X_FORWARDED_FOR” didn’t end up in a valid result. Then your foreach will return 192.168.1.102 as it is valid for “FILTER_VALIDATE_IP” and stops looking for the other keys. While AFAIK Apache is using “REMOTE_ADDR” for its logfiles.

    Regards
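
The mismatch discussed in this thread, as an added example that is not part of the thread or of the plugin's code: a header-first lookup next to one that consults X-Forwarded-For only when the connecting peer is a known reverse proxy. The function names, the trusted-proxy list and all sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, constructed sample data.

// Header-first lookup in the style of the function quoted above (shortened key list).
function header_first_ip(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        foreach (explode(',', $server[$key] ?? '') as $ip) {
            $ip = trim($ip);
            if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
                return $ip;
            }
        }
    }
    return '';
}

// Proxy-aware lookup: REMOTE_ADDR is the TCP peer and is not set by a request header.
// X-Forwarded-For is read only when that peer is one of our own proxies (exact string
// match), right to left, stopping at the first hop that is not ours.
function trusted_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return '';
    }
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // direct connection: ignore every forwarding header
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the rest of the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests using documentation addresses, not values from the thread's logs.
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '172.16.105.10'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '172.16.105.10, 198.51.100.23'];

echo 'header-first, direct:  ', header_first_ip($direct), "\n";
echo 'proxy-aware, direct:   ', trusted_client_ip($direct, ['10.0.0.5']), "\n";
echo 'proxy-aware, proxied:  ', trusted_client_ip($proxied, ['10.0.0.5']), "\n";
```

For the direct request the header-first lookup reports the private address from the header while the proxy-aware lookup reports the peer address, which is the value Apache's default log format records.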

  • The topic ‘Different IP Apache and failed logins’ is closed to new replies.