• Resolved foreclosurepedia

    (@foreclosurepedia)


    Google Project Shield is a program to protect at-risk journalists, such as myself. In essence, we point the A record to Google and they handle the rest, but it is more of mirroring than being hosted by them. This is the link to their instructions for the firewall. NTP is enabled and "Use the X-Forwarded-For HTTP header" is selected. It logs the Google IP correctly as well as the one I use to log in from at home. Nothing has been entered into the Trusted Proxies box. I also run MFA for myself, as admin, only.

    Project Shield has three dedicated IP ranges:

    35.235.224.0/20
    34.96.0.0/20
    34.127.192.0/18

    From Project Shield, “When you set up your firewall rules, you can limit them to these ranges. Please make sure all three ranges are included in your firewall allow list. Other IP ranges should be denied access to your origin, by setting a catch-all firewall rule for traffic not matching the Shield ranges.”

    Is there somewhere in Wordfence I handle this? If not, could you advise me how to accomplish this in .htaccess utilizing the CIDR ranges above?

    Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @foreclosurepedia, thanks for your question.

    Whilst there are ways of automatically blocking IPs that attempt to access a list of pages/paths on your site, there would be no way of then opening that page back up to your IP range without also exempting the range from all other Wordfence rules, which can be dangerous.

    There are .htaccess changes that could help give the desired result, although we’re unable to support anything outside of the Wordfence plugin going forward:

    https://wordpress.org/support/article/brute-force-attacks/#limit-access-to-wp-login-php-by-ip

    https://stackoverflow.com/questions/4400154/deny-all-allow-only-one-ip-through-htaccess

    Thanks,
    Peter.
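A minimal .htaccess allowlist implementing the Project Shield guidance quoted in the first post, added here as an illustration; it is not code from Wordfence, Project Shield or the poster. It assumes Apache 2.4 (mod_authz_core and mod_authz_host) with .htaccess overrides permitted for the site's document root, and it uses 203.0.113.10 as a placeholder for the administrator's own address, which is an assumption and should be replaced or removed.

```apache
# Added example, not from the original thread: allow only Google Project Shield's
# three published ranges (plus one placeholder admin address) to reach the origin.
# Apache 2.4 syntax. Needs mod_authz_core and mod_authz_host, and an AllowOverride
# setting that permits AuthConfig (or Limit) for this directory.
# Place this above the WordPress rewrite block so it applies to every path,
# not just wp-login.php, as the Project Shield engineer recommends.
<RequireAny>
    # Project Shield ranges as published in the thread above
    Require ip 35.235.224.0/20
    Require ip 34.96.0.0/20
    Require ip 34.127.192.0/18

    # ASSUMPTION: placeholder for the administrator's home IP; replace or remove.
    Require ip 203.0.113.10
</RequireAny>
# No separate catch-all "deny" is needed: when none of the Require lines in a
# RequireAny block match, mod_authz_core denies the request with a 403.
```

Two things to check before relying on it. First, `Require ip` compares against the address Apache regards as the client; if mod_remoteip is configured to rewrite that address from X-Forwarded-For, the rules would be evaluated against the forwarded visitor address rather than Shield's, and legitimate traffic would be locked out. Second, rejecting every non-Shield source at the origin is also what makes Wordfence's "Use the X-Forwarded-For HTTP header" setting safe to rely on: a connection that reaches the origin directly could otherwise carry a forged header, whereas once only Shield can connect, the header always comes from the proxy. Confirm the current range list with Project Shield before deploying, since the ranges above are the ones quoted in this thread.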

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    I appreciate such a quick reply! I am currently running Wordfence and have for some years now. So, obviously I want to deploy Project Shield in conjunction with Wordfence. My theory is that it is similar to how Cloudflare works. They are a reverse proxy, by statement and definition, which is why I stated that NTP is enabled and "Use the X-Forwarded-For HTTP header" is selected, referencing my Wordfence settings. I presume they are correct (but do not know) and still do not know if their IPs should be added into the Trusted Proxies in Wordfence.

    I will forward this to Project Shield and look forward to your reply and will post theirs, regardless. As it is a Google Project, I believe it has significant value not only to journalists such as myself, but the entirety of the internet based upon the ability to learn from the data traffic itself, much like Wordfence.

    Thread Starter foreclosurepedia

    (@foreclosurepedia)

    Below was the reply from the Google Lead Engineer. Do you have suggestions how to deploy this within Wordfence, sans the .htaccess file? Both are currently running; however, the “locking down of the IP addresses” so to speak has not begun as it still reads no firewall protection deployed on the Google side.

    “The guidance for the firewall rules is intended to protect your origin from direct attacks. The location of your origin is discoverable information, so attackers could hit it directly and bypass Shield.

    All of your legitimate traffic should now be passing through Project Shield. Therefore, you should be able to block everything that is not Shield from reaching your origin. If you also want to allow some other Wordfence IPs at their recommendation, that’s ok – blocking most of the rest of the internet is still a clear improvement to the safety of your server.

    We advise you to do this for any page that is publicly accessible – not just your login. You want to block access to any page an attacker could hit. Unfortunately we are not able to assist directly with your origin setup. I can say that a .htaccess file is a common method of doing this kind of blocking, and those articles look like the right information.

    Lastly, we do want to reassure you that you already have a lot of protection without taking this last step. This is a recommended step, but not required.”

  • The topic ‘Google Project Shield’ is closed to new replies.