Support » Plugin: Wordfence Security - Firewall & Malware Scan » Not detecting IP ?

  • Resolved eminozlem

    (@eminozlem)


    I have someone spamming search queries, but can’t detect their IP. I have tried all options under “How does Wordfence get IPs” but it’s still showing my own server IP.

    https://imgur.com/a/zgBYuIJ

    PS: I am 99.9999% sure it is someone from outside doing this. I’ve blocked them before when I could see their IPs, but for some reason I can’t see their IPs now; it’s showing the server IP instead.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @eminozlem,

    Thank you for the screenshot and detail of the problems you’ve been seeing. Just to confirm the issue: if you look up your public-facing IP address at https://www.whatsmyip.org/ and re-visit Wordfence > Dashboard > Global Options > General Wordfence Options > How does Wordfence get IPs and cycle through the options again, do still none of the values match it? Make sure to click SAVE if you do change this to a working option.

    You may find the “How does Wordfence get IPs” section informative on: https://www.wordfence.com/help/dashboard/options/#general-wordfence-options

    There’s also some information on there around the correct configuration if you’re on Cloudflare – as not doing this can exhibit problems that resemble what you’re seeing.

    If none of that info seems to do the trick, please send me a diagnostic report to wftest @ wordfence . com. You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Note: For the fastest response time, please make sure and add any information or questions directly to this topic and not the email address above unless asked.

    Thanks,

    Peter.

    Thread Starter eminozlem

    (@eminozlem)

    Hi, thanks for the reply. I’ve cycled through all options; the shown IP is my server’s IP, not my PC’s.

    I’ve submitted a report by email with the username and link to this topic.

    Here is another screenshot that might give a clue: https://imgur.com/a/594jQUP

    Like I said, that listed IP, 21x.xxx.xxx.xxx, is my server’s IP; idk if it’s something about Varnish, Apache or something else.

    Thread Starter eminozlem

    (@eminozlem)

    I just remembered: I think this website was on PHP 7.4 when it was attacked like 10 days ago, and the IPs were showing correctly. I’ve upgraded to PHP 8.0 since then; that might be the culprit.

    I will try switching back to PHP 7.4 to see if that helps and I’ll report back.

    Thread Starter eminozlem

    (@eminozlem)

    Update: downgrading to PHP 7.4 didn’t change anything and the website is still under attack, someone spamming long search queries through s.php..

    I’ve tried disabling search but that also didn’t help. The only solution I could come up with (since I can’t see their IPs) was to block the search at htaccess level.

    https://imgur.com/6X4wGhV

    Plugin Support wfpeter

    (@wfpeter)

    Hi @eminozlem,

    I’m wondering if something your host is doing before requests come in, such as load balancing or a firewall, is obscuring the REMOTE_ADDR, CF-Connecting-IP, X-Real-IP or X-Forwarded-For values that would help Wordfence discover the visitor IP address. In its current configuration, blocks would affect all visitors to your site, including yourself, if the same IP is being displayed for everybody.

    I have not received any diagnostics from your username or site that would help me look into what’s going on with IP detection or incoming/outgoing requests for your site, so could you click EXPORT on Wordfence > Tools > Diagnostics which will download a .txt file. Please forward it to wftest @ wordfence . com with your username in the subject line so I can easily identify it.

    Thanks again,

    Peter.

    Thread Starter eminozlem

    (@eminozlem)

    I’ve previously submitted the report through the button, but anyway I’ve explicitly mailed you now also.

    Btw, what do you think about this kind of search query spam? I have to say it was pretty nasty; it was like a full-on DDoS attack.
    Like I said, I’ve tried “disabling search” but that didn’t help either; the only solution I could come up with was blocking that specific query at htaccess level.
    I’d appreciate any other suggestions.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @eminozlem, we didn’t receive the regular diagnostic but the exported one did come through, so thank you for providing that to us. I apologise for the delay.

    X-Real-IP is in use by the looks of things and has correctly identified an IP that is not used by your server, so we would usually assume it to be the IP of the visiting computer. However, from time to time we do see reported IPs of load balancers or similar that cause all traffic routed to a site to show as the same IP. This can be problematic as ALL visitors would be blocked if one visitor violates a Wordfence rule. In a case such as this, where Wordfence never gets the chance to see the correct IP and displays everybody’s as the same, you should contact your host to see if they can rectify this.

    Search query spam has been something we have seen before and I totally agree that it can be frustrating to see such a high volume of traffic coming in trying to target your site.

    An IP will be blocked for the duration you have specified under Wordfence > All Options > Rate Limiting Rules > How long is an IP address blocked when it breaks a rule, so you may notice the consecutive attempts have a slight delay but it’s not been long enough for these attempts to fully time out so they’re trying again once the block is lifted… only to be re-blocked again. You can increase this value to hours or even days to try stemming this flow if you’re noticing a lot of heavy activity.

    Wordfence, as an endpoint firewall, cannot stop a bot or human from trying to visit your website altogether, but rather deals with the visits appropriately when they happen – which it looks like Wordfence is doing.

    Wordfence does all of the important blocking for you automatically so you don’t have to. It may be tempting to permanently block these attempts when you see them but it’s generally an ineffective strategy and takes up your time, so please consult the following links for more information:

    https://www.wordfence.com/blog/2017/11/should-permantly-block-ips/
    https://www.wordfence.com/help/blocking/#ip-address

    Hopefully this information helps you out.

    Thanks,

    Peter.
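
An added example, not part of the thread and not Wordfence's own code: a PHP function that shows what each of the four IP sources named above (REMOTE_ADDR, CF-Connecting-IP, X-Real-IP, X-Forwarded-For) yields for one request, and resolves the visitor address only through proxies you operate. The function names, the trusted-proxy list and the sample request are constructed for illustration.

```php
<?php
// Added example; function names and sample values are hypothetical.
function valid_ip(?string $value): ?string
{
    $value = trim((string) $value);
    return filter_var($value, FILTER_VALIDATE_IP) !== false ? $value : null;
}

// Forwarding headers are honoured only when the direct peer (REMOTE_ADDR)
// is one of our own proxies; otherwise any client could spoof them.
function resolve_client_ip(array $server, array $trustedProxies): array
{
    $seen = [
        'REMOTE_ADDR'      => valid_ip($server['REMOTE_ADDR'] ?? null),
        'CF-Connecting-IP' => valid_ip($server['HTTP_CF_CONNECTING_IP'] ?? null),
        'X-Real-IP'        => valid_ip($server['HTTP_X_REAL_IP'] ?? null),
        'X-Forwarded-For'  => null,
    ];
    // X-Forwarded-For reads "client, proxy1, proxy2": walk from the right
    // and keep the first hop that is not one of our own proxies.
    $hops = array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach ($hops as $hop) {
        $ip = valid_ip($hop);
        if ($ip === null) {
            break; // malformed or empty entry: stop trusting the chain
        }
        if (!in_array($ip, $trustedProxies, true)) {
            $seen['X-Forwarded-For'] = $ip;
            break;
        }
    }
    $peer = $seen['REMOTE_ADDR'];
    $viaProxy = $peer !== null && in_array($peer, $trustedProxies, true);
    $resolved = $viaProxy ? ($seen['X-Forwarded-For'] ?? $seen['X-Real-IP'] ?? $peer) : $peer;
    // resolved_is_proxy === true is the symptom in this thread: every
    // visitor would be logged, and blocked, under the server's own address.
    return ['seen' => $seen, 'resolved' => $resolved,
            'resolved_is_proxy' => in_array($resolved, $trustedProxies, true)];
}

// Constructed request: Varnish on 203.0.113.10 fronts Apache on the same host.
$sample = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 203.0.113.10',
    'HTTP_X_REAL_IP'       => '203.0.113.10', // proxy wrote its own address here
];
print_r(resolve_client_ip($sample, ['203.0.113.10', '127.0.0.1']));
```

Passing `$_SERVER` instead of `$sample` on the affected site shows which source, if any, still carries the visitor address; if every source holds the proxy's address, the fix has to happen at the proxy or host, as the reply above says.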

  • The topic ‘Not detecting IP ?’ is closed to new replies.