Support » Plugin: NinjaFirewall (WP Edition) - Advanced Security Plugin and Firewall » Wrong super administrator IP in database

  • Hi,

    You gave me the solution to fix that the plugin recognizes my IP.
    However I have this issue in Wp database, detecting Wrong super administrator IP.
    I am in Cloudflare and Ezoic and I get Ezoic IP’s.
    Sorry to say, maybe it’s not from NinjaFirewall but I can’t find any reference about this issue in Wp.org or any other place.
    Can you please point out what I have to look for?
    Thanks in advance

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Could you clarify this part:

    I have this issue in Wp database, detecting Wrong super administrator IP.

    Thanks.

    Thread Starter Irene

    (@arlinaite)

    Hi,

    Thanks for your answer.
    In the _registration_log table of my site database, when I create a new subfolder site, it registers the IP of the user, which is only me. Instead of showing my fixed IP, it shows different IPs all from AWS which is the network that uses Ezoic.

    Plugin Author nintechnet

    (@nintechnet)

    I checked the WordPress code and it uses REMOTE_ADDR to write to registration_log. See https://github.com/WordPress/WordPress/blob/master/wp-includes/ms-functions.php#L2046

    Is NinjaFirewall running in “WordPress WAF” or “Full WAF” mode? You can see that from the “NinjaFirewall > Dashboard”.

    Thread Starter Irene

    (@arlinaite)

    “NinjaFirewall is running in Full WAF mode”

    Thread Starter Irene

    (@arlinaite)

    Thanks for your answer.

    Today I had to disable ninja to access phpmyadmin because it was giving me an error. Should I whitelist my IP in .htninja?

    Plugin Author nintechnet

    (@nintechnet)

    I recommend to whitelist the PHPmyAdmin folder.
    You can use the .htninja script:

    <?php
    /*
     +===========================================================================================+
     | NinjaFirewall optional configuration file                                                 |
     |                                                                                           |
     | See: https://blog.nintechnet.com/ninjafirewall-wp-edition-the-htninja-configuration-file/ |
     +===========================================================================================+
    */
    
    if (strpos($_SERVER['SCRIPT_FILENAME'], '/phpmyadmin/') !== FALSE) {
       return 'ALLOW';
    }
    

    Replace phpmyadmin with the name of the folder where PHPmyAdmin is installed.

    Thread Starter Irene

    (@arlinaite)

    Thanks for your answer.

    1)
    I received the following ninja firewall mail:
    [NinjaFirewall] Alert: File Guard detection
    SERVER_NAME: mysite.com
    USER IP: 170.150.32.6
    Someone accessed a script that was modified or created less than 10 hour(s) ago:

    public_html/wp-content/plugins/onesignal-free-web-push-notifications/sdk_files/OneSignalSDKUpdaterWorker.js.php
    REQUEST_URI: /es/wp-content/plugins/onesignal-free-web-push-notifications/sdk_files/OneSignalSDKUpdaterWorker.js.php?appId=5924229a-e74b-402f-abc0-73df1e877578

    What exactly does it mean? I scanned the site with ninja scanner but didn’t reported anything about onesignal

    2)
    Sorry to ask, but what exactly means?:

    I checked the WordPress code and it uses REMOTE_ADDR to write to registration_log. See https://github.com/WordPress/WordPress/blob/master/wp-includes/ms-functions.php#L2046

    Is NinjaFirewall running in “WordPress WAF” or “Full WAF” mode? You can see that from the “NinjaFirewall > Dashboard”.

    Yes I use Full WAF

    Plugin Author nintechnet

    (@nintechnet)

    1. Did you update the “onesignal-free-web-push-notifications” plugin lately?

    2. Can you confirm that you are using the .htninja to detect the correct IP? Can you show me the code you are using?

    Thread Starter Irene

    (@arlinaite)

    Thanks for your answer

    1. Did you update the “onesignal-free-web-push-notifications” plugin lately?

    The plugin is Version 2.2.1 and was updated 4 weecks ago.

    2. Can you confirm that you are using the .htninja to detect the correct IP? Can you show me the code you are using?

    // Reverse proxy:
    if (! empty($_SERVER['HTTP_CF_CONNECTING_IP']) &&
     filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP) ) {
       $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
    }
    Plugin Author nintechnet

    (@nintechnet)

    I can see “Fixes error for missing OneSignalSDKWorker.js file” in the plugin’s changelog, so I’ll assume it is the reason why you receive the notification.

    The code in the .htninja file is fine. When you check the firewall log, do you see the correct IP addresses?

    Thread Starter Irene

    (@arlinaite)

    The code in the .htninja file is fine. When you check the firewall log, do you see the correct IP addresses?

    Yes in the firewall log IPs are fine.

    Any thorts about this?

    I brought this issue:

    In the _registration_log table of my site database, when I create a new subfolder site, it registers the IP of the user, which is only me. Instead of showing my fixed IP, it shows different IPs all from AWS which is the network that uses Ezoic.

    Plugin Author nintechnet

    (@nintechnet)

    I can’t find a reason why the registration_log table logs the wrong IP address. The .htninja and firewall uses the right one.
    Is there any third-party application (or a command line app/tool) handling the new site registration?

    Thread Starter Irene

    (@arlinaite)

    Is there any third-party application (or a command line app/tool) handling the new site registration?

    No, it’s only me, from the network wordpress backend.

    I find that the same issue is in the apache error log, it shows Ezoic IPs.
    However the access log is showing the real user IPs.
    Now I requested support from Cloudways. Several weeks ago they told me that they whitelisted Ezoic IPs.

    I will come back with the feedback thanks for your patience.

    • This reply was modified 3 months ago by Irene.
Viewing 13 replies - 1 through 13 (of 13 total)
  • You must be logged in to reply to this topic.