Forum Replies Created

Viewing 2 replies - 76 through 77 (of 77 total)
  • I looked at the BWPS code to see how it is getting the IP address of the visitor. This is what I found…

    //Get the forwarded IP if it exists
    if ( array_key_exists( 'X-Forwarded-For', $headers ) ) {
    
    	$theIP = $headers['X-Forwarded-For'];
    
    } else {
    
    	$theIP = $_SERVER['REMOTE_ADDR'];
    
    }

    As I read this, if the attacker is using a proxy server, BWPS is ignoring that and using the actual user’s IP address.

    I don’t know about your logging software, maybe it also gives the user’s actual IP address instead of the proxy IP address (for logging access, that makes sense to me).

    Maybe there is a way to configure Apache to use “X-Forwarded-For” headers when evaluating “deny from” directives in .htaccess. More research is required…

    But, I don’t think it would be wise for BWPS (or anything else) to start banning proxy server IP addresses. That could cause unintended DOS for legitimate users behind a proxy.

    I’m seeing something like this too. But it goes like this…

    Attacker attacks site.
    BWPS bans IP address of attacker.
    Attacker attacks again after ban timeout.
    BWPS adds IP address of attacker to .htaccess.
    After ban timeout, attacker can attack again.

    I think what might be happening (I don’t have enough access to the server to test this) is that the attacker is using a proxy server. BWPS is banning the client’s real IP address, but what Apache sees as the connection IP address is the proxy IP address, so the connection isn’t dropped.

    Since BWPS seems to use the real client IP address, I worked around this by manually editing the BWPS lock-out in mySQL and made the timeout of the database to be 20 years in the future.

Viewing 2 replies - 76 through 77 (of 77 total)