Failed Logins from Private IPs

  • Resolved GreywolfComputer

    (@greywolfcomputer)


    10 years, 5 months ago

    I manage several sites that I have implemented Wordfence and Sucuri in the battle against hacks. A few months ago, they were on a shared hosting account. After having a problem with someone getting access to the shared hosting folders through one of the sites, I moved them off to their own hosting accounts. Some are basic hosting and some are managed wordpress hosting.

    Once in a while, I would get a notice from Sucuri of a failed login from a private IP address. As of a couple days ago, I am getting several. I’ve discovered that all of the alerts containing private IPs are on the managed wordpress hosting accounts.

    How is this happening?

    https://ww.wp.xz.cn/plugins/sucuri-scanner/

Viewing 3 replies - 1 through 3 (of 3 total)
  • yorman

    (@yorman)

    10 years, 5 months ago

    I did not understand the last part, when you say that you “[…] discovered that all of the alerts containing private IPs are on the managed wordpress hosting accounts”, are you saying that the alerts are from the same origin? Can you provide more information about the issue so I can have a better understanding of what is happening in your website?

    Thread Starter GreywolfComputer

    (@greywolfcomputer)

    10 years, 5 months ago

    When I made the move from 1 shared hosting plan to their own plans, I moved some sites to regular hosting. Some I moved to Managed WordPress hosting. In looking back through the history of alert emails I received notifying me of the failed logins, I noticed that the regular hosting accounts never get the attempts from private IPs. Only the websites on managed wordpress hosting get the attempts from private IPs.

    The ones from the last few days have been on one website (It appears they gave up on the other sites) and the IPs are all varying IPs in the ranges of:

    10.x.x.x
    172.16.x.x
    192.168.x.x

    yorman

    (@yorman)

    10 years, 5 months ago

    I understand now, I believe these IP addresses are being reported incorrectly by the plugin when a reverse proxy is in the middle of the connection, there is an option in the settings page that can be used to modify that behavior but the current code contains a bug that I fixed several weeks ago but has not been publicly release, please use the development version [1] and use the form in the “IP Address Discoverer” panel to change the HTTP header that is being used to retrieve the real IPs; let me know if that helps.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Failed Logins from Private IPs’ is closed to new replies.