• Resolved BrianJM

    (@brianjm)


    Hello,

    If I view the firewall log in the browser, NinjaFirewall indicates the name is “firewall_2015-04” and it is 6,010 bytes in length. However, through the browser, there is nothing in the log viewer other than the following:

    DATE INCIDENT LEVEL RULE IP REQUEST

    If I FTP to the server, I can download /wp-content/nfwlog/firewall_2015-04.php to view the log and all of the contents.

    Is this a known defect?

    Thanks!

    https://ww.wp.xz.cn/plugins/ninjafirewall/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Can you send us the log (contact -at- nintechnet.com) so that we can test it? There could be a bug somewhere.
    Simply add “BrianJM” and the link to this discussion to your email message.

    Thread Starter BrianJM

    (@brianjm)

    Sent!

    Plugin Author nintechnet

    (@nintechnet)

    It comes from the fact that you have 2 IPs recorded, rather than one:

    [1428572728] [0.00115] [your-domain.com] [#2083076] [0] [3] [95.128.246.44, 127.0.0.1] [403] [POST] [/wp-admin/admin-ajax.php] [File upload attempt] [revslider.zip, 19,182 bytes]

    You can see that, in that hacking attempt coming from 95.128.246.44, it also shows the localhost IP 127.0.0.1.

    Are you using the .htninja configuration file to modify the way the firewall should retrieve the user's IP?

    Thread Starter BrianJM

    (@brianjm)

    Yes, but only so that HTTP_X_FORWARDED_FOR is taken into account. Apache sits behind a Varnish cache server.

    Here is the .htninja:
    if ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) ) {
    	$_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }

    Plugin Author nintechnet

    (@nintechnet)

    That’s what I thought.
    The problem here is that it appends the localhost IP too.

    You would either need to:
    -Modify your server config so that it forwards only the client IP.
    Or:
    -Modify the .htninja script to use the first IP:

    if ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) ) {
    	$ips = @explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'], 2);
    	$_SERVER["REMOTE_ADDR"] = $ips[0];
    }
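
A stricter variant of the .htninja snippet above, as an added example that is not part of the original thread or NinjaFirewall's own code: it honours X-Forwarded-For only when the connection comes from the local proxy, and takes the right-most address that is not a trusted proxy, so plain and SSL requests both yield a single IP. The names `nfw_client_ip` and `NFW_TRUSTED_PROXIES` are hypothetical, the proxies are assumed to connect from loopback, and the sample requests are constructed.

```php
<?php
// Added example, not NinjaFirewall code.
// Assumption: Varnish and the SSL terminator both connect from loopback.
const NFW_TRUSTED_PROXIES = ['127.0.0.1', '::1']; // hypothetical name

function nfw_client_ip(array $server, array $trusted = NFW_TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Honour the header only when the TCP peer is one of our own proxies;
    // a direct connection can put anything in X-Forwarded-For.
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // Walk the list right to left: the right-most entries were appended by
    // our proxies, anything further left came from the client side.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop and fall back to the peer address
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first address that is not one of our proxies
        }
    }
    return $peer;
}

// Constructed sample requests (addresses reused from the log lines in this thread).
$samples = [
    'plain via Varnish'     => ['REMOTE_ADDR' => '127.0.0.1',
                                'HTTP_X_FORWARDED_FOR' => '95.128.246.44'],
    'SSL via Varnish'       => ['REMOTE_ADDR' => '127.0.0.1',
                                'HTTP_X_FORWARDED_FOR' => '95.128.246.44, 127.0.0.1'],
    'extra client entry'    => ['REMOTE_ADDR' => '127.0.0.1',
                                'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 89.97.141.237, 127.0.0.1'],
    'direct, header forged' => ['REMOTE_ADDR' => '89.97.141.237',
                                'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'malformed header'      => ['REMOTE_ADDR' => '127.0.0.1',
                                'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($samples as $label => $server) {
    printf("%-22s => %s\n", $label, nfw_client_ip($server));
}

// In .htninja itself the call would be:
// $_SERVER['REMOTE_ADDR'] = nfw_client_ip($_SERVER);
```
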

    Thread Starter BrianJM

    (@brianjm)

    Fair enough. Long story short, SSL requests have the localhost IP appended and standard requests do not (SSL termination is completed before Varnish).

    I’ve seen NF block brute force attempts already. When it does this, and two IP addresses are provided, does NF use the combination of both IP addresses?

    In the example below, what IP address is used here to block BF attempts? “89.97.141.237”, “89.97.141.237, 127.0.0.1”, or “127.0.0.1”?

    [1428536217] [0.00142] [mydomain.com] [#6517592] [0] [3] [89.97.141.237, 127.0.0.1] [401] [POST] [/wp-login.php] [Brute-force attack detected on wp-login.php] [enabling HTTP authentication for XXmn]

    Plugin Author nintechnet

    (@nintechnet)

    The brute-force protection is not affected because it does not rely on IP.

    I will make some changes to the log, so that it will show all IPs. There is no reason not to show them, after all.
    But I recommend you try to modify your .htninja as per my example, because WP and some of its plugins could have some problems understanding what is going on if there is more than one IP.

    Thread Starter BrianJM

    (@brianjm)

    I have done as you suggested. Thanks for the help!


The topic ‘Firewall log is empty (but shows bytes)’ is closed to new replies.