IPv6 breaks Login Lockdown Feature

Resolved st01en
(@st01en)

10 years, 6 months ago

When I try to access my site via IPv6 I get the following error:
ERROR: Login failed because your IP address has been blocked. Please contact the administrator.

If I disable IPv6 on the computer accessing the site, I’m able to login and can verify that no IPv6 addresses appear in the Locked IP Addresses list.

Possibly related: Reaching the number of failed attempts when using IPv6 does not add an IPv6 address to the Locked IP Addresses list.

https://ww.wp.xz.cn/plugins/all-in-one-wp-security-and-firewall/

Viewing 12 replies - 1 through 12 (of 12 total)

Plugin Contributor mbrsolution
(@mbrsolution)

10 years, 6 months ago

Hi, just curios did you by any chance add an IPv6 address to the Login Whitelist tab under Brute Force settings?

Thread Starter st01en
(@st01en)

10 years, 6 months ago

No, there are no IPs (v4 or v6) there, and that feature is not turned on.
Will try it out and see what happens.

Thread Starter st01en
(@st01en)

10 years, 6 months ago

I’m not able to add an IPv6 address to the whitelist, I get this error:
2001:470:81e5::1 is not a valid ip address format.

Plugin Contributor mbrsolution
(@mbrsolution)

10 years, 6 months ago

Thank you for getting back to me. The plugin developers will investigate further your issue.

Plugin Contributor wpsolutions
(@wpsolutions)

10 years, 6 months ago

I’m not able to add an IPv6 address to the whitelist, I get this error:
2001:470:81e5::1 is not a valid ip address format.

You are running an old version of the plugin. We added IPv6 support for the whitelist feature in last release.

Thread Starter st01en
(@st01en)

10 years, 6 months ago

I only installed it 1 week ago, and it updated 3 days or so ago.
The system info tab gives me this for the AIOWPS plugin:

All In One WP Security 4.0.2 http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin

Thread Starter st01en
(@st01en)

10 years, 6 months ago

Also, (and I should have mentioned this) it appears that this only broke with the 4.0.2 update. When I first installed it, I was able to log in with IPv6.

Thread Starter st01en
(@st01en)

10 years, 5 months ago

Some more testing shows that it only breaks there are ip addresses in the block list.

Plugin Contributor wpsolutions
(@wpsolutions)

10 years, 5 months ago

Ok thanks for the info. I will investigate further and apply a fix if necessary.

Thread Starter st01en
(@st01en)

10 years, 3 months ago

Just updated to 4.0.4 and retested, same issue.
Let me know if you need more info.

Thread Starter st01en
(@st01en)

10 years ago

Still busted, looks like this is the offending bit of code (in classes/wp-security-utility-ip-address.php )
/*
* Returns the first three octets of a sanitized IP address so it can used as an IP address range
*/
static function get_sanitized_ip_range($ip)
{
global $aio_wp_security;
//$ip = AIOWPSecurity_Utility_IP::get_user_ip_address(); //Get the IP address of user
$ip_range = ”;
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP); //Sanitize the IP address
if ($valid_ip)
{
$ip_range = substr($valid_ip, 0 , strrpos ($valid_ip, “.”)); //strip last portion of address to leave an IP range
}
else
{
//Write log if the ‘REMOTE_ADDR’ contains something which is not an IP
$aio_wp_security->debug_logger->log_debug(“AIOWPSecurity_Utility_IP – Invalid IP received “.$ip,4);
}
return $ip_range;
}

This will not handle IPv6 addresses correctly.

Plugin Contributor wpsolutions
(@wpsolutions)

10 years ago

Ok thanks.
I have made some changes to the code to rectify this issue.
If you would like me to send you a beta version of the plugin to try please get in touch with me using my contact form.

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘IPv6 breaks Login Lockdown Feature’ is closed to new replies.

Tags