Thanks for reporting this. I will add the IP address from x-forwarded-for in the next version.
Let me know if the just released version 2.0.16 fixes this. Thanks.
I updated and logged in and now the remote address is showing both my IP address and the corporate proxy that I am currently going out of. I suppose the corporate proxy is adding the header and then the Amazon ELB is appending the IP of the corporate proxy that it sees.
This is what simple-history is logging:
_server_remote_addr 156.80.xxx.xxx, 128.229.xxx.xxx
The 156.80.xxx.xxx is my actual IP, and the 128.229.xxx.xxx is the IP address that the Amazon ELB would see (corporate outbound proxy).
Just be aware that there may be more than one IP address in the _server_remote_addr field. That is fine with me. I don’t know if a user could try to trick people by putting that header in at the browser, but the last IP address in the list is sure to come from the load balancer in front of the WordPress site, so it can be trusted (if you trust your load balancer). If you only want one IP address, you could check for commas and take the last value in the comma-delimited list.
Thanks.
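The rule suggested in the post above (rely only on the entry the load balancer itself appended, which is the right-most one), written out as an added PHP example; it is not part of the thread and not Simple History's code. The function names and the 172.31.0.0/16 trusted range are assumptions.

```php
<?php
// Added example, not Simple History code. IPv4 only; assumes 64-bit PHP.
// Assumed trusted range: covers the 172.31.26.43 load balancer seen in the thread.
const TRUSTED_PROXIES = ['172.31.0.0/16'];

/** True when $ip is a valid IPv4 address inside one of TRUSTED_PROXIES. */
function is_trusted_proxy(string $ip): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if ((ip2long($ip) & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Choose the address to log. Start at REMOTE_ADDR and walk X-Forwarded-For
 * from right to left; stop at the first hop that is not one of our proxies.
 * Entries left of that hop are client-supplied and are never returned.
 */
function resolve_client_ip(string $remoteAddr, ?string $xff): string
{
    // Peer is not our load balancer: the header is entirely client-controlled.
    if (!is_trusted_proxy($remoteAddr) || $xff === null) {
        return $remoteAddr;
    }
    $client = $remoteAddr;
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = trim($hop);
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            break; // malformed entry: keep the last hop that validated
        }
        $client = $hop;
        if (!is_trusted_proxy($hop)) {
            break; // reported by a trusted proxy but not one of ours: the client
        }
    }
    return $client;
}

// Constructed inputs (documentation ranges), plus one pair taken from the thread.
var_dump(resolve_client_ip('203.0.113.9', '198.51.100.7'));              // direct request carrying its own header
var_dump(resolve_client_ip('172.31.26.43', '86.60.201.162'));            // one hop behind the load balancer
var_dump(resolve_client_ip('172.31.26.43', '198.51.100.7, 192.0.2.44')); // browser-set value, then proxy seen by the LB
```

Logging the full header next to the resolved address, as the plugin does with its separate fields, keeps the unverified left-hand entries available for investigation without treating them as the source address.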
I think this was working at some point but it is no longer working. I see the load balancer IP addresses in the simple history list instead of the forwarded-for IP address.
Thanks for the bug report. I must have made some error during the last updates. Sorry about that, will try to fix again!
@hdeadman: Can you click the time of the event and see if the real IP is among the fields there? It should be called “_server_http_x_forwarded_for_0” or similar.
Yes the real IP is there, as is the remote_addr which is one of the load balancers. Thanks for looking into it.
_server_http_x_forwarded_for_0 86.60.201.162
_server_remote_addr 172.31.26.43
The failed login name is showing up as:
failed_login_username {login}
I don’t know if they are actually trying to log in as {login} or what exactly is going on there.
@hdeadman: Could you send me a copy of all data that comes up when you click the time? The login they try to use should be there too…
Here are samples from two failed login events. The second one is older and WordPress has since been updated to 4.2.0. I am not sure if there is an issue with username, maybe they were actually trying to log in as {login}?
Anonymous user from 172.31.26.43 16 hours ago
Failed to login with username "Administrator" because no user with that username exists warning
Key Value
id 11285
logger SimpleUserLogger
level warning
date 2015-04-26 22:36:10
message Failed to login with username "{failed_login_username}" because no user with that username exists
type
initiator web_user
occasionsID fc19fe068b4a1e111ed26b846cc30560
subsequentOccasions 1
rep 1
repeated 2
occasionsIDType fc19fe068b4a1e111ed26b846cc30560
context_message_key user_unknown_login_failed
_server_http_x_forwarded_for_0 74.208.163.254
_server_remote_addr 172.31.26.43
_message_key user_unknown_login_failed
failed_login_username Administrator
server_http_user_agent
From last week (WordPress has since been updated to 4.2.0)
Anonymous user from 172.31.26.43 Apr 17, 2015 at 7:57
Failed to login with username "{login}" because no user with that username exists warning
Key Value
id 11253
logger SimpleUserLogger
level warning
date 2015-04-17 07:57:54
message Failed to login with username "{failed_login_username}" because no user with that username exists
type
initiator web_user
occasionsID fc19fe068b4a1e111ed26b846cc30560
subsequentOccasions 1
rep 1
repeated 26
occasionsIDType fc19fe068b4a1e111ed26b846cc30560
context_message_key user_unknown_login_failed
_server_http_x_forwarded_for_0 86.60.201.162
_server_remote_addr 172.31.26.43
_message_key user_unknown_login_failed
server_http_user_agent Mozilla/5.0 (Windows NT 5.1; rv:29.0) Gecko/20100101 Firefox/29.0
failed_login_username {login}
Thanks for the samples.
It’s indeed a good question 🙂 and I do actually think they have tried with that login. I checked my code and can’t find anything weird that could cause this. I’ve seen similar attempts on my sites or in spam email I have received. My guess is that some people are brute force attacking WordPress sites with a program where they have made an error and the {login} variable in their software does not get replaced by a login name from a dictionary or so.