Page 1 of 1

Brute Force IP Detection

PostPosted: May 10th, 2011, 9:17 pm
by johnleblanc
Aloha Jason!

In certain setups (Rackspace Cloud sites, for instance), 'REMOTE_ADDR' reflects the IP address of a load balancer and the true client IP is in 'HTTP_X_FORWARDED_FOR'.

I discovered this today when a single user exceeded the failed login threshold and all users were locked out. :oops:

I'm wondering if you'd be willing to add a new filter within s2member/includes/classes/brute-force.inc.php so that users may define alternatives to $_SERVER["REMOTE_ADDR"] for user IP detection?

Mahalo!
John

Re: Brute Force IP Detection

PostPosted: May 11th, 2011, 2:12 am
by Jason Caldwell
Thanks for the excellent question.

Yea, I've seen this issue myself in the past. Most apps like s2Member ( in my opinion ), should just use $_SERVER["REMOTE_ADDR"], so that you don't have several plugins, all using a different set of techniques. In other words, ideally, you want your server to report this information inside $_SERVER["REMOTE_ADDR"], and ideally, every application you have running would use that standardized Super Global. This way all software that collects IP addresses, will use the same source ( i.e. whatever value your server places into $_SERVER["REMOTE_ADDR"] ).

Now, I'm aware that some Cloud Computing models do NOT fill this field correctly, but ( in my opinion ), the solution is not to change each individual piece of software, but rather, to implement something on your own to normalize the existing Super Global $_SERVER["REMOTE_ADDR"].

Here's how it's done on Rackspace Cloud Computing models.

1. Open your php.ini file ( or it can also be done via .htaccess ).
Using PHP.ini do this: auto_prepend_file = /path/to/remote-addr.php
Or, using .htaccess, do this: php_value auto_prepend_file /path/to/remote-addr.php

2. Create the /remote-addr.php file with this PHP code snippet.

For Rackspace, you would use something like this:
Code: Select all
<?php
$_SERVER
["REMOTE_ADDR"] = $_SERVER["HTTP_X_CLUSTER_CLIENT_IP"];
?>
* No spaces or extra lines before or after <?php ?>


Or, if your Rackspace account has SSL enabled ( i.e. you have an SSL-enabled IP, use this )
Code: Select all
<?php
$_SERVER
["REMOTE_ADDR"] = $_SERVER["HTTP_X_FORWARDED_FOR"];
?>


Reference articles:
http://cloudsites.rackspacecloud.com/in ... address%3F
http://stackoverflow.com/questions/3841 ... php-script
http://www.php.net/manual/en/ini.core.p ... epend-file

Re: Brute Force IP Detection

PostPosted: May 11th, 2011, 7:02 pm
by johnleblanc
Jason,

You are the BOMB! This totally works:
Code: Select all
$_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_X_FORWARDED_FOR"] 

In my environment, I see that "HTTP_X_FORWARDED_FOR" is set to the proper client IP regardless of whether the request arrives via http or https and "HTTP_X_CLUSTER_CLIENT_IP" is always the IP of the load balancer.

Just curious why your example sets REMOTE_ADDR to the load balancer IP over http and conditionally sets REMOTE_ADDR to the proper client IP over https?

Mahalo!
John

Re: Brute Force IP Detection

PostPosted: May 13th, 2011, 3:15 am
by Jason Caldwell
Thanks for the follow-up John. Much appreciated buddy!

Gotchya. So it seems that Rackspace handles this NOT based on whether SSL is currently in use, but based on whether or not your account has SSL enabled period ( i.e. if your IP is SSL-enabled ). So you are correct, I've updated the code sample above. Based on this article ( May 2011 ): http://cloudsites.rackspacecloud.com/in ... address%3F