Blocked IP addresses in Cloudron but still able to access WordPress sites
-
I recently added a bunch of IP addresses to the block list in Cloudron a few days ago, however I noticed one of my client sites is still seeing a bunch of spam user account registrations and when I checked the IP address in the logs, it matches one that's already on the list of the block list.
IP address: 46.161.15.14
It's on the network block list from a few days ago. I double-checked it today after checking the WordPress app logs. The WordPress app logs show this:
2023-12-02T04:39:12.000Z 46.161.15.14 - - [02/Dec/2023:04:39:11 +0000] "GET /wp-login.php?action=register HTTP/1.1" 302 - "https://{domain}/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
2023-12-02T04:39:13.000Z 46.161.15.14 - - [02/Dec/2023:04:39:13 +0000] "GET /wp-login.php?registration=disabled HTTP/1.1" 200 8357 "https://{domain}/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
2023-12-02T04:43:01.000Z 46.161.15.14 - - [02/Dec/2023:04:43:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 302 - "https://{domain}/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
2023-12-02T04:43:02.000Z 46.161.15.14 - - [02/Dec/2023:04:43:01 +0000] "GET /wp-login.php?registration=disabled HTTP/1.1" 200 8357 "https://{domain}/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
How is this possible? Have I misunderstood how the network IP block list works? Or is it a defect/bug inside of Cloudron?
To be fair, even though it shows up on the network block list, maybe it's related to the issue I reported earlier the other day when adding a bunch of them?
-
@d19dotca I think the network block list never completely applied because of the size of the ipset. That's most likely the root cause.
-
G girish marked this topic as a question on
-
@girish said in Blocked IP addresses in Cloudron but still able to access WordPress sites:
@d19dotca I think the network block list never completely applied because of the size of the ipset. That's most likely the root cause.
I know that this feature was likely originally intended to be a manual update rather than importing a giant list and works well for that, but as threats/spam become more commonplace, I think we’ll need Cloudron to keep up. Is it possible to prioritize improving this feature soon for us to allow thousands of IP addresses being added?
@robi said in Blocked IP addresses in Cloudron but still able to access WordPress sites:
Perhaps move those to the top of the list to see the logs stop showing them.
That’s a good idea, I’ll test that out. Thanks Robi.
-
@d19dotca said in Blocked IP addresses in Cloudron but still able to access WordPress sites:
I know that this feature was likely originally intended to be a manual update rather than importing a giant list and works well for that, but as threats/spam become more commonplace, I think we’ll need Cloudron to keep up. Is it possible to prioritize improving this feature soon for us to allow thousands of IP addresses being added?
Fully agree! A strong network filter / block would be another USP
-
J james has marked this topic as solved on