codeling / bfstop

Brute Force Stop Plugin (for Joomla!)
https://bfstop.bfroehler.info
GNU General Public License v3.0

Blocked from website from different IP #138

Closed InDiCa83 closed 7 years ago

InDiCa83 commented 7 years ago

Hello,

Went to check on 1 of my websites this morning to find I was blocked from it on both frontend and backend with "TOO MANY LOGIN ATTEMPTS from 10.10.111.4". This is the default message I have set when too many attempts are made and the IP is blocked permanently.

My IP is completely different from this and added to the white list, yet somehow the plugin thinks the blocked IP address is mine; this was tested on multiple computers with the same result. If I kept refreshing or reloading my browser the website would eventually load but again block me after a few minutes.

I have had to disable the plugin by deleting the bfstop.php file via FTP so I could get back onto the website. In the administration area of bfstop there are multiple blocked entries from the same IP as shown in the image attached.

Any ideas what could be causing this issue?

Kind Regards, Nick. (attached image: blocked)

codeling commented 7 years ago

Is your server running behind some kind of load balancing or (reverse) proxy? The current version (1.3.0) does not support this yet, in the current git master there was some support added (https://github.com/codeling/bfstop/issues/125).

InDiCa83 commented 7 years ago

No load balancing and the server IP starts with 77.xx.xx.xx

When the site was blocking me I did check my external IP. I have a static IP and was instantly able to see that my external IP was showing correctly, and my IP is in the whitelist.

I have 3 websites using the plugin, all on the same host, and only this 1 site appears to be affected. I have checked from multiple computers on the same network but not from another network yet.

I was using a VPN this morning, but this was turned off before I checked the website. Would this actually affect other computers on my network?

I will reinstall the deleted .php file and try again.

EDIT:

I have just reinstalled the plugin files and the website instantly blocked me from both my home network and my mobile network, but with different IPs:

TOO MANY LOGIN ATTEMPTS Your IP is: 10.10.111.5 (Home Network)
TOO MANY LOGIN ATTEMPTS Your IP is: 10.10.111.6 (Mobile Network)

I have just noticed that these are private IP addresses that are blocked. Could this mean that someone has tried to log into my website from within the website's server network? Or is it possible to spoof private IP addresses and use them for brute force attacks?

codeling commented 7 years ago

bfstop doesn't generally disable site access, but only blocks the IP addresses it identified as responsible for the failed logins; so if you are getting this message when accessing your site, then this means that you are currently accessing the site from what bfstop thinks is the address you show (or via a proxy with that address, or the server is behind a reverse proxy with that address).

Could you test what a PHP script prints for $_SERVER['REMOTE_ADDR'] on the server in question? (i.e., create a PHP file with content <?php echo($_SERVER['REMOTE_ADDR']); , put it on your server, access it via your browser, and check what it prints).

InDiCa83 commented 7 years ago

Ran the script and I get the result:

10.10.111.4

On every refresh the last number changes from 2 to 6.

codeling commented 7 years ago

That means the systems actually accessing the server where bfstop is installed have those 10.10.111.2-6 IP addresses. All you have to figure out is what those systems are ;). I still suspect a reverse proxy or load balancer here. You could try applying the change from here: https://github.com/codeling/bfstop/commit/f3b476888e461c0d4b33f26135d35d894410a72a and see if it makes any difference.
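The point codeling makes above (REMOTE_ADDR is the address of whatever connects to the web server directly, which behind a load balancer is the balancer itself) is the reason any "real client IP" logic has to be scoped to known proxies. The following is an added illustration and not bfstop's own code nor what the linked commit does; it assumes the balancer lives in 10.10.111.0/24 (constructed from the addresses seen in this thread) and that it forwards the original client address in an X-Forwarded-For header. The header is consulted only when the direct peer is one of the configured proxies; from any other peer it is ignored, because a client can set that header itself.

```php
<?php
// Added example, not part of bfstop. Assumed: trusted proxies in
// 10.10.111.0/24 (constructed from the thread) and an X-Forwarded-For header.

// True if $ip (IPv4) lies within $cidr ("a.b.c.d/n" or a bare address).
function ipInCidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isTrustedProxy(string $ip, array $trustedProxies): bool
{
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the address that should be used for rate limiting / blocking.
// $server is the $_SERVER array (passed in so the function is testable).
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Direct peer is not a known proxy: its own address is the client, and
    // any X-Forwarded-For it carries is untrusted input.
    if (!isTrustedProxy($remote, $trustedProxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // X-Forwarded-For is "client, proxy1, proxy2, ...". Walk from the right,
    // skipping every hop that is a trusted proxy; the first other address is
    // the client as seen by the outermost proxy we trust.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed header: fall back to the peer address
        }
        if (!isTrustedProxy($hop, $trustedProxies)) {
            return $hop;
        }
    }
    return $remote;
}

$trustedProxies = ['10.10.111.0/24'];

// Case 1 (constructed): request arrives through the host's balancer, which
// reports the visitor in X-Forwarded-For.
$viaProxy = [
    'REMOTE_ADDR'          => '10.10.111.4',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
];
echo resolveClientIp($viaProxy, $trustedProxies), PHP_EOL;

// Case 2 (constructed): a direct connection that supplies its own header;
// the header must not override the peer address.
$direct = [
    'REMOTE_ADDR'          => '198.51.100.9',
    'HTTP_X_FORWARDED_FOR' => '10.10.111.4',
];
echo resolveClientIp($direct, $trustedProxies), PHP_EOL;
```

In the first case the forwarded address is returned, so blocks land on the actual visitor rather than on the balancer; in the second the peer address is returned and the supplied header has no effect. The trusted-proxy list is the only thing that makes the header safe to use, so it should be limited to the hosting provider's actual balancer range rather than to all private address space.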

InDiCa83 commented 7 years ago

I have looked through all the options provided by my host... load balancing is disabled, but strangely another option labelled "Boost" is enabled and upon further reading it states it uses Intelligent Load Balancing, so I am now confident this is the problem. I will try the update you linked to and let you know of the results.

Thanks.

codeling commented 7 years ago

There is a new release available, it should address this issue: https://github.com/codeling/bfstop/releases/tag/1.4.1

Please comment here or open a new issue if you should still encounter any problems with that new version!