WAF rule bypassed

Hi,
I set up a WAF rule for a domain “guidecomo.it” as follows: if (ip.geoip.country ne “IT” and http.request.full_uri eq (https://guidecomo.it/wp-login.php)) then block; that should block the login path to any IP not originating from Italy.
Actually, this rule works fine with the exception of someone using Cloudflare’s AS13335 IPs, such as 172.70.85.25 or 141.101.98.18 or 162.158.159.131 (as you can see from the screenshot taken from my site’s Wordfence plugin) who always bypasses it.

Could anyone explain why this may be possible?
Many thanks
Enrico

imgur.com/a/B6t9Wa9

That sure looks like you don’t have your site configured to Restore Visitor IP addresses.

Wordfence has this option built in. Please read their instructions on How Wordfence Gets IPs:

Here’s how to do it in general with mod_remoteip:
https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs#C5XWe97z77b3XZV

My additional comments on top of what @sdayman mentioned: since you have the firewall rule in place and it works for you, then very likely those login attempts that you noticed in Wordfence were actually the requests that were not blocked by your firewall rule. It’s just that the “Restore Visitor IP addresses” option was not configured hence you see those Cloudflare IP addresses appear in your Wordfence logs.

1 Like

Hi Eric and @sdayman, thanks for your reply.
I figured out it’s a problem with the real IP not being listed correctly in Wordfence logs. I can’t find any option that allows me to “Restore IP addresses of visitors”, at least this is not available in my free version. However, even if I find a way to see the real IP, that doesn’t solve the problem of the WAF rule being bypassed by this IP. So I have to focus on a better rule, if I can configure it right.
Thanks again for your help.

You don’t know the WAF rule isn’t functioning as expected without knowing what the actual visitor IP address is.

Restarting the visitor IP address:

https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

It’s available in the free version. The instructions I linked to show where it is. It’s near the very top of the Options page: https://guidecomo.it/wp-admin/admin.php?page=WordfenceOptions

Hi,
I found it and this is the list of options that I can use in the Wordfence Panel: at the moment I’m using the 1st one.

[How does Wordfence get IPs options]

  1. Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites. (Recommended)
  2. Use PHP’s built in REMOTE_ADDR and don’t use anything else. Very secure if this is compatible with your site.
  3. Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result.
  4. Use the X-Real-IP HTTP header. Only use if you have a front-end proxy or spoofing may result.
  5. Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.

Which one should I use then?
Regards
Enrico

thanks
Enrico

This is what I use:

Thanks, I will try the same.
Regards
Enrico

1 Like
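An added example, not part of the thread and not Wordfence's or Cloudflare's code: the logic behind "restoring the visitor IP" discussed above, where `CF-Connecting-IP` is trusted only when the connecting peer is a Cloudflare edge address. The function names and sample requests are constructed for illustration, and the network list is only the subset of Cloudflare's published ranges that covers the three addresses quoted in the first post.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges, enough to cover the three
# addresses quoted in the thread. Assumption: a real deployment loads the
# full, current list from https://www.cloudflare.com/ips/.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13")]

def is_cloudflare_edge(addr):
    """True if addr (the TCP peer, i.e. REMOTE_ADDR) is a Cloudflare edge."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_NETS)

def visitor_ip(remote_addr, headers):
    """Return (visitor_ip, source, via_cloudflare).

    CF-Connecting-IP is honoured only when the peer is a Cloudflare edge;
    from any other peer the header is attacker-controlled and is ignored.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    via_cf = is_cloudflare_edge(remote_addr)
    if via_cf:
        try:
            claimed = ipaddress.ip_address(hdrs.get("cf-connecting-ip", "").strip())
            return str(claimed), "CF-Connecting-IP", True
        except ValueError:
            pass  # header missing or malformed: fall back to the peer address
    return remote_addr, "REMOTE_ADDR", via_cf

# Constructed sample requests to /wp-login.php (visitor addresses are
# documentation-range placeholders, not real log data).
SAMPLE = [
    ("172.70.85.25", {"CF-Connecting-IP": "203.0.113.7"}),    # proxied request
    ("141.101.98.18", {}),                                    # proxied, header lost
    ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),    # direct hit, spoofed header
]

def resolve_all(requests):
    return [visitor_ip(peer, hdrs) for peer, hdrs in requests]

if __name__ == "__main__":
    for (peer, _), (ip, source, via_cf) in zip(SAMPLE, resolve_all(SAMPLE)):
        note = "" if via_cf else "  <- did not pass through Cloudflare"
        print(f"peer={peer:<16} visitor={ip:<16} from {source}{note}")
```

A request flagged as not passing through Cloudflare reached the origin directly, so no Cloudflare firewall rule was ever evaluated for it.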