
HTTP_X_FORWARDED_FOR not logged into apache access log

Hello there,

It seems we are facing a brute force attack on wp-login.php and xmlrpc.php in one of our vhosts, and this vhost is pointed at the LB.

We are using the Log Format configuration below, but all access.log entries contain the Google IP, not the real visitor.

LogLevel warn
#LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined # not working either
LogFormat "%a %l %u %t \"%r\" %>s %b %O \"%{Referer}i\" \"%{User-Agent}i\"" combined # changed to %h, not working
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/vhosts.com/access_log.%Y%m%d 86400" combined
ErrorLog  "|/usr/sbin/rotatelogs /var/log/httpd/vhosts.com/error_log.%Y%m%d 86400"

I also tried some other Log Format configurations (I forget which one); with it I could see the real visitor IP, but it contains 2 IPs. Here is a sample of the log (xx.yy.zz.32 is our LB IP address):

107.150.48.235, xx.yy.zz.32 - - [31/Oct/2021:06:44:47 +0800] "POST /wp-login.php HTTP/1.1" 200 7221 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36"
207.154.254.58, xx.yy.zz.32 - - [31/Oct/2021:06:45:59 +0800] "POST /wp-login.php HTTP/1.1" 200 2077 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
208.113.186.18, xx.yy.zz.32 - - [31/Oct/2021:06:46:33 +0800] "POST /wp-login.php HTTP/1.1" 200 2073 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
95.216.208.32, xx.yy.zz.32 - - [31/Oct/2021:06:46:50 +0800] "POST /wp-login.php HTTP/1.1" 200 2075 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
192.187.118.206, xx.yy.zz.32 - - [31/Oct/2021:06:46:57 +0800] "GET /wp-login.php HTTP/1.1" 200 6823 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"
192.187.118.206, xx.yy.zz.32 - - [31/Oct/2021:06:47:08 +0800] "POST /wp-login.php HTTP/1.1" 200 7257 "-" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"
59.106.213.46, xx.yy.zz.32 - - [31/Oct/2021:06:47:15 +0800] "POST /wp-login.php HTTP/1.1" 200 2074 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
51.77.223.41, xx.yy.zz.32 - - [31/Oct/2021:06:47:30 +0800] "POST /wp-login.php HTTP/1.1" 200 2072 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"
128.199.245.21, xx.yy.zz.32 - - [31/Oct/2021:06:49:30 +0800] "POST /wp-login.php HTTP/1.1" 200 2078 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36"
35.184.158.235, xx.yy.zz.32 - - [31/Oct/2021:06:49:55 +0800] "POST /wp-login.php HTTP/1.1" 200 2072 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"
67.205.61.254, xx.yy.zz.32 - - [31/Oct/2021:06:50:53 +0800] "POST /wp-login.php HTTP/1.1" 200 2076 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36"
194.31.143.125, xx.yy.zz.32 - - [31/Oct/2021:06:51:07 +0800] "POST /wp-login.php HTTP/1.1" 200 2074 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
157.245.95.172, xx.yy.zz.32 - - [31/Oct/2021:06:51:28 +0800] "POST /wp-login.php HTTP/1.1" 200 2071 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
157.245.110.251, xx.yy.zz.32 - - [31/Oct/2021:06:52:18 +0800] "POST /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
116.255.160.108, xx.yy.zz.32 - - [31/Oct/2021:06:53:36 +0800] "POST /wp-login.php HTTP/1.1" 200 2072 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36"

Is there any proper Log Format for Apache 2.4 to fix this issue? We need to install fail2ban on the instance.

Thanks

1 REPLY

Hello,

This appears to be a known issue with Apache and not specific to GCE instances. It has been addressed on Server Fault: "In bugzilla, mod_remoteip fills in %a while it removes from %{X-Forwarded-For}i. So in a simple case with one trusted proxy, %a will hold the value you used to see in X-Forwarded-For because of mod_remoteip."
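The question's attempts and the reply above both come down to one point: no LogFormat string can recover the client address, because `%{X-Forwarded-For}i` is the raw header (hence the "client, LB" pairs) and `%a`/`%h` are the TCP peer (hence the LB address) until mod_remoteip rewrites the connection address. The following is an added example, not code from the thread or from Apache: it reproduces in Python the walk mod_remoteip performs to fill `%a`, renders the resulting log lines, and runs a fail2ban-style filter over them. The assumed Apache configuration is in the docstring; 203.0.113.32 is a constructed stand-in for the xx.yy.zz.32 LB address in the post, and all requests and log lines are constructed. The `RemoteIPInternalProxy` value must be the address Apache actually sees as the TCP peer (`%h`); on Google Cloud's proxy-based HTTP(S) load balancers that is Google's proxy source range (130.211.0.0/22 and 35.191.0.0/16 in the load balancer documentation), not the forwarding rule's address, so confirm it against `%h` in your own log.

```python
"""
Added example (not from the thread). Assumed Apache 2.4 vhost configuration
behind one trusted load balancer; 203.0.113.32 stands in for xx.yy.zz.32:

    LoadModule remoteip_module modules/mod_remoteip.so
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 203.0.113.32
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
"""
import ipaddress
import re
from collections import Counter
from typing import List, Optional

# Trust boundary: an X-Forwarded-For value is believed only when the TCP peer
# (%h) is one of these. Constructed stand-in for the LB in the post; for a
# proxy-based cloud LB list the range the proxies connect from (what %h shows).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.32/32")]
LB = "203.0.113.32"


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Reproduce the walk mod_remoteip performs to fill %a.

    Start from the TCP peer. While the current address is a trusted proxy, pop
    the rightmost X-Forwarded-For hop and adopt it; the first untrusted hop
    wins. A header presented by an untrusted peer is never consulted, so a
    client cannot choose the address that gets logged (and banned).
    """
    client = peer_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and is_trusted(client):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed hop: keep the last good address
        client = candidate
    return client


def access_log_line(peer: str, xff: Optional[str], request: str) -> str:
    """Render the start of the combined line Apache writes with %a first.
    Timestamp, status and size are constructed placeholders."""
    return (f'{resolve_client_ip(peer, xff)} - - [31/Oct/2021:06:44:47 +0800] '
            f'"{request}" 200 2072 "-" "Mozilla/5.0"')


# fail2ban-style filter. The equivalent failregex in a filter.d file would be:
#   ^<HOST> .* "POST /(wp-login\.php|xmlrpc\.php)
# The host group accepts one address only, so a line that starts with the raw
# two-value header ("client, lb") never matches at all.
WP_AUTH_RE = re.compile(
    r'^(?P<ip>[0-9a-fA-F.:]+) \S+ \S+ \[[^\]]+\] "POST /(?:wp-login\.php|xmlrpc\.php)\b'
)


def ban_candidates(log_lines: List[str], maxretry: int = 5) -> set:
    """Count login/XML-RPC POSTs per logged address; return those that reach
    maxretry, as a jail whose findtime spans these lines would."""
    hits = Counter()
    for line in log_lines:
        m = WP_AUTH_RE.match(line)
        if m:
            hits[m.group("ip")] += 1
    return {ip for ip, n in hits.items() if n >= maxretry}


# Constructed traffic: (TCP peer, X-Forwarded-For as received, request line).
SAMPLE_REQUESTS = [
    # brute force through the LB; the LB appended its own address after the client
    *[(LB, f"107.150.48.235, {LB}", "POST /wp-login.php HTTP/1.1") for _ in range(5)],
    # same attacker, supplying a forged first hop to frame 198.51.100.7
    (LB, f"198.51.100.7, 107.150.48.235, {LB}", "POST /xmlrpc.php HTTP/1.1"),
    # attacker reaching the instance directly, bypassing the LB, with a forged header
    ("192.0.2.99", "198.51.100.7", "POST /wp-login.php HTTP/1.1"),
    # ordinary page load
    (LB, f"192.187.118.206, {LB}", "GET /wp-login.php HTTP/1.1"),
]

# Constructed copy of the shape the post's %{X-Forwarded-For}i format produced.
RAW_XFF_LINE = ('107.150.48.235, 203.0.113.32 - - [31/Oct/2021:06:44:47 +0800] '
                '"POST /wp-login.php HTTP/1.1" 200 7221 "-" "Mozilla/5.0"')


def resolved_log() -> List[str]:
    return [access_log_line(peer, xff, req) for peer, xff, req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for line in resolved_log():
        print(line)
    print("would ban:", ban_candidates(resolved_log()))            # {'107.150.48.235'}
    print("raw-header lines:", ban_candidates([RAW_XFF_LINE] * 5))  # set()
```

Two things this makes visible. The forged hop 198.51.100.7 never reaches the log, and the direct connection is logged as its own peer, only because the trusted list is limited to the LB; a blanket `RemoteIPInternalProxy 0.0.0.0/0` would let any client choose the address fail2ban bans, both to evade the jail and to get a third party banned. Pair the mod_remoteip configuration with a firewall rule that lets only the LB reach the instance, otherwise the bypass path in the sample stays open to the attacker.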