#28633 CDN or proxy server security exception

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Wednesday, 06 December 2017 17:17 CST

karendunne
On this site: http://worksglobal.net/
Admin Tools is returning the following message which I haven't seen before:

"Admin Tools detected security exceptions from 'private network' IP addresses. This usually means that there is a CDN or reverse proxy in front of your site. If this is a live site please enable the IP Workarounds option to fix this. If, however, you are running this site on your local computer or an Intranet you can safely ignore this message."

See screen shot: http://take.ms/sNKIx

Because I am not running a CDN or a reverse proxy, I wanted to check with you guys first to see what I should do.

dlb
IP addresses in the 192.168.xxx.xxx and 10.0.xxx.xxx ranges are private; they cannot be used on internet sites. They can only be used on internal networks. So if you have these IP addresses in your log, something isn't right. It could be that someone is spoofing the from IP address in the http header, but that's fairly sophisticated stuff. More likely your host is running a CDN, load balancer or CloudFlare in front of your web server. Between the CDN and your web server, the address would be a private address since they are in the same private network. Your host wouldn't necessarily advertise the fact that the extra server is there and it should be invisible to you.

The problem is that the private address is fixed and will trigger an auto ban pretty quickly and lock everybody out of your site. Since all traffic passes through the CDN, when it gets banned, everybody is banned. When you flip the setting for IP Workarounds, it changes the field in the http header that the from IP comes from and uses the real source IP instead of the CDN server address. This is not an attack or something to worry about, it is simply an administrative setup step.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

karendunne
Thank you Dale.

I did look at the logs and there was one security exception from an IP of 192.168.6.91 with a target URL to the admin.

The host says they are not running a CDN or reverse proxy or CloudFlare or load balancer.

One other unusual exception that I'm seeing is this one, which I'm not sure if it's related since it all looks foreign to me:

See screenshot: http://take.ms/2pkLN

Related, unrelated, nothing to worry about, or...?

dlb
Ah, that's a whole different can of worms. It has nothing to do with IP Workarounds. It is an attack on an older version of Joomla!, 3.4.5 and prior. Your up-to-date version of Joomla! is not vulnerable and Admin Tools is blocking it anyway. The attack works by spoofing the from IP address with executable code. The older versions of Joomla! could then be tricked into executing the code. We've seen a rash of these attacks over the last few weeks. It will not be successful on your site, so there's nothing to worry about.


Dale L. Brackin
Support Specialist



System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
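
An added example, not part of the ticket and not Admin Tools' own code: a sketch of the two behaviours discussed in the replies above, showing why every exception piles onto the proxy's private address until the forwarded client address is used, and why a forwarded value that is not a literal IP must be discarded. It assumes the proxy passes the client address in `X-Forwarded-For` and sits on an RFC 1918 network; the function names and sample events are constructed for illustration.

```python
import ipaddress
from collections import Counter

# RFC 1918 ranges: addresses that can only belong to an internal hop.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ip(value):
    """Return an address object, or None if value is not a literal IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def resolve_client_ip(remote_addr, forwarded_for=None, ip_workarounds=False):
    """Return (address, reason) for the IP a firewall should log and ban."""
    peer = parse_ip(remote_addr)
    if peer is None:
        raise ValueError("remote_addr is not an IP address")
    if not ip_workarounds or not forwarded_for:
        return str(peer), "peer"
    if not is_internal(peer):
        # A direct visitor can put anything in the header, so ignore it.
        return str(peer), "header ignored"
    # Right-most hops were appended by the proxies closest to the server.
    for hop in reversed(forwarded_for.split(",")):
        ip = parse_ip(hop)
        if ip is None:
            return str(peer), "header rejected"  # text, not an address
        if not is_internal(ip):
            return str(ip), "forwarded"
    return str(peer), "no public hop"

def count_exceptions(events, ip_workarounds):
    """Tally security exceptions per resolved address."""
    return Counter(resolve_client_ip(peer, xff, ip_workarounds)[0]
                   for peer, xff in events)

# Constructed sample: (connecting address, X-Forwarded-For value).
EVENTS = [
    ("192.168.6.91", "198.51.100.23"),
    ("192.168.6.91", "198.51.100.23, 10.0.0.5"),
    ("192.168.6.91", "203.0.113.80"),
    ("192.168.6.91", "<text that is not an IP>"),
    ("198.51.100.99", "10.0.0.1"),
]
```

With the workaround off, `count_exceptions(EVENTS, False)` attributes four of the five exceptions to the single private address, which is the situation that leads to a site-wide auto ban; with it on, they are spread across the real client addresses and the non-IP header is never used as an address.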
