
I run a Google App Engine app that has a honeypot admin page to distract from the real admin login page. A while ago I started getting repeated emails saying that someone was trying to log in on the honeypot page. I blocked the IP in question, but then I started seeing it for a new IP.

I've since blocked that one as well in the firewall rules section of Google App Engine:

(screenshot: Firewall rules)

I've tested the IPs in firewall rules and they are getting denied. However, I'm still receiving emails saying this IP is trying to log in to the honeypot admin. To do that, they have to be able to reach the page in the first place, then submit the form, which they shouldn't be able to do.

What else can I look at and do to resolve this?

Update:

I've just done some further testing by attempting to log in to the fake page myself, and it appears that all login attempts are coming through as 172.17.0.6, so it must be an infrastructure-related IP.

I am assuming that is why the IP is not blocked by the firewall. I've done a bit of a deep dive into the code for the honeypot site (which I'm not the author of), and it appears the IP address is obtained by ip_address=self.request.META.get('REMOTE_ADDR').

How might this be rectified?

alstr
  • Those are RFC 1918 private IP addresses. You should look first at whether your own application is trying to connect to itself. That range is also the default private IP address range for Docker containers. Do you have a Docker container generating this traffic? – Michael Hampton Jun 15 '20 at 20:46
  • I saw that when looking up the IPs, but as far as I can tell they are not coming from any site-related infrastructure. The site does have a custom runtime via a Dockerfile. The main reason I doubt it is internal traffic is that the emails I get telling me someone is trying to log in from this IP show the usernames that are being entered (admin, for example) and it seems like an attempt to log in. – alstr Jun 15 '20 at 21:00
  • Has one of your containers been compromised? It could be someone trying to break out of it. – Michael Hampton Jun 15 '20 at 21:04
  • There is no evidence to suggest that. It seems like a very automated (i.e., bot-like) process. I get 50 or so of these messages over the course of a few minutes, usually early in the morning UK time, then nothing for hours or days. – alstr Jun 16 '20 at 08:20

1 Answer


You need to get the IP using HTTP_X_FORWARDED_FOR, as is explained here. This is because the request is forwarded to the App Engine instance. I really think that you are pulling the App Engine load balancer IP or another internal IP (for security purposes, some headers are sanitized or amended by intermediate proxies before they reach the application), and for this reason you cannot block this one (Client IP -> Firewall rule -> IP sanitized (that is the one that you are blocking) -> Instance), since the IP that you are getting in the method is not the real IP that is calling your app.

Another way to verify the IP is in Stackdriver Logging: search for the request, and the IP is in the IP field :) I really hope that this information helps you.

Andie Vanille
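One way to implement what the answer describes, as an added example that is not from the original post or from either poster: a helper for a Django-style request.META dict that reads the client address from X-Forwarded-For only when the TCP peer (REMOTE_ADDR) is one of our own proxies, and only from the entries that trusted hops appended, so a header the client sent itself cannot spoof the address. Everything configurable here is an assumption for the example: the trusted proxy ranges, the hop count of 2 (assuming the App Engine flexible front end appends "<client>, <forwarding-rule IP>"), and the sample requests, which use documentation address ranges rather than real traffic. Confirm the real header layout from the request logs before relying on the hop count.

```python
import ipaddress

# Assumption for this example: peers in these ranges are our own proxy tier
# (the Docker bridge the custom-runtime container sits on, and RFC 1918 space
# used by the platform). Any other peer is treated as a direct client.
TRUSTED_PROXY_NETS = (
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("10.0.0.0/8"),
)

# Assumption: the App Engine front end appends two entries to X-Forwarded-For,
# "<client>, <forwarding-rule IP>". The client is therefore the 2nd entry from
# the right; anything further left was sent by the client and can be forged.
TRUSTED_HOPS = 2


def _parse_ip(value):
    """Return an ip_address object, or None if value is not a valid address."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr):
    """True if addr falls inside one of the proxy ranges we control."""
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip(meta, trusted_hops=TRUSTED_HOPS):
    """Best-effort real client address from a Django-style request.META dict.

    REMOTE_ADDR is the TCP peer; behind a proxy that is the proxy itself
    (172.17.0.6 in the question). X-Forwarded-For is only credible for the
    entries appended by proxies we control, so we take the trusted_hops-th
    entry from the right and never the leftmost one.
    """
    remote = meta.get("REMOTE_ADDR", "")
    if not is_trusted_proxy(remote):
        # Direct connection: no trusted hop could have set the header,
        # so a client-supplied X-Forwarded-For is ignored outright.
        return remote
    raw = meta.get("HTTP_X_FORWARDED_FOR", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if len(entries) < trusted_hops:
        # Header absent or shorter than the proxy chain: fall back to the
        # peer address rather than trusting whatever is there.
        return remote
    candidate = entries[-trusted_hops]
    return candidate if _parse_ip(candidate) else remote


def is_blocked(meta, blocklist, trusted_hops=TRUSTED_HOPS):
    """Application-side deny check using the extracted client address."""
    return client_ip(meta, trusted_hops) in blocklist


# Constructed sample requests (documentation address ranges; not real traffic).
DIRECT_REQUEST = {          # no proxy; the client tries to forge the header
    "REMOTE_ADDR": "203.0.113.5",
    "HTTP_X_FORWARDED_FOR": "198.51.100.99",
}
PROXIED_REQUEST = {         # what the container sees behind the front end
    "REMOTE_ADDR": "172.17.0.6",
    "HTTP_X_FORWARDED_FOR": "198.51.100.23, 192.0.2.10",
}
SPOOFED_PREFIX_REQUEST = {  # same client, but it sent its own XFF entry first
    "REMOTE_ADDR": "172.17.0.6",
    "HTTP_X_FORWARDED_FOR": "192.0.2.77, 198.51.100.23, 192.0.2.10",
}
NO_HEADER_REQUEST = {       # internal caller, e.g. a health check
    "REMOTE_ADDR": "172.17.0.6",
}

BLOCKLIST = {"198.51.100.23"}


def demo():
    """Return the address the honeypot should log for each sample request."""
    return {
        "direct": client_ip(DIRECT_REQUEST),
        "proxied": client_ip(PROXIED_REQUEST),
        "spoofed_prefix": client_ip(SPOOFED_PREFIX_REQUEST),
        "no_header": client_ip(NO_HEADER_REQUEST),
        # REMOTE_ADDR alone never matches the blocklist, which is why the
        # honeypot in the question keeps reporting the proxy address.
        "blocked_by_remote_addr": PROXIED_REQUEST["REMOTE_ADDR"] in BLOCKLIST,
        "blocked_by_client_ip": is_blocked(PROXIED_REQUEST, BLOCKLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The spoofed-prefix case is the one to note: a bot can put any value at the front of X-Forwarded-For, so code that takes the first entry will log (and block) whatever the attacker chooses. Counting from the right over the hops you actually control is what makes the header usable. The platform firewall still filters on the edge address before the request reaches the container, so the in-app check is a complement to it, not a replacement, and its main value here is that the honeypot email finally reports the address the firewall rule needs.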