Re: [mod-security-users] Modsecurity remote address issue
Brought to you by:
victorhora,
zimmerletw
From: Brian R. <Bri...@br...> - 2007-04-27 17:29:48
|
Russ Lavoie wrote: > The the d/ was me editing and I fat fingered it. > > The loadbalancer is 172.30.35.26 (which is not listed in any of the > logs). > > The IP 121.1.188.240 and 90.230.73.134 were supposed to be me but those > aren't even in our range here. The only place where it has my actual IP > was in the actual alert in modsecurity console under the NS_FORWARD > address which is not listed below (security and such). But I guarantee > that IP is no were in the access or error logs after the code > modification. It looks like it is pulling some random pass IP that hit > this server at one time or another and associated it with the rule that > I triggered. Hmm, the 121 address is Japan and the 90 is Sweden. Any of those you country? Do you see those IPs in the access log for another request? Your site have a transparent proxy? Or you have some plugin in your browser for anon proxy or such? What Apache version? What Platform/OS? What MPM are you using? X-Forwarded-For header is in this format: X-Forwarded-For: proxyip1, proxyip2, ..., proxyipN, realip So, NS_FORWARD is the realip value, correct? As in: NS_FORWARD: realip Thanks, -B -- Brian Rectanus Breach Security |