Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set Network Policy geolocation limitations #2534

Closed
curtismchale opened this issue Mar 28, 2024 · 4 comments
Closed

Set Network Policy geolocation limitations #2534

curtismchale opened this issue Mar 28, 2024 · 4 comments
Assignees
@curtismchale
Labels
enhancement
Milestone
Account updates

Comments

@curtismchale
Copy link
Contributor

We should set NetworkPolicy limitations on who can even access my.proudcity.com and any variation of /wp-login.php. We should not have any access from outside the US (with an exemption for our single developer outside the US) to our login pages. Rejecting that would stop the type of credential stuffing attack we had to deal with on March 28 2024.

There are likely 2 layers with this.

Customer with Cloudflare

  • set a rate limiting rule so that Cloudflare blocks requests to /wp-login.php, /wp-admin.php from connecting at all if you're outside the US

Customer without Cloudflare

  • we should add Network Policies to reject any requests to those locations if you're not in the US or at our single allowed IP
@curtismchale curtismchale added this to the Account updates milestone Mar 28, 2024
@curtismchale
Copy link
Contributor Author

@kevindherman given that no one (outside of colma) should be connecting to wp-login.php I've managed to set a new .htaccess rule to forbid the traffic to /wp-login.php from any location. This is currently deployed on beta. Testing would be visiting https://beta.proudcity.com/wp-login.php and you should get a forbidden message.

Then use my.proudcity.com to login to beta and do some content stuff. You should be able to log in without issue and edit content.

On beta you will still need to use the standard auth login information to see the site first before getting the forbidden message.

While this doesn't fully stop/block remote IPs hitting the page it does stop them accessing anything much sooner in the server life so it will reduce impacts of any attack greatly. Ideally we'd block any IP that hits this page, but as we don't pass IPs through to Kubernetes properly I can't. We hit the same IP issue with #2377

If this is good we can roll it out tomorrow.

@curtismchale curtismchale self-assigned this Apr 3, 2024
@kevindherman
Copy link

Following @curtismchale's steps I got the block on /wp-login and then logged in from my.proudcity.com and successfully add new and edited existing content.

With the exception of Colma, seems good to go from my end.

@curtismchale curtismchale mentioned this issue Apr 4, 2024
Closed
@curtismchale
Copy link
Contributor Author

Deployed
Composer: https://github.com/proudcity/wp-proudcity/releases/tag/2024.04.04.0737
Build: https://github.com/proudcity/proud-recipes/releases/tag/2024.04.04.0737

@curtismchale
Copy link
Contributor Author

This wp-login.php block is activated inside the k8s deployment with the variable BLOCK_LOGIN it can be turned off by removing that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@curtismchale curtismchale

Labels
enhancement
Projects
ProudCity project board (public)
Status: Done
Milestone
Account updates
Development

No branches or pull requests
2 participants
@curtismchale @kevindherman