Automattic IP Ranges: offer IP list via API endpoint. #1719

Closed
MarceloPedra opened this issue Mar 7, 2015 · 21 comments

Comments

@MarceloPedra MarceloPedra commented Mar 7, 2015

Hello guys. I was under a heavy xmlrpc attack, and had to block access to xmlrpc.php using the iThemes Security plugin. But to allow JetPack to work in the meantime, I allowed this IP range:

```apache
<Files xmlrpc.php>
    # With "Order allow,deny", "Deny from all" overrides every Allow and blocks
    # everything; "deny,allow" is the order that lets the allowlist take effect.
    Order deny,allow
    Deny from all
    Allow from 192.0.64.0/18
</Files>
```

My question is: is there any other IP range that should be allowed for JetPack to work properly?

Thank you!

@georgestephanis georgestephanis (Member) commented Mar 7, 2015

Our list of IP ranges does change, so I really couldn't recommend whitelisting. Nearly all of our requests do come in with the ?for=jetpack GET string on the end.

Plus, you can use the add_filter( 'xmlrpc_enabled', '__return_false' ); filter to turn off xmlrpc from within WordPress safely without negatively affecting Jetpack.

@jeherve jeherve (Member) commented Mar 7, 2015

Here are the IPs you can use:
http://whois.arin.net/rest/org/AUTOM-93/nets
You'll also need to add 185.64.140.0/22 and a04:fa80::/29 to the list.

Overall, we don't suggest this approach since our IP block will change over time, changing the possible IP addresses and this would prevent any of the mobile apps or other desktop clients from working.

Alternatively, Jetpack requests are routed to /xmlrpc.php?for=jetpack, so matching that string and allowing that is another option. Jetpack has protocols in place to only accept incoming requests that have been signed by our servers.

I believe iThemes Security includes an option to block XML-RPC pingback requests only. Since this is the most common vector of attack to XML-RPC today, you could block only that while still allowing other XML-RPC requests from plugins and mobile apps.
You can also use this plugin to disable XML-RPC pingback requests:
https://wordpress.org/plugins/disable-xml-rpc-pingback/
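
As an added example (not code from this thread, from Jetpack or from iThemes Security), the following Python script runs over a few constructed Apache access-log lines and sorts xmlrpc.php requests by whether they carry the ?for=jetpack marker and whether the source address falls inside an Automattic range. The two ranges and the log lines are assumed sample values, not the current list. It makes the point above concrete from the defender's side: the query string on its own proves nothing about origin, so a log review should distinguish marker-only requests from unknown addresses, requests from in-range addresses, and everything else (pingbacks, mobile apps, scanners) before deciding which of the options in this thread to apply.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Automattic ranges for this example. The live list is at
# http://whois.arin.net/rest/org/AUTOM-93/nets and changes over time, so a real
# deployment must refresh it rather than hard-code it.
AUTOMATTIC_RANGES = [
    ipaddress.ip_network("192.0.64.0/18"),
    ipaddress.ip_network("185.64.140.0/22"),
]

# Apache "combined" log format; only the client IP, method, request target and
# status are captured because that is all the classification needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (RFC 5737 documentation addresses for the
# non-Automattic clients); not taken from any real server.
SAMPLE_LOG = """\
192.0.64.12 - - [07/Mar/2015:10:00:01 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [07/Mar/2015:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 341 "-" "-"
198.51.100.7 - - [07/Mar/2015:10:00:03 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 341 "-" "-"
203.0.113.9 - - [07/Mar/2015:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "-"
"""


def from_automattic(ip_str):
    """True if the client address falls inside one of the known Automattic ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in AUTOMATTIC_RANGES)


def classify(line):
    """Label one log line, or return None when it is not an xmlrpc.php request.

    Labels:
      jetpack        ?for=jetpack and the source IP is in an Automattic range
      marker-only    ?for=jetpack but the source IP is not; the query string is
                     trivially forgeable, so only the IP (or Jetpack's own
                     request signature) says anything about origin
      other-xmlrpc   any other xmlrpc.php request (pingbacks, apps, scanners)
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith("/xmlrpc.php"):
        return None
    claims_jetpack = parse_qs(target.query).get("for") == ["jetpack"]
    if claims_jetpack and from_automattic(m.group("ip")):
        return "jetpack"
    if claims_jetpack:
        return "marker-only"
    return "other-xmlrpc"


def summarize(log_text):
    """Count xmlrpc.php requests per label across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        label = classify(line)
        if label is not None:
            counts[label] += 1
    return dict(counts)


def top_xmlrpc_sources(log_text, limit=5):
    """Source IPs issuing the most xmlrpc.php requests, for spotting a flood."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and classify(line) is not None:
            per_ip[m.group("ip")] += 1
    return per_ip.most_common(limit)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(top_xmlrpc_sources(SAMPLE_LOG))
```

Run as a script it prints the per-label counts and the busiest xmlrpc.php sources; on a real server, feed it the access log instead of SAMPLE_LOG and refresh AUTOMATTIC_RANGES from the ARIN listing before trusting the "jetpack" label.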

@jeherve jeherve closed this Mar 7, 2015
@Jany-M Jany-M commented Feb 15, 2017

@jeherve I'm not too good at regex, could you maybe share a snippet to effectively match the string, so I can also use that method, rather than IPs?

@jeherve jeherve (Member) commented Feb 15, 2017

@Jany-M Jany-M commented Feb 16, 2017

@jeherve I think the link only helps with IP ranges, am I mistaken? I meant a snippet to match the /xmlrpc.php?for=jetpack string, or anything jetpack related (or even WP API related), you think should be allowed.

@jeherve jeherve (Member) commented Feb 16, 2017

I think the link only helps with IP ranges, am I mistaken?

That's correct.

Overall, we don't recommend that approach though. You can check a possible alternative in my comment above.

@kymc kymc commented Apr 11, 2017

How about a dynamic endpoint somewhere that could be polled? With this, everyone could programmatically maintain their whitelists.. 👌

@jeherve jeherve (Member) commented Apr 19, 2017

I like that idea. That's not on our roadmap right now, but I'll reopen that issue so we can go back to it later.

@jeherve jeherve reopened this Apr 19, 2017
@jeherve jeherve changed the title What IP ranges should be whitelisted when blocking xmlrpc.php? Automattic IP Ranges: offer IP list via API endpoint. Apr 19, 2017
@MarceloPedra MarceloPedra (Author) commented Jun 13, 2017

Hi! Any news on this request?

@Retriev3r Retriev3r commented Sep 13, 2017

@MarceloPedra
Here are the new addresses (2017) to block all XMLRPC requests and allow only Jetpack (WordPress.com), also working with your website behind Cloudflare.

```apache
<files xmlrpc.php>
    Order deny,allow
    Deny from all

    # Whitelist Jetpack / Automattic CIDR IP Address Blocks (source: http://whois.arin.net/rest/org/AUTOM-93/nets )
    Allow from 192.0.64.0/18
    Allow from 185.64.140.0/22
    Allow from 76.74.255.0/25
    Allow from 76.74.248.128/25
    Allow from 198.181.116.0/24
    Allow from 64.34.206.0/24
    Allow from 2620:115:C000::/40
    Allow from 122.248.245.244
    Allow from 54.217.201.243
    Allow from 54.232.116.4

    # Whitelist Cloudflare CIDR IP Address Blocks (source: https://www.cloudflare.com/ips/ )
    Allow from 103.21.244.0/22
    Allow from 103.22.200.0/22
    Allow from 103.31.4.0/22
    Allow from 104.16.0.0/12
    Allow from 108.162.192.0/18
    Allow from 131.0.72.0/22
    Allow from 141.101.64.0/18
    Allow from 162.158.0.0/15
    Allow from 172.64.0.0/13
    Allow from 173.245.48.0/20
    Allow from 188.114.96.0/20
    Allow from 190.93.240.0/20
    Allow from 197.234.240.0/22
    Allow from 198.41.128.0/17
</files>
```

@tfpdeveloper tfpdeveloper commented Feb 8, 2018

What's the status of this issue?

As the IP range might change over time, is there any doable solution to block all XML-RPC requests except those from Automattic?

@jeherve jeherve (Member) commented Feb 8, 2018

What's the status of this issue?

We have not made any progress on this, but will update this issue when we do.

@curtisbelt curtisbelt commented Mar 20, 2018

Looks like the IPs have changed a bit, just posting in case anyone was about to copy from the other list.

The only way to know for sure is to go to http://whois.arin.net/rest/org/AUTOM-93/nets
and then use a bulk range -> CIDR converter, such as https://www.cidrcalculator.com/

Automattic CIDR ranges as of March 20th 2018

192.0.64.0/18
198.181.116.0/22
2001:1978:1e00:3::/64
2620:115:c000::/40
64.34.206.0/24
66.155.105.128/26
69.90.253.0/24
76.74.248.128/25
76.74.255.0/25

Cloudflare offers dynamic plain text endpoints here:

https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6

+1 to Automattic getting something like this! Thanks.

@pipdig pipdig commented Mar 21, 2018

+1 A plaintext file like Cloudflare would be extremely useful for automation

@stale stale bot commented Sep 17, 2018

This issue has been marked as stale. This happened because:

  • It has been inactive in the past 6 months.
  • It hasn’t been labeled `[Pri] Blocker`, `[Pri] High`.

No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.

@stale stale bot added the [Status] Stale label Sep 17, 2018
@neonardo1 neonardo1 commented Jan 4, 2019

This would be extremely beneficial to hosts trying to help their customers.

@stale stale bot removed the [Status] Stale label Jan 4, 2019
@stephengroat-dd stephengroat-dd commented Mar 26, 2019

In case anyone's interested, I made a little script that pulls the IP addresses using ARIN's API: stephengroat/clacl@bb0874f

@stale stale bot commented Sep 22, 2019

This issue has been marked as stale. This happened because:

  • It has been inactive in the past 6 months.
  • It hasn’t been labeled `[Pri] Blocker`, `[Pri] High`.

No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.

@mjangda mjangda (Member) commented Feb 11, 2020

This page includes details about IPs: https://jetpack.com/support/hosting-faq/

And also mentions two endpoints that can be used:

https://jetpack.com/ips-v4.json
https://jetpack.com/ips-v4.txt

The caveat noted on the page is important:

These IP addresses are subject to change. If you are writing IP-based firewall rules, you’ll need to update those rules any time the addresses change.
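
As an added example (not Jetpack's own tooling and not from anyone in this thread), the following Python script turns a plain-text IP list in the one-CIDR-per-line shape of https://jetpack.com/ips-v4.txt into the <Files xmlrpc.php> allowlist used earlier in the thread, in both Apache 2.2 (Order/Deny/Allow) and Apache 2.4 (Require ip) syntax. It validates every entry and refuses to apply an update that would empty or drastically shrink the allowlist, which is the caveat quoted above expressed as a check: a failed or truncated download must not become a rule set that locks Jetpack out. The inline sample list is constructed, and the exact file format of the published endpoint is assumed to be one block per line.

```python
import ipaddress
import sys
import urllib.request

# Real endpoint named in the thread; it is only contacted when run as a script.
IPS_V4_URL = "https://jetpack.com/ips-v4.txt"

# Constructed sample in the assumed one-CIDR-per-line shape of the plain-text
# list. These values are illustrative, not the currently published list.
SAMPLE_IPS_V4_TXT = """\
192.0.64.0/18
185.64.140.0/22
198.181.116.0/22
"""


def parse_ip_list(text):
    """Parse one CIDR block per line, ignoring blank lines and '#' comments.

    strict=True rejects a block whose host bits are set and anything that is
    not a CIDR at all, so a corrupted download or an HTML error page raises
    ValueError instead of silently becoming an allowlist.
    """
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def safe_to_apply(old_nets, new_nets, max_shrink=0.5):
    """Refuse an update that would wipe out or drastically shrink the allowlist.

    An empty list, or one smaller than max_shrink of the previous size, is
    treated as a suspect download rather than a genuine change of ranges.
    """
    if not new_nets:
        return False
    if old_nets and len(new_nets) < len(old_nets) * max_shrink:
        return False
    return True


def render_apache22(nets, filename="xmlrpc.php"):
    """Apache 2.2 style allowlist (Order/Deny/Allow), as used in this thread."""
    lines = [f"<Files {filename}>", "    Order deny,allow", "    Deny from all"]
    lines += [f"    Allow from {net.with_prefixlen}" for net in nets]
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


def render_apache24(nets, filename="xmlrpc.php"):
    """Apache 2.4 style allowlist; a request matching no Require ip is denied."""
    lines = [f"<Files {filename}>", "    <RequireAny>"]
    lines += [f"        Require ip {net.with_prefixlen}" for net in nets]
    lines += ["    </RequireAny>", "</Files>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python jetpack_allowlist.py [previous-ips-v4.txt] > xmlrpc-allow.conf
    # The optional argument is the last list that was applied, used for the
    # shrink check; the rendered config goes to stdout.
    previous = []
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            previous = parse_ip_list(fh.read())
    with urllib.request.urlopen(IPS_V4_URL, timeout=10) as resp:
        current = parse_ip_list(resp.read().decode("utf-8"))
    if not safe_to_apply(previous, current):
        sys.exit("refusing to apply a suspicious IP list; keeping the old rules")
    sys.stdout.write(render_apache22(current))
```

Scheduled from cron, the script only ever replaces the rules when the fetched list parses cleanly and is not drastically smaller than the last one; pick render_apache24 instead of render_apache22 on Apache 2.4, where the Order/Allow/Deny directives are provided only by the legacy mod_access_compat.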

@mjangda mjangda closed this Feb 11, 2020
@neonardo1 neonardo1 commented Feb 12, 2020

Thank you!

@iamkingsleyf iamkingsleyf commented Mar 7, 2020

This is confusing
