Automattic IP Ranges: offer IP list via API endpoint. #1719

Open
MarceloPedra opened this Issue Mar 7, 2015 · 16 comments

MarceloPedra commented Mar 7, 2015

Hello guys. I was under a heavy xmlrpc attack, and had to block access to xmlrpc.php using the iThemes Security plugin. But to allow JetPack to work in the meantime, I allowed this IP range:

<files xmlrpc.php>
    # "Order deny,allow": Deny directives are evaluated first, then Allow
    # directives override them, so the listed range gets through and everyone
    # else is refused. (With "Order allow,deny" the "Deny from all" would be
    # evaluated last and win, blocking Jetpack as well.)
    Order deny,allow
    Deny from all
    Allow from 192.0.64.0/18
</files>

My question is: is there any other IP range that should be allowed for JetPack to work properly?

Thank you!

georgestephanis (Member) commented Mar 7, 2015

Our list of IP ranges does change, so I really couldn't recommend whitelisting. Nearly all of our requests do come in with the ?for=jetpack GET string on the end.

Plus, you can use the add_filter( 'xmlrpc_enabled', '__return_false' ); filter to turn off XML-RPC from within WordPress safely without negatively affecting Jetpack.

jeherve (Member) commented Mar 7, 2015

Here are the IPs you can use:
http://whois.arin.net/rest/org/AUTOM-93/nets
You'll also need to add 185.64.140.0/22 and a04:fa80::/29 to the list.

Overall, we don't suggest this approach since our IP block will change over time, changing the possible IP addresses and this would prevent any of the mobile apps or other desktop clients from working.

Alternatively, Jetpack requests are routed to /xmlrpc.php?for=jetpack , so matching that string and allowing that is another option. Jetpack has protocols in place to only accept incoming requests that have been signed by our servers.

I believe iThemes Security includes an option to block XML-RPC pingback requests only. Since this is the most common vector of attack to XML-RPC today, you could block only that while still allowing other XML-RPC requests from plugins and mobile apps.
You can also use this plugin to disable XML-RPC pingback requests:
https://wordpress.org/plugins/disable-xml-rpc-pingback/

@jeherve jeherve closed this Mar 7, 2015
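The "match the ?for=jetpack string" option from the comment above, written out as an Apache rule. This is an added example for this page, not Jetpack's or Automattic's configuration; it assumes Apache 2.4's `<If>` expression syntax (with a mod_rewrite fallback for 2.2 or hosts where `<If>` is unavailable) and that Jetpack's requests carry `for=jetpack` in the query string as described above.

```apache
# Added example, not from the thread or from Jetpack.
# Apache 2.4 (.htaccess or vhost): refuse every request to xmlrpc.php unless
# the query string carries for=jetpack as a whole key=value pair, e.g.
#   /xmlrpc.php?for=jetpack   or   /xmlrpc.php?foo=1&for=jetpack
# Everything else on the site is untouched.
<If "%{REQUEST_URI} =~ m#^/xmlrpc[.]php$# && %{QUERY_STRING} !~ /(^|&)for=jetpack(&|$)/">
    Require all denied
</If>

# Equivalent for Apache 2.2 or hosts without <If>, via mod_rewrite.
# Use one of the two forms, not both.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/xmlrpc\.php$
RewriteCond %{QUERY_STRING} !(^|&)for=jetpack(&|$)
RewriteRule ^ - [F]

# Caveat: for=jetpack is an ordinary query parameter, not a secret. Anyone
# can append it, so this only turns away the mass pingback / brute-force
# scanners that hit /xmlrpc.php bare. The request-signature check Jetpack
# performs on its side is what actually authenticates the call.
```

To check the rule after deploying it, request `/xmlrpc.php` with and without `?for=jetpack`: the bare URL should return 403, while the one with the parameter should reach WordPress (which answers a GET with its "accepts POST requests only" message rather than 403).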

Jany-M commented Feb 15, 2017

@jeherve I'm not too good at regex, could you maybe share a snippet to effectively match the string, so I can also use that method, rather than IPs?

jeherve (Member) commented Feb 15, 2017

Jany-M commented Feb 16, 2017

@jeherve I think the link only helps with IP ranges, am I mistaken? I meant a snippet to match the /xmlrpc.php?for=jetpack string, or anything jetpack related (or even WP API related), you think should be allowed.

jeherve (Member) commented Feb 16, 2017

I think the link only helps with IP ranges, am I mistaken?

That's correct.

Overall, we don't recommend that approach though. You can check a possible alternative in my comment above.

kymc commented Apr 11, 2017

How about a dynamic endpoint somewhere that could be polled? With this, everyone could programmatically maintain their whitelists.. 👌

jeherve (Member) commented Apr 19, 2017

I like that idea. That's not on our roadmap right now, but I'll reopen that issue so we can go back to it later.

@jeherve jeherve reopened this Apr 19, 2017

@jeherve jeherve changed the title from "What IP ranges should be whitelisted when blocking xmlrpc.php?" to "Automattic IP Ranges: offer IP list via API endpoint." Apr 19, 2017

MarceloPedra commented Jun 13, 2017

Hi! Any news on this request?

Retriev3r commented Sep 13, 2017

@MarceloPedra
Here are the new addresses (2017) to block all XML-RPC requests and allow only Jetpack (WordPress.com); this also works with your website behind Cloudflare.

<files xmlrpc.php>
    Order deny,allow
    Deny from all

    # Whitelist Jetpack / Automattic CIDR IP Address Blocks (source: http://whois.arin.net/rest/org/AUTOM-93/nets )
    Allow from 192.0.64.0/18
    Allow from 185.64.140.0/22
    Allow from 76.74.255.0/25
    Allow from 76.74.248.128/25
    Allow from 198.181.116.0/24
    Allow from 64.34.206.0/24
    Allow from 2620:115:C000::/40
    Allow from 122.248.245.244
    Allow from 54.217.201.243
    Allow from 54.232.116.4

    # Whitelist Cloudflare CIDR IP Address Blocks (source: https://www.cloudflare.com/ips/ )
    Allow from 103.21.244.0/22
    Allow from 103.22.200.0/22
    Allow from 103.31.4.0/22
    Allow from 104.16.0.0/12
    Allow from 108.162.192.0/18
    Allow from 131.0.72.0/22
    Allow from 141.101.64.0/18
    Allow from 162.158.0.0/15
    Allow from 172.64.0.0/13
    Allow from 173.245.48.0/20
    Allow from 188.114.96.0/20
    Allow from 190.93.240.0/20
    Allow from 197.234.240.0/22
    Allow from 198.41.128.0/17
</files>
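One thing to be aware of with the Cloudflare section of a list like the one above: when the site sits behind Cloudflare, every request, including an attacker's, reaches Apache from a Cloudflare edge address, so "Allow from <Cloudflare ranges>" lets any visitor at xmlrpc.php, not just Jetpack. The configuration below is an added example for this page, not Retriev3r's or Jetpack's; it assumes Apache 2.4 with mod_remoteip loaded, that Cloudflare sets the `CF-Connecting-IP` header, and that the ranges (copied from the lists in this thread) are refreshed from the cited sources before use. The `RemoteIP*` directives must go in the server or virtual-host configuration, not in `.htaccess`.

```apache
# Added example, not from the thread, Jetpack or Automattic.
# Server / vhost context: recover the real client address from the header
# Cloudflare adds, but only when the connection really comes from a
# Cloudflare edge. Requests that hit the origin directly cannot spoof it.
RemoteIPHeader CF-Connecting-IP
# Cloudflare edge ranges (https://www.cloudflare.com/ips/); refresh before use
RemoteIPTrustedProxy 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12
RemoteIPTrustedProxy 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15
RemoteIPTrustedProxy 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20
RemoteIPTrustedProxy 197.234.240.0/22 198.41.128.0/17

# Directory / .htaccess context: "Require ip" is evaluated against the client
# address mod_remoteip recovered, so Cloudflare itself is no longer on the
# list and only the Automattic ranges get through.
<Files "xmlrpc.php">
    # Automattic ranges as listed in this thread; verify against ARIN first
    Require ip 192.0.64.0/18 185.64.140.0/22 198.181.116.0/22
    Require ip 76.74.248.128/25 76.74.255.0/25 64.34.206.0/24
    Require ip 2620:115:c000::/40
</Files>
```

With this in place, a request proxied by Cloudflare from an arbitrary visitor is attributed to that visitor's address and refused, while one from an Automattic address is allowed. Using `RemoteIPTrustedProxy` rather than trusting the header unconditionally is what keeps a direct-to-origin request from claiming an Automattic source IP.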

tfpdeveloper commented Feb 8, 2018

What's the status of this issue ?

As IP range might change over time, any doable solution to block all xml-rpc requests except from automattic?

jeherve (Member) commented Feb 8, 2018

What's the status of this issue ?

We have not made any progress on this, but will update this issue when we do.

CurtisBelt commented Mar 20, 2018

Looks like the IPs have changed a bit, just posting in case anyone was about to copy from the other list.

Only way to know for sure is to go to http://whois.arin.net/rest/org/AUTOM-93/nets
Then use a converter with the bulk range -> CIDR, such as https://www.cidrcalculator.com/

Automattic CIDR ranges as of March 20th 2018

192.0.64.0/18
198.181.116.0/22
2001:1978:1e00:3::/64
2620:115:c000::/40
64.34.206.0/24
66.155.105.128/26
69.90.253.0/24
76.74.248.128/25
76.74.255.0/25

Cloudflare offers dynamic plain text endpoints here:

https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6

+1 to Automattic getting something like this! Thanks.
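The manual step in the comment above (fetch the org's nets from ARIN, turn each start/end range into CIDR blocks, paste them as Allow lines) is easy to script. The following is an added example written for this page in Python, not Automattic's or Jetpack's code. The ARIN XML embedded in it is a constructed sample, and the assumption that the `netRef` elements carry `startAddress` and `endAddress` attributes should be checked against a live response before relying on it. It goes slightly beyond the comment by also splitting non-aligned ranges into several blocks and merging overlapping ones.

```python
"""Turn start/end IP ranges into CIDR blocks and Apache 'Allow from' lines.

Added example for this thread, not Automattic/Jetpack code.  The XML below
is a constructed sample in the shape of an ARIN REST "nets" listing; the
netRef startAddress/endAddress attribute names are an assumption to verify
against a live http://whois.arin.net/rest/org/<handle>/nets response.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (assumed shape of ARIN's listing; not real output).
SAMPLE_ARIN_XML = """<?xml version="1.0"?>
<nets xmlns="http://www.arin.net/whoisrws/core/v1">
  <netRef startAddress="192.0.64.0" endAddress="192.0.127.255" name="AUTOMATTIC"/>
  <netRef startAddress="198.181.116.0" endAddress="198.181.119.255" name="AUTOMATTIC"/>
  <netRef startAddress="2620:115:c000::" endAddress="2620:115:c0ff:ffff:ffff:ffff:ffff:ffff" name="AUTOMATTIC-V6"/>
</nets>
"""


def parse_arin_nets(xml_text):
    """Return (start, end) address pairs from <netRef> elements, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    pairs = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "netRef" and "startAddress" in el.attrib:
            pairs.append((el.attrib["startAddress"], el.attrib["endAddress"]))
    return pairs


def ranges_to_cidrs(ranges):
    """Convert (start, end) pairs to the minimal list of CIDR networks.

    A range that is not CIDR-aligned becomes several blocks; duplicate or
    overlapping ranges are merged.  IPv4 blocks are returned first, then IPv6,
    each group sorted.  Raises ValueError on a reversed or mixed-family range.
    """
    nets = []
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"malformed range {start}-{end}")
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    by_version = {4: [], 6: []}
    for n in nets:
        by_version[n.version].append(n)
    out = []
    for v in (4, 6):
        out.extend(sorted(ipaddress.collapse_addresses(by_version[v])))
    return out


def apache_allow_lines(networks, label="Automattic"):
    """Render networks as the 'Allow from' lines used inside <files xmlrpc.php>."""
    return [f"    # {label}"] + [f"    Allow from {n}" for n in networks]


if __name__ == "__main__":
    cidrs = ranges_to_cidrs(parse_arin_nets(SAMPLE_ARIN_XML))
    print("<files xmlrpc.php>")
    print("    Order deny,allow")
    print("    Deny from all")
    print("\n".join(apache_allow_lines(cidrs)))
    print("</files>")
```

Swap the constructed sample for the body of a real ARIN response (and fold in any blocks registered outside ARIN, such as the RIPE range mentioned earlier in the thread) and the script regenerates the allow list in one step whenever the ranges change.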

pipdig commented Mar 21, 2018

+1 A plaintext file like Cloudflare would be extremely useful for automation

stale bot commented Sep 17, 2018

This issue has been marked as stale. This happened because:

  • It has been inactive in the past 6 months.
  • It hasn’t been labeled `[Pri] Blocker`, `[Pri] High`.

No further action is needed. But it's worth checking if this ticket has clear reproduction steps and it is still reproducible. Feel free to close this issue if you think it's not valid anymore — if you do, please add a brief explanation.

@stale stale bot added the [Status] Stale label Sep 17, 2018

neonardo1 commented Jan 4, 2019

This would be extremely beneficial to hosts trying to help their customers.

@stale stale bot removed the [Status] Stale label Jan 4, 2019
