Automattic IP Ranges: offer IP list via API endpoint.

[MarceloPedra]

Hello guys. I was under a heavy xmlrpc attack, and had to block access to xmlrpc.php using the iThemes Security plugin. But to allow JetPack to work in the meantime, I allowed this IP range:

<files xmlrpc.php>
    Order allow,deny
    Deny from all
    Allow from 192.0.64.0/18
</files>

My question is: is there any other IP range that should be allowed for JetPack to work properly?

Thank you!

[georgestephanis]

Our list of IP ranges do change, so I really couldn't recommend whitelisting. Nearly all of our requests do come in with the ?for=jetpack get string on the end.

Plus, you can use the add_filter( 'xmlrpc_enabled', '__return_false' ); filter to turn off xmlrpc from with WordPress safely without negatively affecting Jetpack.

[jeherve]

Here are the IPs you can use:
http://whois.arin.net/rest/org/AUTOM-93/nets
You'll also need to add 185.64.140.0/22 and a04:fa80::/29 to the list.

Overall, we don't suggest this approach since our IP block will change over time, changing the possible IP addresses and this would prevent any of the mobile apps or other desktop clients from working.

Alternatively, Jetpack requests are routed to /xmlrpc.php?for=jetpack , so matching that string and allowing that is another option. Jetpack has protocols in place to only accept incoming requests that have been signed by our servers.

I believe iThemes Security includes an option to block XML-RPC pingback requests only. Since this is the most common vector of attack to XML-RPC today, you could block only that while still allowing other XML-RPC requests from plugins and mobile apps.
You can also use this plugin to disable XML-RPC pingback requests:
https://wordpress.org/plugins/disable-xml-rpc-pingback/

[Jany-M]

@jeherve I'm not too good at regex, could you maybe share a snippet to effectively match the string, so I can also use that method, rather then IPs?

[jeherve]

@Jany-M This should help: http://www.analyticsmarket.com/freetools/ipregex

[Jany-M]

@jeherve I think the link only helps with IP ranges, am I mistaken? I meant a snippet to match the /xmlrpc.php?for=jetpack string, or anything jetpack related (or even WP API related), you think should be allowed.

[jeherve]

I think the link only helps with IP ranges, am I mistaken?

That's correct.

Overall, we don't recommend that approach though. You can check a possible alternative in my comment above.

[kymc]

How about a dynamic endpoint somewhere that could be polled? With this, everyone could programatically maintain their whitelists.. 👌

[jeherve]

I like that idea. That's not on our roadmap right now, but I'll reopen that issue so we can go back to it later.

[MarceloPedra]

Hi! Any news on this request?