#27397 Security exceptions from IP 10.10.111.xx

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by dlb on Tuesday, 21 March 2017 15:33 CDT

PTWD
Since January (when I reinstalled Admin Tools on my client's reinstalled website) my Security Exceptions Log shows about 2500 (!) log entries of mostly "failed logins." All of them from only 2 IP addresses which are the same other than the last octet. Both IPs begin with 10.10.111.xx. As near as I can tell from Googling about this, this range of IPs would be from a private network, which seems strange.

I added both to my blacklist and then enabled "Disallow site access to IPs in Blacklist." Imagine my surprise when I was suddenly denied access! I'd locked myself out, which suggests that these IPs are ME (??) but my IP is a standard IP. I was able to regain access using the troubleshooting instructions (thank you for that!!) but I'm really puzzled by this.

(a) Why was I locked out when I enabled the blocking of the blacklist IPs? (The *only* IPs in the blacklist are 10.10.111.xx)
(b) Assuming I am not somehow seen by Admin Tools as these IPs, is there any way to tell where they are coming from?
(c) If I'm locking myself out by blacklisting these IPs, how can I block them without locking myself out too?

Many thanks for help with this.

dlb
In Web Application Firewall, Configure WAF, on the first tab, toggle the value of Enable IP workarounds. That will fix it.

Fixing it is easy, explaining it is a little bit tougher. You have a CDN in front of your website, like Cloudflare, etc. The IP you're seeing is the IP of the CDN, not the site visitor. The IP workarounds setting switches the "from" IP from the real from (CDN) to the forwarded IP.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

PTWD
Ooooh, okay. Thanks! The host apparently uses some kind of clustering architecture. Would that be the CDN?

I've switched it from No to Yes now, so I'll see what happens. Many thanks for your help.

FYI: that setting for Enable IP Workarounds has always been contrary. When I set it to No, it says Yes is recommended. When I set it to Yes, it says No is recommended. Is that a bug or something about how it is working with the host's server structure?

dlb
In most cases, Admin Tools can figure out the right setting, but some servers get it confused. When the recommended setting doesn't work, toggle it.

Anything sitting in front of your HTTP server will pose the same problem: the from IP is the CDN, load balancer, etc., not the real visitor's IP address. The real address is forwarded in another field; we just need to tell Admin Tools to read that one instead.


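The address selection described in the reply above, as an added example that is not part of the original thread and is not Admin Tools' code. It assumes the forwarded field is the `X-Forwarded-For` header and that the host's proxies sit in 10.10.111.0/24 (taken from the ticket's 10.10.111.xx); the function names and sample requests are constructed for illustration. The header is honoured only when the direct peer is a trusted proxy, because a visitor connecting directly can put any address in it.

```python
import ipaddress

# Assumption: the host's load balancers / CDN nodes live in this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.111.0/24")]


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, forwarded_for=None):
    """Return the address a blacklist or failed-login log should record."""
    peer = ipaddress.ip_address(remote_addr)
    # Direct connection or no header: the socket peer is the visitor.
    # A forwarded header from an untrusted peer is visitor-controlled.
    if not is_trusted_proxy(peer) or not forwarded_for:
        return str(peer)
    # Proxies append to the right, so walk right to left and stop at the
    # first hop that is not one of our own proxies.
    for hop in reversed(forwarded_for.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: fall back to the peer address
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)


# Constructed sample requests: (socket peer, X-Forwarded-For value).
SAMPLES = [
    ("10.10.111.7", "203.0.113.45"),               # visitor behind the proxy
    ("10.10.111.7", None),                         # proxy sent no header
    ("198.51.100.9", "10.10.111.7"),               # direct hit, forged header
    ("10.10.111.7", "192.0.2.1, 203.0.113.45"),    # visitor forged left entry
    ("10.10.111.7", "203.0.113.45, 10.10.111.8"),  # two proxies chained
    ("10.10.111.7", "not-an-ip"),                  # malformed header
]


def resolve_samples():
    return [client_ip(peer, xff) for peer, xff in SAMPLES]


if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLES, resolve_samples()):
        print(f"peer={peer:<13} xff={xff!s:<28} -> {ip}")
```

With the workaround off, every request through the proxy is recorded as 10.10.111.x, which is why blacklisting that range blocks all visitors, including the administrator.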

PTWD
Thanks for the explanation.

I'll mention for anyone reading this later that when I checked the Exceptions Log just now, it wanted me to confirm the changed setting on that page, so there seems to be 2 parts to changing the setting.

I see it's working now. I have my first login failure showing up in the log. Lucky me (sort of). ;-)

Thanks again, Dale. Much appreciated.

dlb
That's a new feature, I forgot. My apologies.

You're welcome!


