[Security] comments supported on the ip allowlist and blocklists


Are comments supported on the IP (global) allowlist and IP blocklists?

I’d like to be able to add notes regarding where those IPs belong. The list keeps growing, so outdated IPs, or a quick check whether a certain service was added, are problematic.

If yes, what is the syntax for comments?
If no, please add this small feature request and update the info page to make it clear for all.

Cheers!

  • Nithin Ramdas
    • Support Wizard

    Hi Chip,

    Comments aren’t supported, the sections only support IP address formats. Providing the option to support more than one IP address can also lead to potential syntax errors and hence not supported at the moment.

    I’ll also move this ticket to the Features & Feedback section so that we can get more feedback from other members who would find such a feature would be helpful.

    The more feedback from other members the more it’ll be considered down the roadmap.

    Kind Regards,
    Nithin

  • Tony G
    • Mr. LetsFixTheWorld

    +1 : I’m amazed that the WP industry doesn’t have a standard for tracking settings changes with a CPT.
    Anytime we make a change there should be a button to click where we document what we’re changing at the same time we change it. This info would include Who, When, How, and Why a change is made. This would allow us to audit such changes, sort and filter them, email notices about specific change types, etc.
    Yeah, I know Defender has Audit Logging. It only logs what WPMUDEV has decided to log. The filtering is primitive and there are no notifications. It’s a nice step 1 of 100.

    Useful additions:

    – A function that can be called to create an audit log. We can then hook whatever we want in addition to the fine selection offered by default in Defender and call the function to add whatever we want to the log. We can ask plugin authors to do the same.
    – A hook when all or some audit-log events are triggered so that we can decide about sending notifications – whether by email, SMS, Slack, Discord, or otherwise. DEV doesn’t need to implement any of that notification functionality – just add the hook.
    – Slowly add the call to audit logging when WPMU DEV plugins perform specific actions: Changing a block/allow list for an IP/country/region. Just litter your plugins with calls to Defender to say “Hey! I just did something!”.
    – Augment that with the above-mentioned notes so that we can add context into the audit-log about WHY a setting was changed.

    We (I and a couple others) have been working on stuff like this for a while now. Progress has been slow due to so many other priorities. I would welcome collaboration with DEV so that we can get other plugins to hook into generalized Audit Logging which can be used by any plugin, including Defender. Then WE (site managers) can decide what we want to do with notifications, and YOU (DEV) can decide if you want to provide more information about changes in your products, as requested by Chip in his OP.

    Thanks.

  • Pawel Pela
    • Ex Staff

    Hello Tony G!

    Hope you are having a good day!

    Yes, perhaps a general audit log would solve this and many other similar needs, especially if combined with an ability to add a note for clarification. I’ve shared your suggestion with the Hub team for consideration as this is more related to the Hub (the OP).

    Regarding Defender, we had some requests for adding something like an API to Defender’s Audit Log feature, which would allow other plugins to use it to log events specific to them. We have a task for that in our backlog, so I will add your comment there as a vote for this feature.

    Best regards,
    Paweł

  • Tony G
    • Mr. LetsFixTheWorld

    I’ve been doing site housekeeping and keep coming back to this concept of adding comments to block/allow IP addresses.

    Adding comments to IP addresses can be done very simply:

    1) For each IP address in the allow or block lists, extract the characters that come before the first space character:

    111.111.111.111 This is a comment

    2) When banning an IP, add the reason as a comment after the IP:

    222.222.222.222 Blocked for 404s, 2023/12/30
    222.222.222.223 Blocked for login failures, 2023/12/29

    Right now, we can’t do that manually because the IP lists filter against any text that isn’t a valid IPv4 or CIDR format. If DEV allows us to modify that validation to only process what comes before a space character, we can add comments ourselves.

    Here’s something cool: Using the ‘ip_lockout_default_whitelist_ip’ hook (and ‘blacklist’?) we should already be able to intercept the IP lists in functions.php or a plugin, and remove the comments before they get to the code that uses the IPs for testing against inbound connections.

    If there are hooks that are triggered when Defender adds an IP to the blocklist, we might be able to add the associated label ourselves with code.

    So, DEV:
    – Are hooks available that are triggered when an IP is blocked?
    – Does the code that applies the action/filter include the reason for the block in the hook?
    – What do you think about a simple tweak to extract the first segment from the IP before validation and processing? (Needs to be done on the Hub page too.)

    $ip = explode(" ", $ip)[0];

    C’mon guys, I just gave you the code. This isn’t rocket science. Let’s get this one into the next Defender update. :)
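An added example (not code from Defender, the Hub, or any poster in this thread) of the comment-stripping filter Tony describes above. It assumes the `ip_lockout_default_whitelist_ip` filter passes an array of list entries as strings and expects the same shape back; that signature, and the `tg_` function names, are assumptions, not something the thread confirms.

```php
<?php
// Added example. Assumption: the filter receives an array of strings
// (one list entry per element) and must return an array of strings.

/**
 * Split "1.2.3.4 some note" into its IP/CIDR part and its comment.
 * Returns null when the text before the first whitespace is neither a
 * valid IPv4/IPv6 address nor an IPv4 CIDR range.
 */
function tg_parse_ip_entry( string $entry ): ?array {
    $entry = trim( $entry );
    if ( $entry === '' ) {
        return null;
    }
    // Keep only what comes before the first run of whitespace (Tony's explode() idea).
    $parts   = preg_split( '/\s+/', $entry, 2 );
    $ip      = $parts[0];
    $comment = $parts[1] ?? '';

    // Accept a bare address, or an IPv4 range in CIDR form with prefix 0-32.
    $bare = filter_var( $ip, FILTER_VALIDATE_IP ) !== false;
    $cidr = preg_match( '/^(\d{1,3}(?:\.\d{1,3}){3})\/(\d|[12]\d|3[0-2])$/', $ip, $m ) === 1
            && filter_var( $m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) !== false;
    if ( ! $bare && ! $cidr ) {
        return null; // malformed line: drop it instead of letting it break validation
    }
    return array( 'ip' => $ip, 'comment' => $comment );
}

/**
 * Filter callback: hand Defender the list with comments removed and
 * malformed entries dropped, so the matcher only ever sees IPs/CIDRs.
 */
function tg_strip_ip_comments( $entries ) {
    if ( ! is_array( $entries ) ) {
        return $entries; // unexpected shape: leave it untouched
    }
    $clean = array();
    foreach ( $entries as $entry ) {
        $parsed = tg_parse_ip_entry( (string) $entry );
        if ( $parsed !== null ) {
            $clean[] = $parsed['ip'];
        }
    }
    return $clean;
}

// Hook name is the one quoted in the thread; a 'blacklist' counterpart is unconfirmed there.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'ip_lockout_default_whitelist_ip', 'tg_strip_ip_comments' );
}
```

Running `tg_parse_ip_entry( '222.222.222.222 Blocked for 404s, 2023/12/30' )` yields the IP and the note separately, while an entry such as `not-an-ip some text` returns null and is dropped.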

  • Nebu John
    • FLS

    Hi Tony G,

    As Pawel mentioned, your suggestion has been communicated to our developers, who are actively working on a comprehensive audit log. This feature aims to provide detailed insights into the reasons behind IP additions to the blocklist or whitelist. While we don’t have a precise ETA for its release, rest assured that your feedback is being addressed.

    Kind Regards,
    Nebu John

  • Tony G
    • Mr. LetsFixTheWorld

    Well, “comprehensive” solutions can take years to implement. I came back here to suggest simple changes that don’t require an engineering effort.

    “who are actively working on a comprehensive audit log” : That’s news that hasn’t been communicated here, and given that the suggestion was just shared a month ago, I’m doubting this is an active project yet.

    I’m frustrated with this process.

  • Saurabh Kulkarni
    • Support

    Hello Tony G,

    I am sorry you feel this way about the process.

    We strive our best to include features that are recommended largely by our members. With that said, I am thankful for your suggestions and active participation concerning this feature; we have already shared your insights with our dev team in this matter.

    However, the final call to add any feature or tweak depends on the priority of the feature (if it is largely requested by the members) and extensive research, planning, execution and testing as we release it for all our members.

    From the members’ point of view, I can understand it can be a bit time-consuming to wait for small tweaks to be added to the plugin. However, this process ensures the quality and good functionality of the plugin, so the process is important, as it affects all the plugin users at large.

    Once again, I thank you for the suggestions you’ve made and for your active participation concerning this feature. I would like to assure you that they’ve been communicated to our Dev team for further review.

    Thank you for your patience.

    Kind Regards,
    Saurabh