proudcity / wp-proudcity

The ProudCity WordPress platform

Home Page: https://proudcity.com

Set Network Policy geolocation limitations

curtismchale opened this issue · comments

We should set NetworkPolicy limitations on who can even access my.proudcity.com and any variation of /wp-login.php. We should not have any access from outside the US (with an exemption for our single developer outside the US) to our login pages. Rejecting that would stop the type of credential-stuffing attack we had to deal with on March 28, 2024.

There are likely 2 layers with this.

Customer with Cloudflare

  • set a rate limiting rule so that Cloudflare blocks requests to /wp-login.php, /wp-admin.php from connecting at all if you're outside the US

Customer without Cloudflare

  • we should add Network Policies to reject any requests to those locations if you're not in the US or at our single allowed IP

@kevindherman given that no one (outside of Colma) should be connecting to wp-login.php, I've managed to set a new .htaccess rule to forbid the traffic to /wp-login.php from any location. This is currently deployed on beta. Testing would be visiting https://beta.proudcity.com/wp-login.php, and you should get a forbidden message.

Then use my.proudcity.com to login to beta and do some content stuff. You should be able to log in without issue and edit content.

On beta you will still need to use the standard auth login information to see the site first before getting the forbidden message.

While this doesn't fully stop/block remote IPs hitting the page, it does stop them accessing anything much sooner in the server life, so it will reduce the impact of any attack greatly. Ideally we'd block any IP that hits this page, but as we don't pass IPs through to Kubernetes properly, I can't. We hit the same IP issue with #2377.

If this is good we can roll it out tomorrow.

Following @curtismchale's steps I got the block on /wp-login and then logged in from my.proudcity.com and successfully added new and edited existing content.

With the exception of Colma, seems good to go from my end.

This wp-login.php block is activated inside the k8s deployment with the variable BLOCK_LOGIN; it can be turned off by removing that.
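The .htaccess block described in the comments above, together with the BLOCK_LOGIN toggle, as an added example that is not the wp-proudcity repository's own rule. It assumes Apache 2.4 with AllowOverride AuthConfig, and that the container entrypoint turns the BLOCK_LOGIN environment variable into an `httpd -D BLOCK_LOGIN` define (both are assumptions; the thread does not say how the variable is wired through).

```apache
# Added example, not the project's own .htaccess.
# Assumes Apache 2.4 (mod_authz_core) and that the k8s entrypoint maps the
# BLOCK_LOGIN environment variable to an "httpd -D BLOCK_LOGIN" define
# (assumption). Removing the variable leaves this whole section inactive.
<IfDefine BLOCK_LOGIN>
    # <Files> matches on basename, so this covers /wp-login.php and any copy
    # of it under a sub-path, i.e. "any variation of /wp-login.php" above.
    <Files "wp-login.php">
        # Deny every client with a 403 Forbidden; editors sign in through
        # my.proudcity.com instead, so nothing legitimate should land here.
        Require all denied

        # If the real client address ever reaches Apache (per the thread it
        # does not yet, because IPs are not passed through to Kubernetes),
        # the single developer exemption would replace the line above with
        # a placeholder such as:
        #     Require ip 203.0.113.10
        # Anything not matching an ip requirement is then denied by default.
    </Files>
</IfDefine>
```

The request still reaches the pod, so this is a web-server level reject rather than a NetworkPolicy; it reduces what an attacker can touch but does not stop the traffic arriving.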