Set Network Policy geolocation limitations
curtismchale opened this issue
We should set NetworkPolicy limitations on who can even access `my.proudcity.com` and any variation of `/wp-login.php`. We should not have any access from outside the US (with an exemption for our single developer outside the US) to our login pages. Rejecting that would stop the type of credential stuffing attack we had to deal with on March 28 2024.
There are likely 2 layers with this.
Customer with Cloudflare

- set a rate limiting rule so that Cloudflare blocks requests to `/wp-login.php`, `/wp-admin.php` from connecting at all if you're outside the US

Customer without Cloudflare

- we should add Network Policies to reject any requests to those locations if you're not in the US or at our single allowed IP
@kevindherman given that no one (outside of Colma) should be connecting to `wp-login.php`, I've managed to set a new `.htaccess` rule to forbid the traffic to `/wp-login.php` from any location. This is currently deployed on `beta`. Testing would be visiting https://beta.proudcity.com/wp-login.php and you should get a forbidden message.
Then use my.proudcity.com to login to beta and do some content stuff. You should be able to log in without issue and edit content.
On beta you will still need to use the standard auth login information to see the site first before getting the forbidden message.
While this doesn't fully stop/block remote IPs hitting the page it does stop them accessing anything much sooner in the server life so it will reduce impacts of any attack greatly. Ideally we'd block any IP that hits this page, but as we don't pass IPs through to Kubernetes properly I can't. We hit the same IP issue with #2377
If this is good we can roll it out tomorrow.
Following @curtismchale's steps I got the block on `/wp-login` and then logged in from my.proudcity.com and successfully added new and edited existing content.
With the exception of Colma, seems good to go from my end.
This `wp-login.php` block is activated inside the k8s deployment with the variable `BLOCK_LOGIN`; it can be turned off by removing that.
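As an added example (not ProudCity's own code or deployment), a POSIX shell helper that emits the kind of Apache `.htaccess` block described above, toggled by the `BLOCK_LOGIN` variable named in the thread. The exact directives, the optional `ALLOW_IP` exemption, the marker comments and the function names are assumptions; the thread only says the block forbids `/wp-login.php` from any location and is switched on by `BLOCK_LOGIN`.

```shell
# Hypothetical .htaccess generator for a wp-login.php block (assumption: not
# ProudCity's code). BLOCK_LOGIN is the variable named in the thread; ALLOW_IP,
# the directives and the BEGIN/END markers are assumptions.

# Print the Apache 2.4 directives that return 403 for wp-login.php.
# When BLOCK_LOGIN is unset or empty, print nothing (login page stays reachable).
# When ALLOW_IP is set, only that address is allowed and everyone else is denied.
# Caveat: the exemption only works if the real client address reaches Apache;
# behind a proxy that does not forward client IPs, every request would appear
# to come from the proxy, which is why a blanket deny is the safe default.
render_login_block() {
  if [ -z "${BLOCK_LOGIN:-}" ]; then
    return 0
  fi
  printf '%s\n' '<Files "wp-login.php">'
  if [ -n "${ALLOW_IP:-}" ]; then
    # "Require ip" grants only the listed address; all others get 403.
    printf '  Require ip %s\n' "$ALLOW_IP"
  else
    printf '%s\n' '  Require all denied'
  fi
  printf '%s\n' '</Files>'
}

# Install (or remove) the block in the given .htaccess file, replacing any
# earlier copy found between the BEGIN/END markers so repeated runs are idempotent.
install_login_block() {
  htaccess="$1"
  tmp="$(mktemp)"
  if [ -f "$htaccess" ]; then
    # Drop a previously installed block, keep everything else untouched.
    sed '/^# BEGIN BLOCK_LOGIN/,/^# END BLOCK_LOGIN/d' "$htaccess" > "$tmp"
  fi
  block="$(render_login_block)"
  if [ -n "$block" ]; then
    {
      printf '%s\n' '# BEGIN BLOCK_LOGIN'
      printf '%s\n' "$block"
      printf '%s\n' '# END BLOCK_LOGIN'
    } >> "$tmp"
  fi
  mv "$tmp" "$htaccess"
}

# Usage (e.g. from a container entrypoint):
#   BLOCK_LOGIN=1 install_login_block /var/www/html/.htaccess
# Running again with BLOCK_LOGIN unset removes the block, matching the
# "turn it off by removing the variable" behaviour described in the thread.
```

Because the block is regenerated from the environment on every run, the toggle is the variable itself rather than a hand-edited file, and the marker comments keep any other `.htaccess` rules (such as the WordPress rewrite block) intact.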