Spam providing from internal IP addresses as 172.17.0.1?

Support
1

Short story: I recently had a massive Spam on my discourse installation after to change a text template for the “email confirmation” that seeemed to be wrong (from an old install?) that the url had something like url/authorize_email/ , In the end I needed to apply a full forum recovery 5 days older…

Now I’m watching the logs to see if there’s more spambot attacks, but I have noticed something strange… most of the spambots seems to come from a local IP:

image
image1399×809 67.8 KB

So I’m not sure if I have something wrong in my installation

Like, does this 172.16.0… setting is correct?

image
image1530×614 52.9 KB

2

If you check user IPs they are all from that address, right?

You’re using a reverse proxy (something like nginx-proxy, perhaps), right?

You need to add something like this to your app.yml

after_bundle_exec:
  - replace:
    filename: /etc/nginx/conf.d/discourse.conf
    from: "types {"
    to: |
      set_real_ip_from 172.16.0.0/12;
      set_real_ip_from 10.0.0.0/8;
      real_ip_recursive on;
      real_ip_header X-Forwarded-For;
      types {
4 Likes
3

As we can see in the first screenshot, it seems like only some ones (looks like only from spambots)

Seems like im not using a reverse proxy, discourse is being served just from a docker instance, but no other “host” nginx process is running on that server.

4

Sorry. Once I saw the 172.17.x.x addresses I assumed that you had a reverse proxy.

So this is a standard install?

If you’ve got a single host and no load balancer/reverse proxy, then I don’t know how anyone would have such an IP address. Maybe something else is somehow forwarding traffic? Those are private addresses, so it would appear that they are coming from your local network. That suggests that the spam bot is living on your network. (Guide to Private IP Address Classes and Ranges - Ipstack)

If you don’t have legitimate users (e.g., people on your LAN) accessing Discourse from that IP range, you’re safe to block it. I’d contact someone who runs your network and let them know that these attacks are coming from those internal addresses..

1 Like
5

That is a docker/container IP, isn’t it?

6

That’s where I’ve seen it, but I think there are other uses for that range.

Or maybe the spam bot is a docker container on that machine. :person_shrugging:

1 Like
7

Well, I don’t know anything and for me docker world is one huge mystery, but I was thinking is it possibile to get container IP via SSH or something?

8

Yes, I did it many years ago but I recall to be this one. Basically: a dedicated small host machine on vultr (like those dropplets on DO) for only this purpose, installed on docker, the rest of the host/vps is not used for anything else.

Yeah thats what im thinking, some wrong configuration or, since seems like happening from spambots, something strange happening around

not other dockers on that machine

9

Have you not updated your os in those many years? Could the host machine have been hacked? Those ip addresses look like they are coming from the same machine.

10

I plan to do a reinstall in 2-3 months

it doesn’t looks like but, this can be hard to know, on the other side the spambots are not massive (but it was massive a few days ago, for some reason I got massive spam 2 hours after changing the confirmation email url link from “authorize_email” to “confirm-new-email” which seemed to be an old template contents, but in the restored backup now I still have the old way in order to avoid another attack)

11

The strange thing is that this email template seems to be duplicated in my settings, so I created another post topic for this issue: