Node server :remote-addr displayed local IP (192.X.X.X) when accessed from python-requests

January 13, 2022, at 5:50 PM

I have an express server that uses nginx and monitors the X-Forwarded-For header.

The node server has the following lines of code:

app.set('trust proxy', '');
app.use(morgan(':remote-addr')); // and other info too

Normally, when users make requests, independent of the client (mobile app, scripts, etc.) the IP displayed is the remote one.

Recently, I have observed that someone tried to hack into my server using python-requests/2.22.0 and the remote IP was not his IP address, it was 192.X.X.X. I tried to reproduce this myself by accessing the server from itself, but the remote address (global server IP address) was displayed.

Can you better explain to me how this works and if this is something I should be worried about?

Answer 1

They never accessed your server through Nginx; check the logs. They sent a local connection header directly to the IP:port hosting your server. This could be damaging if your security policies are not set correctly, it could leak site IPs and potentially allow an attacker to have a free path into your server without response back and no limits.

As we get scarier, the user could initiate a BGP hijack and take over the relay points sending users to your server end-points; this is one to YouTube or google more about.

As we finish off, know most hosting companies allow for private networking and do give somewhat of a firewall to use but most users assume this is secure when it actually is not! These private networks connect you to the hundreds->thousands servers in a rack or zone. So if the attacker bought a server next to yours (which would likely be a bot) they could scan the private networks for some fun-time which is against TOS but the hosts don't check this good enough or secure it.

In your case, it sounds like the server is responding to the entire internet and bots are having a go at it; Try setting your Node.js server up as localhost only, at port 443 or whatever and host that through nginx. That way anytime someone inserts your IP or domain name it is forwarded by nginx to the local resource. Someone couldn't just use the IP + Node.js port and play games. If you do this, a user may still send the header with fake IP but it won't result to IP Leak, or anything bad unless that IP had super powers on your site, which no filter on your site should say 192.168.x.x gets ADMIN mode. You can feel confident.

MySQL - How to get a list of Session Variables and their Values?

MySQL - How to get a list of Session Variables and their Values?

Does anyone know if we can get a list of custom session variables for the current session in the latest version of MySQL?

How do I include other files in PHP?

How do I include other files in PHP?

I just started creating a website at my home

What causes CSS, HTML, javascript, or React to combine margins?

What causes CSS, HTML, javascript, or React to combine margins?

I have an element with a margin at the bottom of 10pxAnd immediately under this element, I place another element with margin at the top of 10px

Show .bmp file in ImageView Android 6

Show .bmp file in ImageView Android 6

My application receives ByteArray withbmp file in it from backend