11

I have a website that only a couple of people can access, so the number of IPs logged in is very limited. Everything submitted by the 'admins' logged in is sent to a specific folder dependent on their IP address. Again, they can't access the website through a proxy or anything, because there's a limited range of IPs that is allowed.

Can I trust `$_SERVER['REMOTE_ADDR']` to give a valid IP so the log system would be 100% stable and efficient?

Frank Farmer
  • 1
    I don't think you can fake REMOTE_ADDR without forging TCP packets, if it's possible at all. Unlike a lot of things in `$_SERVER`, REMOTE_ADDR isn't taken from an HTTP request header (HTTP request headers are easy to forge) – Frank Farmer Apr 29 '11 at 17:18
  • 1
    You can forge TCP packets, but you can't forge the full TCP connection handshake sequence with a spoofed IP, except the initial SYN packet. The SYN+ACK response from the server will go to the spoofed IP's system which won't know why that packet's coming in and ignore it. – Marc B Apr 29 '11 at 17:21
  • @Marc I'm not sure of the technical explanation, but I have seen this done. I had an IP block on an admin screen. One of our tech team figured out my IP (I was working from home) and bypassed it by faking his IP address. – Dan Blows Apr 30 '11 at 05:24
  • 1
    @Blowski: if you have control of the routers, you CAN spoof IP addresses, but that only works for networks you control. – Marc B Apr 30 '11 at 06:02
  • @Marc But how can he complete the three-way connection handshake even if he was in charge of the networks? The response from the server will never reach his network because the IP is a fake one. So, I still think it is impossible – hukeping May 27 '13 at 12:06
  • @david: I mean the entire network pipe between OP and the victim site. If you can control the routing on the far end, then you can spoof TCP all you want. But that's a highly unlikely circumstance – Marc B May 27 '13 at 14:37

2 Answers

11

$_SERVER['REMOTE_ADDR'] cannot be modified by the user or via HTTP so you CAN trust it.

Jesse Bunch
  • 16
    It may, however, NOT be the user's real IP address. Proxies, NAT gateways, etc... will all hide the original IP and only show the IP address of the final obfuscation hop the connection came from. As such, you can't use it to uniquely identify a user, as there could potentially be hundreds or thousands of different users all going through the same proxy. – Marc B Apr 29 '11 at 17:20
  • 1
    Marc is correct. I would never use the IP address to uniquely identify any user. Since you're storing Admin actions via the user's IP, if every admin is visiting the site from the same network, they're likely to have the same IP address. That's probably something to think about in your architecture. – Jesse Bunch Apr 29 '11 at 17:22
  • With the caveat that if the web-server (process _not_ machine) is compromised, then the http-server could be patched to supply a fake address. At this stage, you probably have bigger issues to worry about, unless it's a very limited scope attack on the http-server code. – Phil Lello Apr 29 '11 at 17:30
  • As I said, I allow access to specific users I know by allowing their IP addresses to be accessed. So if they ever use a proxy, they can't, because the IP of the proxy isn't allowed to access the website (or remote administration, I would say). And they're in different places, so the IP addresses are different and it can be spotted when I'm 'whitelisting' their IP. Or, making a specific username and password for each admin is a better solution? – ProgrammingEnthusiast Apr 29 '11 at 17:32
  • It really just depends on your needs and where you think your web app will go. If it's internal and you'll only ever be whitelisting specific IP addresses, then the method you're using is fine. However, if you ever intend to be more flexible than that, I would develop an authentication solution using a database and log items against the unique user ID. – Jesse Bunch Apr 29 '11 at 17:46
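
An added example (not part of the thread, and not any poster's code) of the distinction drawn in the comments and the answer above: the allowlist decision uses only `$_SERVER['REMOTE_ADDR']`, never client-supplied request headers such as `X-Forwarded-For`. The allowlist entries, folder labels and the function names `ip_in_cidr` and `admin_for_peer` are assumptions; the addresses are constructed from documentation ranges.

```php
<?php
// Constructed allowlist: CIDR (or single address) => folder label for that admin.
const ADMIN_ALLOWLIST = [
    '203.0.113.10'    => 'admin-a',   // single IPv4 address
    '198.51.100.0/28' => 'admin-b',   // small IPv4 range
    '2001:db8:1::/48' => 'admin-c',   // IPv6 range
];

/** True if $ip lies inside $cidr ("addr" or "addr/prefix"), IPv4 or IPv6. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                 // unparsable, or IPv4/IPv6 family mismatch
    }
    if ($bits !== null && !ctype_digit($bits)) {
        return false;                 // reject malformed prefix lengths
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits === null ? $max : (int) $bits;
    if ($bits > $max) {
        return false;
    }
    $full = intdiv($bits, 8);         // whole bytes covered by the prefix
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;                 // leftover bits in the next byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

/** Folder label for the connecting peer, or null when it is not allowlisted. */
function admin_for_peer(array $server): ?string
{
    // Only the TCP peer address is consulted. Forwarding headers arrive as
    // HTTP_* keys, are set by the client, and are deliberately ignored.
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach (ADMIN_ALLOWLIST as $cidr => $label) {
        if (ip_in_cidr($peer, $cidr)) { return $label; }
    }
    return null;
}
// Constructed request: the header claims an allowlisted address, the peer is not listed.
var_dump(admin_for_peer(['REMOTE_ADDR' => '192.0.2.77', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10']));
var_dump(admin_for_peer(['REMOTE_ADDR' => '198.51.100.9'])); // peer inside the /28 range
```

In a real request handler the call would be `admin_for_peer($_SERVER)`. As the comments above note, admins behind the same NAT gateway or proxy share one peer address, so this maps a network to a folder, not a person.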
1

It's a basic rule that you should not trust the authenticity of a remote machine's apparent IP address for anything where forgery within the network could cause you real problems.

Secure systems authenticate not only the client to the server, but also the server to the client (to protect against impersonating the server to phish login credentials), typically using asymmetric cryptography.

Chris Stratton