I run a Google App Engine app that has a honeypot admin page to distract from the real admin login page. A while ago I started getting repeated emails saying that someone was trying to log in on the honeypot page. I blocked the IP in question, but then I started seeing it for a new IP.
I’ve since blocked that one as well in the firewall rules section of Google App Engine:
I’ve tested the IPs in firewall rules and they are getting denied. However I’m still receiving emails saying this IP is trying to log in to the honeypot admin. To do that, they have to be able to reach the page in the first place, then submit the form, which they shouldn’t be able to do.
What else can I look at and do to resolve this?
I’ve just done some further testing by attempting to log in to the fake page myself, and it appears that all log in attempts are coming through as 172.17.0.6, so it must be an infrastructure related IP.
I am assuming that is why the IP is not blocked by the firewall. I’ve done a bit of a deep dive into the code for the honeypot site (which I’m not the author of), and it appears the IP address is obtained by
How might this be rectified?