Difference between Internal and external traffic in production phase - google-analytics

Suppose you have an ASP.NET MVC project with Google's tracking code, and you want to use it for the production phase and not for the development phase.
What settings should be used in Google Analytics? Should I apply my IP address for internal or external traffic in the filter?
What is the difference between internal and external traffic in Google Analytics?
Thank you!

Google Analytics does not differentiate between "internal" and "external" traffic - these are labels commonly used in filters, but what they mean is up to you.
If you use a filter to exclude hits with your IP then the view will remove your own traffic.
If you use a filter to include hits with your IP then Google Analytics will delete all data except visits with that IP (so you want to be careful with include filters and always keep an unfiltered view).
If you use IP anonymization then filtering out a single IP will not work at all (since the last octet of an IPv4 address will be set to "0"); you would have to exclude a whole block.
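The effect of anonymization on an exclude filter, as an added example that is not part of the original answer: it models a view's exclude filter as a list of networks and runs it over constructed hits. The IPv6 masking (last 80 bits zeroed) goes beyond the IPv4 case the answer mentions; the function names and sample addresses are assumptions made for illustration.

```python
import ipaddress


def anonymize(ip):
    """Mask an address as IP anonymization does: the last IPv4 octet
    (or the last 80 bits of an IPv6 address) is set to zero."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address


def surviving_hits(hits, excluded, anonymized):
    """Return the hits a view keeps after an exclude filter is applied.

    hits       -- visitor IPs as strings (constructed sample data below)
    excluded   -- networks the filter removes, e.g. "203.0.113.0/24"
    anonymized -- True if the filter only ever sees the masked address
    """
    nets = [ipaddress.ip_network(n) for n in excluded]
    kept = []
    for ip in hits:
        seen = anonymize(ip) if anonymized else ipaddress.ip_address(ip)
        if not any(seen in net for net in nets):
            kept.append(ip)
    return kept


# Constructed hits: the office IP, a stranger in the same /24, an unrelated visitor.
OFFICE = "203.0.113.57"
HITS = [OFFICE, "203.0.113.200", "192.0.2.10"]

if __name__ == "__main__":
    # Single-IP filter works only while the full address is visible.
    print(surviving_hits(HITS, [OFFICE], anonymized=False))
    # With anonymization the filter sees 203.0.113.0 and never matches.
    print(surviving_hits(HITS, [OFFICE], anonymized=True))
    # Excluding the block works, but also drops the stranger in that /24.
    print(surviving_hits(HITS, ["203.0.113.0/24"], anonymized=True))
```

Excluding the whole block removes every visitor who shares it, so the filtered view undercounts by more than the internal traffic alone.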

Related

Can I use Google Cloud Armor to programmatically whitelist many IPs?

Firebase Hosting did not provide enough security, but I love the features of Firebase. So I wrote a firebase function that renders dynamic content. I put it behind a google load balancer to be able to block all traffic except whitelisted IPs.
I hope to write a function that will whitelist the IP into cloud armor after a successful sign in. I hope to whitelist as many IPs as possible (1000+) and I will add a TTL to each IP as each session expires.
My goal is to strictly limit access and prevent a DDoS attack that could potentially bring the function down and accrue charges. A bearer token is not enough for my use case.
So this is a two part question, is it possible to whitelist IPs programmatically? Is there a limit to how many IPs I can whitelist?
Update:
According to https://cloud.google.com/armor/quotas, I can have 200 rules each rule containing 10 IPs, meaning 2000 IPs. So my new question, is this a standard use case for Cloud Armor?
I understand I can get a quota increase, but there are other load balancer services such as Cloudflare with much larger IP whitelist. Although, I would like to stay within Google services.
According to the official documentation and #John Hanley recommendation you should not use IP whitelists filtering for your security model:
Note that using static IP address filtering is not considered a safe
and effective means of protection. Instead, we suggest that you take a defense
in depth approach using OAuth and Certs.

What are the potential risks of not using a Web Application Firewall?

I develop and manage a small promotional/marketing website on Wordpress for a startup SaaS product. We're using Cloudflare for DNS and whatnot. Apparently the WAF has been turned on which uses a proxy and changes the user's IP address. I'm trying to use IP address to filter "internal" traffic for Google Analytics and the only way this works is with the WAF turned off. If not using the WAF is going to cause any sort of significant risk for my website, then obviously I'll need another way to do my analytics thing. Reading about what all it provides on their website doesn't make it all that clear to me how important it is for a website like this. If anyone who "gets it" had some insight to share, I'd be most appreciative. thx!
You should definitely use the WAF - it will protect your website from many malicious bots and attacks.
Wordpress sites are particularly juicy targets for attackers, for a number of reasons:
The security of a default Wordpress installation is not great.
Every Wordpress site shares common default features, such as the location of the admin login page, the admin username, and other exploitative resources.
Wordpress is extremely popular, and currently used by an estimated third of all websites on the internet.
Wordpress is used by many, many small businesses and hobbyists who do not know how to secure their site properly.
Ergo, attackers can very easily scour the web for Wordpress websites that are easily hackable. Other nefarious activities are commonly carried out with ease on most Wordpress sites, such as comment spam or Denial of Service attacks.
What protection does the WAF offer?
Cloudflare and most other high quality WAFs can be configured to protect your site by automatically performing actions like:
Blocking known bad IP addresses.
Blocking bad bots which are automatically making requests to your site.
Limiting high numbers of requests from one source in a short amount of time (usually a sign of a DoS attack or scraping).
Blocking requests from particular countries or locations.
There is no reason why you wouldn't want to enable this protection if you have it available to you, and Cloudflare is the industry leader in this area.
Additionally, I would recommend you research how to better secure your Wordpress site in ways other than just the WAF - e.g. The Ultimate WordPress Security Guide
How to solve the IP address issue
Cloudflare is not changing the user's (the client) IP address, but rather acting as a proxy. As you have noticed, the IP address you're seeing is not the client's own, but one of Cloudflare's. This is crucial to how Cloudflare works to protect your site, but this is a common issue when using any kind of proxy.
To get the correct IP address when using a proxy, you need to check the X-FORWARDED-FOR header. You might see this as a string of comma-separated IP addresses, depending on how many proxies the user has gone through before reaching the site. The first one in the list is the original client IP.
e.g. Here 203.0.113.1 is the client's original IP address:
X-Forwarded-For: 203.0.113.1,198.51.100.101,198.51.100.102
Documentation: How does Cloudflare handle HTTP Request headers?
Anyway, it's good to use a function which can comprehensively check headers and give you the best match for the original client IP, regardless of whether the user is behind a proxy or not, so that you can guarantee it always works.
Here's a very popular StackOverflow question about this:
What is the most accurate way to retrieve a user's correct IP address in PHP?
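One way to resolve the client address behind a proxy, as an added example that is not part of the original answer or of Cloudflare's code: it reads the header from the right and accepts entries only while they were written by known proxies, because everything to the left of the first untrusted hop is supplied by the requester. The trusted range and function names are assumptions; the first test input is the header from the answer.

```python
import ipaddress

# Constructed range standing in for the proxy/CDN's published address list
# (assumption: replace with the real ranges of the proxy in front of the site).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24",)]


def is_trusted(addr):
    """True if addr belongs to a proxy we operate or have chosen to trust."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Resolve the client address for a request.

    peer_addr  -- source address of the TCP connection (not header-controlled)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    candidate = ipaddress.ip_address(peer_addr)
    # A request that did not arrive through a trusted proxy could carry any
    # header value, so only the connection address counts.
    if not is_trusted(candidate) or not xff_header:
        return str(candidate)
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones written by infrastructure we trust.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop, keep the last verified address
        candidate = addr
        if not is_trusted(addr):
            break  # first hop outside our proxies is the client
    return str(candidate)


if __name__ == "__main__":
    print(client_ip("198.51.100.103",
                    "203.0.113.1,198.51.100.101,198.51.100.102"))
```

An "internal traffic" decision based on this value is only as reliable as the trusted-proxy list, so the origin should also refuse connections that do not come from those proxies.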

Can I capture the IP address of every user that logs into my website

I have been asked to get details of every user that logs into our website. Is it possible to capture the IP address of every user that logs into our website, from which I can gather details using IP lookup software?
It's already captured. Check out the web logs for whatever your webserver is.
In IIS, it's likely in C:\Windows\System32\LogFiles. Apache will normally be in /var/log.
You can tweak the specifics of what it captures, but by default IP address is always included.
Unless you are explicitly required to store the IPs yourself, I recommend using Google Analytics, which will sort out unique/returning visitors, geographical locations and so on.

Proxy detection - to protect against fraudsters who bypass geolocation controls using a proxy

Say a merchant has an ASP.NET with C# e-commerce website abc.com and would like to allow Spanish customers only. But a credit card fraudster located in Greece attempts to purchase goods online with a stolen credit card having a Spanish billing address. The system tries to prevent the fraud by matching up the customer's IP location and billing address, but the fraudster can bypass this check by selecting a proxy located in Spain.
So, is it possible to block the proxy user? I do not want any third party paid proxy detector.
I have found the following discussions regarding proxies, but none of them matches my case well enough.
Proxy detection,
.NET proxy detection and http://www.maxmind.com/app/proxy (paid service)
As I guess, we may be able to detect a proxy customer by knowing what DNS he is using on his machine. Normally, a customer should use the DNS of the ISP of his IP. If the customer is using another public DNS, can we treat him as a proxy user?
Any idea would be appreciated.
If Flash is a viable option you should be able to detect the user's real IP that way.

What IP will google analytics see for internally hosted site

One of our sites that we want to use google analytics on is hosted inside our network.
We would like to exclude the administrators' own traffic from the reports, but I am wondering how analytics obtains the user's IP address.
If it uses the address which the analytics script is requested from (the HTTP request for the js) then it will see one of our external ips and excluding that will get rid of all traffic.
If it obtains it in javascript once the ga.js is downloaded then it will see the internal 10.x.x.x addresses and filtering out the assigned addresses will have the desired result.
Essentially my question is, will filtering the internal address work or not.
I shall set up an experiment now, but obviously it will take 1 or 2 days before I can be sure about that outcome. If it doesn't work, then I will set custom vars and filter those instead.
It will see the IP that requests the __utm.gif image, then the IP of your internet gateway(s)
You can define a filter to exclude each of your IPs, or your IP range
