Google Cloud IPs in settings.php

visiongaiatechnology
(@visiongaiatechnology)

1 week ago
Hello,

I am reporting a potential security concern regarding the AIOS firewall settings file (settings.php) that I believe deserves attention.

Our server monitoring system (Sentinel Hash Checker) detected an unexpected modification to the AIOS settings.php file. There was no plugin update for over 2 months — yet the file changed without any manual interaction on our part.

What we found inside the modified file:

The aiowps_googlebot_ip_ranges array was populated with a large number of IP ranges that go significantly beyond legitimate Googlebot crawler IPs. Specifically, the file now contains:
- Google Cloud infrastructure ranges (192.178.4.0/27, 34.x.x.x, etc.)
- Google Cloud IPv6 ranges (2001:4860:4801::/64 blocks)
This is a security concern because these are not Googlebot crawler IPs — they are Google Cloud data center ranges that any third party can rent for a few dollars per month. By whitelisting these ranges in the firewall, AIOS effectively creates a bypass vector: an attacker who provisions a Google Cloud server receives an IP from one of these whitelisted ranges and can bypass all AIOS firewall rules entirely.

Our questions:
1. Is AIOS making automatic API calls to update the googlebot_ip_ranges list without user notification or consent?
2. If so, from which endpoint are these ranges being pulled?
3. Is there a changelog or audit log for automatic settings.php modifications?
We consider this a serious architectural issue. Whitelisting entire cloud provider ranges — not just verified crawler IPs — significantly undermines the security posture that AIOS is supposed to provide.

We are happy to provide the full settings.php content and our server logs if needed for investigation.

Best regards,
Rene from
VisionGaiaTechnology

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Support hjogiupdraftplus
(@hjogiupdraftplus)

6 days, 5 hours ago

Hi @visiongaiatechnology.

Thanks for raising issue. I will create an internal ticket to check the issue in detail and get back to you.

According to me, it is related to Google bots only IP range list.

Regards

Plugin Support hjogiupdraftplus
(@hjogiupdraftplus)

3 days, 12 hours ago

Hi @visiongaiatechnology,

Yes, AIOS fetches and stores Googlebot IPs daily, and this is why it updates the settings.php file. It is primarily used for the “Block fake Googlebot” firewall feature.

The IP ranges are currently obtained from:
https://developers.google.com/static/search/apis/ipranges/googlebot.json

We have an internal ticket to update the URL to the newer endpoint:
https://developers.google.com/static/crawling/ipranges/common-crawlers.json

Both URLs currently contain the same IP ranges.

The settings.php file is for firewall settings, so it does not include a change as an audit log or change log.

This list of IPs relates only to Googlebots, not Google Cloud servers and should not allow any user who purchase google cloud server to bypass rules related to it.

Regards

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.