I'm using http://ip-api.com/csv/ in a Google worksheet formula to pull up geolocation data about IP addresses listed in the Activity Log. The result includes a bunch of info about the IP address (e.g., country, city, state, zip code, longitude and latitude, etc.), though the city/state is usually enough. I've compared the results of ip-api.com to other sites that show geolocation info about an IP and it seems to be accurate.
Upon looking at a recent Activity Report for all of 2017, I see that one PC appears in the report as being frequently accessed from a few local IP addresses, when in reality the user of that PC rarely if ever uses GoToMyPC while in town. Yet the IP address for this user's second home in a distant city appears in the report only 4 times in all of 2017, even though he uses GoToMyPC extensively while there.
I figured that if Google uses IP Location as a means of detecting "unauthorized activity", IP geolocation must have some validity, but the geolocation results for this particular PC are the opposite of what I would expect.
How reliable is the "Client IP" shown in the Access Activity report? (Note that the aforementioned user runs GoToMyPC on a desktop PC in his second home, connected to the Internet via Time Warner Cable, so we're not dealing with cell phone or tablet access.)
How reliable is geolocation information one can get about an IP address?
I had a minor heart attack this morning when by happenstance I checked the "session performance" log for a station in GoToMyPC and noticed connections from an IP address I was not familiar with. My initial concern was that someone had gained access to both my GoToMyPC account and station logins and was spending quality time probing my clients. But a random checking of the logs suggested that the access times were consistent with when legitimate connections would have occurred. My second fear was that my network had been hacked and all my IP traffic was being re-routed through a sniffer proxy. But further investigation verified that was not the case.
Investigating the mystery IP address, I found that it belonged to Cloudflare, which I knew to be a backbone provider connected to LogMeIn. That made me feel a little better. The interesting thing was that the geolocation on the address showed it to be at the Colorado State capitol in Denver! (http://geoiplookup.net/ip/220.127.116.11) Is the State of Colorado spying on me? Or does Cloudflare have a switch facility in the basement? Weird, and still not comforting.
Through a little more experimenting, I discovered the following: If you log into GoToMyPC through the standard website, your actual public IP address is what gets recorded as it should. However, I have shortcuts created for the systems I access on a regular basis. When I access client systems via the shortcuts (bypassing the web interface) then it records 18.104.22.168 in the log.
Okay, I feel a bit better now, except that I occasionally rely upon the performance log to see who has logged in where. If it's going to log this address instead of the actual one, then this function becomes nearly useless.
I'd feel better if I could get a definitive answer on why this is happening, and if it’s going to be rectified.
I apologize for the wait. Our product team is looking into this. What they have found so far is that connections made using a desktop shortcut are being reported with Cloudflare IP addresses. If you sign into the account on the website or use a mobile app to initiate the session, the correct client IP address will be reported. The team is looking into a fix.
I notice no change in this behavior. Am I to assume that there's no interest in this issue? I can't imagine that I am the only one who uses shortcuts who also uses the logs to monitor access.
I am finding this issue in activity reports also. I have an employee showing their home ISP when they first log in, but Cloudflare on subsequent logins in a day.
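One way to review an exported activity report given the behavior described in the replies above, as an added example that is not part of the original thread and not GoToMyPC's own code: it marks rows whose client IP falls inside a Cloudflare range so they are not geolocated or treated as the user's real address. The CSV column names, the sample rows and `KNOWN_IPS` are assumptions made for illustration, and the range list is a snapshot of Cloudflare's published IPv4 list that should be refreshed before use.

```python
import csv
import io
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample rows; the column names are assumed, not the product's export format.
SAMPLE_REPORT = """user,host,start,client_ip
alice,OFFICE-PC1,2018-03-01 08:02,203.0.113.10
alice,OFFICE-PC1,2018-03-01 13:15,104.16.5.20
bob,OFFICE-PC2,2018-03-01 09:40,172.68.1.1
bob,OFFICE-PC2,2018-03-02 22:11,198.51.100.7
carol,OFFICE-PC3,2018-03-02 07:55,not-recorded
"""

# Hypothetical allow-list of addresses each user is expected to connect from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": set()}

def classify_ip(user, raw_ip, known=KNOWN_IPS):
    """Return 'known', 'proxy-edge', 'review' or 'invalid' for one log row."""
    try:
        ip = ipaddress.ip_address(raw_ip.strip())
    except ValueError:
        return "invalid"
    if any(ip in net for net in CLOUDFLARE_V4):
        # The address is a CDN edge, not the person who connected: geolocating
        # it or matching it against an allow-list says nothing about the user.
        return "proxy-edge"
    return "known" if str(ip) in known.get(user, set()) else "review"

def triage(report_text, known=KNOWN_IPS):
    """Classify every row of the report; returns (user, start, ip, verdict) tuples."""
    rows = csv.DictReader(io.StringIO(report_text))
    return [(r["user"], r["start"], r["client_ip"],
             classify_ip(r["user"], r["client_ip"], known)) for r in rows]

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(*row, sep="\t")
```

Rows marked `proxy-edge` need another signal, such as the session time or the account used, to confirm who connected; only `review` rows carry an address worth geolocating.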