Firewall AutoPilot Mode New Whitelist Rule(s)

[Chris Moon]

Ed I’m repeatedly seeing this error message on my sites after updating to v9.8,

“[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 07/11/2014 – 18:34]
Whitelist Rule:”

I clear the error log, turn off logging turn off ARQ and backup all file groups but the error pops up again.. The manual plugin firewall  whitelist has been executed several times. Any ideas?

[AITpro Admin]

The Security Log logs errors, blocked hacking/spamming attempts, procedural things (WordPress Automatic updates, AutoPilot Mode whitelist rules) and is a primary troubleshooting tool in BPS.  In other words, it is a multi-purpose tool.  There is no need to clear the Security Log.  The Security Log is just like your Apache Server Log.  It just logs what is going on on your website.  Plugin Firewall AutoPilot Mode is specifically for the Plugin Firewall and does not affect any other BPS Pro security features, such as AutoRestore.

Ok now let’s figure out what the issue/problem is.  Post these 3 things:

1.  Go to the Plugin Firewall Whitelist Text area and post all of your Plugin Firewall whitelist rules.
2. Go the htaccess File Editor tab, click on the Your Current Plugins htaccess File tab and copy and paste the entire contents in that text editing window.
3. Post your BPS Pro Security Log file contents.

[Chris Moon]

All 14 of my sites all displaying the Security log alert here’s the info from a random site:

[data has been copied and is under review]

[AITpro Admin]

Logged into the website and the issue/problem has been fixed.  I am not 100% sure yet what the cause was, but I will try to reproduce the issue/problem on a testing site to isolate exactly what it might be.  Here are the steps I did to get things working.

1. I deleted your existing Plugin Firewall whitelist rules below from the Plugin Firewall Whitelist Text area text box, clicked the Save Whitelist Options button and activated the Plugin Firewall.

/revslider/rs-plugin/css/captions.php, /mainwp-child/js/tracker.js, /revslider/rs-plugin/js/jquery.themepunch.plugins.min.js, /revslider/rs-plugin/js/jquery.themepunch.revolution.min.js, /akismet/_inc/form.js

2.  I set AutoPilot Mode to 1 minute and then went to the http://boomproxy.com/ website and clicked around your website.
3. The Plugin Firewall AutoPilot Mode automatically detected, created and logged these whitelist rules.

[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 09/11/2014 - 03:39]
Whitelist Rule: /revslider/rs-plugin/css/captions.php
Whitelist Rule: /revslider/rs-plugin/js/jquery.themepunch.plugins.min.js
Whitelist Rule: /revslider/rs-plugin/js/jquery.themepunch.revolution.min.js

4. I added this additional whitelist rule /mainwp-child/js/tracker.js that you had before. Not sure if it is needed or not, but since you previously had that whitelist rule then I added it back to the Plugin Firewall Whitelist text area and did all the manual Plugin Firewall steps: Save and activate the Plugin Firewall again.
5. I set the AutoPilot Mode Cron Check frequency to 15 minutes.

The only descrepancy I can see is that this whitelist rule is not valid /akismet/_inc/form.js since this file is not a frontloading plugin script. Not really sure why that was there. I will know more after I try to reproduce the issue/problem on a testing site.

[Chris Moon]

Hi Ed the security log alerts are still appearing on the site

[AITpro Admin]

Hmm maybe the problem has something to do with your Browser or something you have installed in your Browser.  Are you using a Proxy or anything else like that in your Browser?  Everything was working perfectly for me when I was logged into your website.  I will log back in and check things again.

[AITpro Admin]

I logged into your site and everything is fine.  I had a feeling that you were not exactly sure how the Security Log works from your first comment about “clearing” the Security Log file.

The Security Log file is a plain static text log file that logs events in descending order by date.  The Security Log file does not need to be cleared and is just a time history of logged events.  These are the last 2 things that were logged in your Security Log file.  On 11-9-2014 @ 3:39 is the AutoPilot Mode log entry that was made during my testing and confirms that everything is working correctly.  The next and ONLY new log entry since that time is a blocked bot, which should be blocked.  All the log entries before these 2 log entries are OLD log entries.   If you look at the time stamps of log entries then that is when the log entry was made.  You do not need to clear old log entries and can just leave them in your Security Log file.  They are just a chronological static history of logged events.

[Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 09/11/2014 - 03:39]
Whitelist Rule: /revslider/rs-plugin/css/captions.php
Whitelist Rule: /revslider/rs-plugin/js/jquery.themepunch.plugins.min.js
Whitelist Rule: /revslider/rs-plugin/js/jquery.themepunch.revolution.min.js

[403 GET / HEAD Request: November 9, 2014 11:28 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 192.99.40.137
Host Name: ns7000255.ip-192-99-40.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.domaintuno.com/d/dondrub.com
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; DomainTunoCrawler/0.1; +http://www.domaintuno.com/robot)

[AITpro Admin]

Also if you do not want to see the Security Log Alerts displayed in the WordPress Dashboard you can turn them off on the S-Monitor page.  We have Security Log Alerts turned off on all our sites since a new Alert is triggered  by blocked hackers, spammers, bad bots, etc. etc. etc. at least once per minute on all of our sites.

[Chris Moon]

Thanks Ed for taking the time to explain how the Security Log file works.

I just need to be clear what I need to do with the other sites effected:
1. Turn off ARQ
2. Delete existing Plugin Firewall Whitelist, Save Whitelist Options and activate the Plugin Firewall
3. set ARQ to 15 mins and turn on.

Have I got it right?

[AITpro Admin]

The Plugin Firewall and ARQ are 2 separate and completely different security features so nope you would not do anything with ARQ.  You can probably just follow the steps that I posted already:  http://forum.ait-pro.com/forums/topic/firewall-autopilot-mode-new-whitelist-rules/#post-19008

[AITpro Admin]

The cause of the blank AutoPilot Whitelist rule Security Log entries has been fixed in BPS Pro 9.9.  It was a simple checking condition that needed to be added if no new Plugin Firewall whitelist rules were found.  ie if no new rules are found then do nothing instead of logging a blank AutoPilot Whitelist Security log entry.  We have a few more things that need to be done in BPS Pro 9.9 so 9.9 should be released in 5-10 days.

[Author]

Posts