Security Log and HTTP Error Log, facebook 403 errors


Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #508
    apparence
    Member

    Thanks for this really pro and great support !!!!
    I deleted my log file and installed the new BPS Pro 531… it works fine now. The Wordfence author hasn’t given me any news… I’m waiting again….
    The new log file is now light, at 541 bytes, and contains just the test log (clicking the Test Error Log button to generate a test PHP error in the PHP error log):

    [BPS Pro htaccess Protected Secure PHP Error Log]
    [22-Nov-2012 11:25:24] PHP Warning:  copy() [function.copy]: Filename cannot be empty in /homepages/35/XXXXXXXXXX/htdocs/myfolderwebsite/wp-content/plugins/bulletproof-security/admin/php/php-options.php on line 2440
    [22-Nov-2012 11:25:53] PHP Warning:  copy() [function.copy]: Filename cannot be empty in /homepages/35/XXXXXXXXXX/htdocs/myfolderwebsite/wp-content/plugins/bulletproof-security/admin/php/php-options.php on line 2440

    No new errors today. But in http_error_log.txt there are several problems with:

    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)

    and new 403 errors since 11/22/2012:

    >>>>>>>>>>> 403 Error Logged [11/22/2012 9:49 PM] <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.3
    Host Name: out-ar3.tfbnw.net
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /cartes-de-voeux/product/cartes-voeux-sexy-legs-2013/?fb_action_ids=4593335405145%2C4593327684952%2C4593319924758&fb_action_types=og.likes&fb_source=other_multiline&action_object_map=%7B%224593335405145%22%3A457631740959841%2C%224593327684952%22%3A430599876994296%2C%224593319924758%22%3A303176719787396%7D&action_type_map=%7B%224593335405145%22%3A%22og.likes%22%2C%224593327684952%22%3A%22og.likes%22%2C%224593319924758%22%3A%22og.likes%22%7D&action_ref_map=%5B%5D
    QUERY_STRING: 
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged [11/22/2012 9:49 PM] <<<<<<<<<<<
    REMOTE_ADDR: 109.215.159.11
    Host Name: APoitiers-652-1-519-11.w109-215.abo.wanadoo.fr
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //www.facebook.com/l.php?u=http%3A%2F%2Fwww.shop-in.fr%2Fcartes-de-voeux%2Fproduct%2Fcartes-voeux-sexy-legs-2013%2F%3Ffb_action_ids%3D4593335405145%252C4593327684952%252C4593319924758%26fb_action_types%3Dog.likes%26fb_source%3Dother_multiline%26action_object_map%3D%257B%25224593335405145%2522%253A457631740959841%252C%25224593327684952%2522%253A430599876994296%252C%25224593319924758%2522%253A303176719787396%257D%26action_type_map%3D%257B%25224593335405145%2522%253A%2522og.likes%2522%252C%25224593327684952%2522%253A%2522og.likes%2522%252C%25224593319924758%2522%253A%2522og.likes%2522%257D%26action_ref_map%3D%255B%255D&h=dAQEFlfXp&s=1
    REQUEST_URI: /cartes-de-voeux/product/cartes-voeux-sexy-legs-2013/?fb_action_ids=4593335405145%2C4593327684952%2C4593319924758&fb_action_types=og.likes&fb_source=other_multiline&action_object_map=%7B%224593335405145%22%3A457631740959841%2C%224593327684952%22%3A430599876994296%2C%224593319924758%22%3A303176719787396%7D&action_type_map=%7B%224593335405145%22%3A%22og.likes%22%2C%224593327684952%22%3A%22og.likes%22%2C%224593319924758%22%3A%22og.likes%22%7D&action_ref_map=[]
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20100101 Firefox/16.0
    
    >>>>>>>>>>> 403 Error Logged [11/22/2012 9:49 PM] <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.1
    Host Name: out-ar1.tfbnw.net
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /cartes-de-voeux/product/carte-voeux-2013-cubeyear/?fb_action_ids=4593335405145%2C4593327684952%2C4593319924758&fb_action_types=og.likes&fb_source=other_multiline&action_object_map=%7B%224593335405145%22%3A457631740959841%2C%224593327684952%22%3A430599876994296%2C%224593319924758%22%3A303176719787396%7D&action_type_map=%7B%224593335405145%22%3A%22og.likes%22%2C%224593327684952%22%3A%22og.likes%22%2C%224593319924758%22%3A%22og.likes%22%7D&action_ref_map=%5B%5D
    QUERY_STRING: 
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged [11/22/2012 9:49 PM] <<<<<<<<<<<
    REMOTE_ADDR: 109.215.159.11
    Host Name: APoitiers-652-1-519-11.w109-215.abo.wanadoo.fr
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //www.facebook.com/l.php?u=http%3A%2F%2Fwww.shop-in.fr%2Fcartes-de-voeux%2Fproduct%2Fcarte-voeux-2013-cubeyear%2F%3Ffb_action_ids%3D4593335405145%252C4593327684952%252C4593319924758%26fb_action_types%3Dog.likes%26fb_source%3Dother_multiline%26action_object_map%3D%257B%25224593335405145%2522%253A457631740959841%252C%25224593327684952%2522%253A430599876994296%252C%25224593319924758%2522%253A303176719787396%257D%26action_type_map%3D%257B%25224593335405145%2522%253A%2522og.likes%2522%252C%25224593327684952%2522%253A%2522og.likes%2522%252C%25224593319924758%2522%253A%2522og.likes%2522%257D%26action_ref_map%3D%255B%255D&h=FAQG75ieR&s=1
    REQUEST_URI: /cartes-de-voeux/product/carte-voeux-2013-cubeyear/?fb_action_ids=4593335405145%2C4593327684952%2C4593319924758&fb_action_types=og.likes&fb_source=other_multiline&action_object_map=%7B%224593335405145%22%3A457631740959841%2C%224593327684952%22%3A430599876994296%2C%224593319924758%22%3A303176719787396%7D&action_type_map=%7B%224593335405145%22%3A%22og.likes%22%2C%224593327684952%22%3A%22og.likes%22%2C%224593319924758%22%3A%22og.likes%22%7D&action_ref_map=[]
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20100101 Firefox/16.0
    
    >>>>>>>>>>> 403 Error Logged [11/24/2012 10:12 AM] <<<<<<<<<<<
    REMOTE_ADDR: 174.129.114.179
    Host Name: ec2-174-129-114-179.compute-1.amazonaws.com
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /cartes-de-voeux/tag/ameublement/
    QUERY_STRING: 
    HTTP_USER_AGENT: Readability/1f1977 - http://readability.com/about/

    Best regards

    #514
    AITpro Admin
    Keymaster

    HTTP Status Codes that are logged by BulletProof Security Pro in the http_error_log.txt Log File are:

    400 Bad Request
    403 Forbidden
    404 Not Found

    NOTE:  In order to have 404 Not Found errors logged in your http_error_log.txt file you will need to copy the BPS Pro 404.php template file code into your Theme’s 404.php template file.  The BPS Pro 404.php template file is located here – /bulletproof-security/404.php file.  Open the 404.php template file with a code editor and you will see copy and paste instructions within the BPS Pro 404.php template file on how and where to copy and paste the code into your Theme’s 404.php template file.

    400 Bad Request
    Cause:   The request sent to the Website/Server was malformed, therefore the Website/Server was unable to process the request.

    403 Forbidden
    Cause:  The request sent to the Website/Server is refused by the Server.  The Server explicitly refuses to allow the requested action.

    404 Not Found
    Cause:  The request sent to the Website/Server was not found by the Server. 

    General Information About .htaccess Files
    .htaccess files are Server Configuration files – to be technically correct they are classified as – distributed configuration files.  Since .htaccess files are Server Configuration files they are processed first before anything else on your website – php code, html code, etc.  If you explicitly forbid an action or particular Query String or other coding pattern in an .htaccess file then the request that was made to your Website/Server will be stopped/Forbidden before it ever reaches your website coding since .htaccess code/files is/are processed first before anything else on your Website/Server.  .htaccess files are generally similar to a Firewall or Router depending on the .htaccess code that is used in an .htaccess file.  If you add IP Address (hostname, user agent, etc.) blocking .htaccess code to an .htaccess file then the .htaccess file can be technically classified as a Firewall.  If you add IP Address (hostname, user agent, etc.) conditions in an .htaccess file then you can “route” a particular IP Address (hostname, user agent, etc.) based on your conditions/security rules in your .htaccess file.

    In the first 403 Forbidden logged event you posted this is why the request is being blocked:
    The Request URI contains these explicitly Forbidden url encoded coding characters in your Root .htaccess file:  %5B%5D
    These url encoded characters are the square bracket coding characters [ and ].
    To allow these coding characters and not block them typically you would edit these security filters in your Root .htaccess file, but it may also be possible to create a skip/bypass rule for whichever plugin this is or if this is a facebook like coming from facebook itself then another solution would be to whitelist the facebook User Agent.  NOTE OF CAUTION:  User Agents can be easily faked/spoofed.

    Before modification
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\0|\x04|\x08|\r|\x1b|\x20|\x3c|\x3e|\x5b|\x5d|\x7f).* [NC,OR]
    
    After modification
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\0|\x04|\x08|\r|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]

    The second 403 Forbidden logged event is actually the same event that occurred in the first 403 Forbidden logged event.  Your Website/Server refused the first event and this event was logged again after the first request was processed and Forbidden.

    The third 403 Forbidden logged event is a second attempt made again and is the same as the first Forbidden logged event.

    The fourth 403 Forbidden logged event is actually the same event that occurred in the third 403 Forbidden logged event.

    The fifth 403 Forbidden logged event is either logged because this was a Spam bot that was Forbidden or a Comment Spam Bot was attempting to auto comment spam your website comment form and was Forbidden or maybe it was a legitimate request from Readability, but I doubt it is legitimate because of what is displayed in the User Agent parameters and also because the Host Name is amazonaws.com and not Readability.

    Summary

    It is actually safer to edit your root .htaccess file and edit the BPS Pro security filters as shown above and remove the square bracket coding characters from being blocked than it would be to create an .htaccess skip/bypass rule that allowed the facebook User Agent.
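
The diagnosis in the reply above can be reproduced offline. This added example, which is not part of the thread and is not BPS Pro code, parses entries in the http_error_log.txt layout and reports which tokens of the first QUERY_STRING filter each blocked request hit, before and after the edit. The function names and the sample log (addresses, hosts, URIs) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Tokens of the first QUERY_STRING RewriteCond in the post, before and after
# the edit. Apache tests the raw (not URL-decoded) query string; [NC] = re.I.
BEFORE = re.compile(r"\[|\]|\(|\)|<|>|%3c|%3e|%5b|%5d", re.I)
AFTER = re.compile(r"\(|\)|<|>|%3c|%3e", re.I)
HEADER = re.compile(r"^>+ (\d{3}) Error Logged \[(.+?)\] <+$", re.M)

# Constructed sample in the http_error_log.txt layout (hosts and URIs are
# made up; query strings are shortened).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 Error Logged [11/22/2012 9:49 PM] <<<<<<<<<<<
Host Name: crawler.example.net
REQUEST_URI: /product/card/?fb_action_types=og.likes&action_ref_map=%5B%5D
HTTP_USER_AGENT: facebookexternalhit/1.1

>>>>>>>>>>> 403 Error Logged [11/22/2012 9:49 PM] <<<<<<<<<<<
Host Name: dsl.example.org
REQUEST_URI: /product/card/?fb_action_types=og.likes&action_ref_map=[]
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20100101 Firefox/16.0

>>>>>>>>>>> 403 Error Logged [11/24/2012 10:12 AM] <<<<<<<<<<<
Host Name: vm.example.com
REQUEST_URI: /tag/sample/
HTTP_USER_AGENT: ExampleReader/1.0
"""

def parse_entries(text):
    """Split the log on its banner lines and return one dict per logged event."""
    parts = HEADER.split(text)[1:]          # [status, time, body, status, ...]
    entries = []
    for status, when, body in zip(parts[0::3], parts[1::3], parts[2::3]):
        fields = dict(re.findall(r"^([A-Za-z_ ]+): ?(.*)$", body, re.M))
        entries.append({"status": int(status), "time": when, **fields})
    return entries

def tokens_hit(uri, rule):
    """Return the filter tokens found in the raw query string of a request URI."""
    return sorted({m.lower() for m in rule.findall(urlsplit(uri).query)})

def explain(text):
    """For each 403 entry: (user agent, tokens hit before edit, tokens hit after)."""
    return [(e["HTTP_USER_AGENT"].split("/")[0],
             tokens_hit(e["REQUEST_URI"], BEFORE),
             tokens_hit(e["REQUEST_URI"], AFTER))
            for e in parse_entries(text) if e["status"] == 403]

if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
```

An entry that hits no token under either rule, like the third sample, was refused by something other than this filter, so editing the bracket tokens will not change its outcome.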
