Security Log – Security Log 403 Errors


This topic contains 7 replies, has 3 voices, and was last updated by AITpro Admin 3 months, 2 weeks ago.

    #1662
    AITpro Admin
    Keymaster

    Email Question:

    Hello there.

    I use BulletProof Security free version and was wondering if you offer paid support? I am getting a lot of 403 errors in my Security Log and don’t really understand what they are and would really love some help.

    Thanks!

    Ramsay

    #1663
    AITpro Admin
    Keymaster

    BulletProof Security free version support is free.  This link below contains general troubleshooting information about the BulletProof Security Pro Security Log, but also contains general help information that applies to the BulletProof Security free Security Log and errors/log entries.

    http://forum.ait-pro.com/forums/topic/security-log-http-error-log-read-me-first/

    If you want to post some of your Security Log entries here then ONLY post 1 of each type of error.  Please do not post the same/duplicated 403 error. 

    We get on average 1,500 logged 403 log entries per day.  Some of those are hacking attempts, some are hacker recons, some are spammers, some are spambots, etc etc etc.  We do not spend a whole lot of time looking at the log entries and only skim through it daily looking for any new hacking methods.  The general idea is that you should use the Security Log / HTTP Error log for troubleshooting any plugin or other coding issues/problems and then just ignore all the blocked/Forbidden hacking attempts, spambots, etc etc etc.  Thanks.

    • This reply was modified 3 months, 2 weeks ago by AITpro Admin.
    #1674
    Jeff
    Member

    I have the opposite problem.  Prior to a recent update, my log file had maybe 20 entries a day. After the update I haven’t had an entry since 1/31/13. I can’t imagine that’s accurate. I am sure that I have done something wrong, but I don’t know what.  I have read the various resources, but I am just not knowledgeable enough to follow/understand what I should be doing to test my installation of BPS on my WordPress site.  Is there a really clear step-by-step process that I can follow?  Thanks so much!

    #1677
    AITpro Admin
    Keymaster

    Do you have BPS free or BPS Pro?

    #1693

    I’m having a similar issue with BPS Free … from what I’m seeing, it seems to be completely 403 errors, most of them look like they’re on old posts from crawlers, Facebook, or Amazon URLs (no idea why Amazon would be on there).
    So what you’re saying is that most of these 403s are nothing to worry about?  My log file seems to be getting up to around 500k every three or four days now.
     
    sample error:

    >>>>>>>>>>> 403 Error Logged - February 1, 2013 - 10:48 am <<<<<<<<<<<
    REMOTE_ADDR: 184.169.203.101
    Host Name: ec2-184-169-203-101.us-west-1.compute.amazonaws.com
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 10.197.26.50, 10.164.21.113
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /2013/02/01/hiking-temescal-canyon-to-skull-rock/
    QUERY_STRING:
    HTTP_USER_AGENT: UnwindFetchor/1.0 (+http://www.gnip.com/)
    • This reply was modified 3 months, 2 weeks ago by AITpro Admin.
    #1694
    AITpro Admin
    Keymaster

    There are many different types of events that can be logged.  The events that you should be primarily concerned with are any HTTP errors that would indicate that something legitimate like a plugin script is being blocked by BPS on your website.  

    This is the approach I take.  Let’s say I installed a new plugin on my website and I want to make sure BPS is not blocking anything about this new plugin.  I would check the Security Log / HTTP Error log for a few days to ensure there are not any issues or problems occurring with that plugin.  

    For all the other 10,000,000 hacking attempts/spambot sniffing/etc etc etc log entries that are logged during that period I completely ignore them unless a hacker is doing some new form of hacking attempt.  Most hacking attempts are the same old method over and over and over again, but from different hacker sites or victim sites.  

    I have created a script that allows me to search and delete everything in the Security Log that is old / done before / seen it a million times before and what the script leaves me with is any new hacking methods.  This allows me to delete 9,999,999 repeated old/known hacking attempts / methods and I am left with just any new form of hacking attempt method.  If I did not use this automated script then I would be wasting hours every day looking at that crap.

    Your particular log entry appears to be the UnwindFetchor Bot making a HEAD Request on your site – HEAD Requests are Blocked/Forbidden by default by BPS unless you want to allow this.

    BUT

    what you have to keep in mind is that IP addresses, host names and User Agents can all be faked.  So maybe it really was not the UnwindFetchor Bot or maybe it was.  ;)

    And it seems that a lot of folks think that they need to do something about blocked hacking attempts or blocked Bot sniffing.  If they are blocked then the problem is already solved.  The log file should be used to check for any problems.  Other than that you can completely ignore all the blocked hacking attempts, etc.  BPS is doing its job and the log file will continue to log that.

    • This reply was modified 3 months, 2 weeks ago by AITpro Admin.
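
The repeated-entry filtering described in the reply above, sketched as an added example; it is not AITpro's script or BulletProof Security code. The function names, the choice of signature fields and every sample value except the first entry's date and URI are assumptions made for illustration.

```python
import re
from collections import Counter

# Entry layout as in the sample quoted in this thread (header line, then KEY: value).
HEADER = re.compile(r"^>+\s*(?P<status>\d{3}) Error Logged - (?P<when>.+?)\s*<+$")
FIELD = re.compile(r"^(?P<key>[A-Za-z_ ]+):\s*(?P<value>.*)$")

def parse_entries(text):
    """Split raw Security Log text into one dict per logged entry."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if (header := HEADER.match(line)):
            entries.append({"status": header["status"], "when": header["when"]})
        elif entries and (field := FIELD.match(line)):
            entries[-1][field["key"]] = field["value"].strip()
    return entries

def signature(entry):
    """What was requested, not who asked (address, host and user agent can be faked)."""
    parts = (entry.get(k, "") for k in ("REQUEST_METHOD", "REQUEST_URI", "QUERY_STRING"))
    return (entry["status"], *(re.sub(r"\d+", "N", p) for p in parts))

def new_patterns(text, known):
    """Count entries per signature; return only signatures absent from `known`."""
    counts = Counter(signature(e) for e in parse_entries(text))
    return {sig: n for sig, n in counts.items() if sig not in known}

# Constructed sample (layout from the thread's entry; addresses and plugin path made up).
SAMPLE_LOG = """
>>>>>>>>>>> 403 Error Logged - February 1, 2013 - 10:48 am <<<<<<<<<<<
REMOTE_ADDR: 192.0.2.10
REQUEST_METHOD: GET
REQUEST_URI: /2013/02/01/hiking-temescal-canyon-to-skull-rock/
QUERY_STRING:
>>>>>>>>>>> 403 Error Logged - February 2, 2013 - 9:15 am <<<<<<<<<<<
REMOTE_ADDR: 203.0.113.7
REQUEST_METHOD: GET
REQUEST_URI: /2013/02/01/hiking-temescal-canyon-to-skull-rock/
QUERY_STRING:
>>>>>>>>>>> 403 Error Logged - February 2, 2013 - 9:20 am <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.23
REQUEST_METHOD: POST
REQUEST_URI: /wp-content/plugins/example-plugin/save.php
QUERY_STRING: item=42
"""

KNOWN = {("403", "GET", "/N/N/N/hiking-temescal-canyon-to-skull-rock/", "")}
print(new_patterns(SAMPLE_LOG, KNOWN))
```

With the blocked crawler fetch listed in `KNOWN`, the only pattern left for review is the blocked request to the hypothetical plugin script, which is the kind of entry the reply says the log should be checked for.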
    #1708
    Jeff
    Member

    I have the free version.  I’m sorry, did I post in the wrong place?
     

    #1716
    AITpro Admin
    Keymaster

    Nope you posted in the correct Forum, but from the details of your question I was not sure if you had the Pro version or the Free version and the answer would be different depending on which version you have.  Since your question is actually a new / different question I have created a new Topic here:

    http://forum.ait-pro.com/forums/topic/security-log-no-log-entries-security-log-is-not-logging-errors/

    Please reply to the questions in the new Forum Topic link above.  Thanks.
