Jetpack SSO – unable to login, locked out

  • #33896
    AITpro Admin
    Keymaster

    Email Question:
    I’d be grateful if you could help with the issues I’m having logging into my WordPress account.

    I have a security feature in place where after three failed attempts it locks me out. I’m happy with this, but I’m typing in the correct username and password and it tells me it’s incorrect and doesn’t log me in. I’ve changed the file name with my hosting provider, logged in, then changed the file name back again, but it doesn’t work; it still does not allow me to log in.

    #33897
    AITpro Admin
    Keymaster

    I checked your website and you have Jetpack installed and are using Jetpack SSO for login security protection. I assume that BPS Login Security and Jetpack SSO login security cannot be used together since they are both doing the same or similar things. You will need to choose which login security protection you would like to use and turn off Login Security protection in the other plugin.

    #39529
    AITpro Admin
    Keymaster

    Email Question:

    I’ve run into another scenario. I have a site with Jetpack SSO enabled, and one of your forum resource pages mentions that BPS Pro cannot be used alongside Jetpack SSO since they both do the same thing. This post is from 2017 – is that still valid? I tried (a) disabling the LSM module and (b) adding the client’s IP address to the whitelist (PFW), but the problem persists.

    https://forum.ait-pro.com/forums/topic/jetpack-sso-unable-to-login-locked-out/

    On this site, I, as the admin, can successfully log in using Jetpack SSO. However, the client, using an author role account, is facing trouble (screenshot attached) and I see a similar security log record.

    [403 GET Request: November 4, 2020 - 9:46 pm]
    BPS Pro: 14.9
    WP: 5.5.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2222:2222:222:eee:eeee:e222:2e22:2222
    Host Name: 2222:2222:222:eee:eeee:e222:2e22:2222
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-admin/?redirect_to=https://example.com/wp-admin/&request_redirect_to=https://example.com/wp-admin/&calypso_env=production&jetpack-sso-auth-redirect=1
    QUERY_STRING: redirect_to=https://example.com/wp-admin/&request_redirect_to=https://example.com/wp-admin/&calypso_env=production&jetpack-sso-auth-redirect=1
    HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36

    Any suggestions to help a user log in with Jetpack SSO – just as the admin can?

    #39530
    AITpro Admin
    Keymaster

    This solution did not work – see the following forum reply below.

    Sent this possible solution > pending verification that it works.

    1. Copy the wp-admin Query String skip/bypass rule for the Jetpack SSO plugin into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES.
    2. Click the Save wp-admin Custom Code button. Note: If you see a 403 error or are unable to save this custom code due to ModSecurity being installed on your server, click the Encrypt Custom Code button first and then click the Save wp-admin Custom Code button.
    3. Go to the BPS Pro > Setup Wizard page > run the Pre-Installation Wizard and the Setup Wizard. Note: For BPS free just run the Setup Wizard.

    # Jetpack SSO wp-admin Query String skip/bypass rule
    # RewriteCond %{QUERY_STRING} (.*)jetpack-sso-auth-redirect(.*) [NC]
    # RewriteRule . - [S=2]

    #39536
    AITpro Admin
    Keymaster

    UPDATE: This working solution for Jetpack SSO has been added to the Setup Wizard AutoFix feature in BPS Pro 15 and BPS 4.4.

    The solution above did not work, but this solution below did work.

    1. Copy the modified wp-admin Query String Exploits code into this BPS wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    2. Click the Save wp-admin Custom Code button. Note: If you are unable to save the modified custom htaccess code due to ModSecurity blocking saving the custom htaccess code then click the Encrypt wp-admin Custom Code button first and then click the Save wp-admin Custom Code button.
    3. Go to the BPS Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard. For BPS free run the Setup Wizard.

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
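    To see why the logged request gets the WPADMIN-SBR 403 and why commenting out the three (http|https) rules fixes it without switching the other filters off, here is an added example (not BPS code) that re-runs a handful of the RewriteCond patterns from the post against the QUERY_STRING from the security log record above. The chosen rule subset, the two constructed probe strings and the use of Python's re module in place of Apache's PCRE are assumptions; the patterns themselves are copied from the post.

```python
"""Emulate a subset of the BPSQSE wp-admin query-string filters.

Added example for this thread, not BPS code: a few RewriteCond patterns from
the post are evaluated with Python's re module to show which of them fires on
the Jetpack SSO redirect query string, and that treating the three
(http|https) rules as commented out (the working solution) lets that request
through while the remaining filters still block real probes.  Only regex
syntax that behaves the same in PCRE and Python's re is used.
"""
import re

# Constructed sample: the QUERY_STRING from the security log record in the
# thread (host already redacted to example.com on the page).
JETPACK_SSO_QS = (
    "redirect_to=https://example.com/wp-admin/"
    "&request_redirect_to=https://example.com/wp-admin/"
    "&calypso_env=production&jetpack-sso-auth-redirect=1"
)
# Constructed samples of probes the remaining filters are meant to catch.
SQLI_PROBE_QS = "id=1%27%20union%20select%201"
TRAVERSAL_QS = "file=../../etc/passwd"

# (label, pattern copied from the post, [NC] flag present, enabled in the
# modified code).  The three rules with enabled=False are the ones the
# working solution comments out.
RULES = [
    ("param=http(s)://",  r"[a-zA-Z0-9_]=(http|https)://", True, False),
    ("param=/path//",     r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", True, False),
    ("http(s): anywhere", r"(http|https)\:", True, False),
    ("dot-dot traversal",
     r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/)",
     True, True),
    ("quote/angle/CRLF",  r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True, True),
    ("union select",      r"union([^s]*s)+elect", True, True),
    ("GLOBALS injection", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False, True),
]


def matching_rules(query_string, modified=False):
    """Labels of the rules whose RewriteCond would match, in rule order.

    modified=True evaluates the post's modified BPSQSE code, i.e. the three
    (http|https) rules are skipped as if commented out.
    """
    hits = []
    for label, pattern, nocase, enabled in RULES:
        if modified and not enabled:
            continue
        flags = re.IGNORECASE if nocase else 0  # [NC] == case-insensitive
        if re.search(pattern, query_string, flags):
            hits.append(label)
    return hits


def is_blocked(query_string, modified=False):
    """The conditions are chained with [OR] and end in RewriteRule ^(.*)$ - [F],
    so a single matching condition is a 403 (logged as WPADMIN-SBR)."""
    return bool(matching_rules(query_string, modified))


if __name__ == "__main__":
    samples = [("Jetpack SSO", JETPACK_SSO_QS),
               ("SQLi probe", SQLI_PROBE_QS),
               ("traversal", TRAVERSAL_QS)]
    for name, qs in samples:
        for modified in (False, True):
            verdict = "403" if is_blocked(qs, modified) else "pass"
            print(f"{name:12s} modified={modified!s:5s} -> {verdict:4s} "
                  f"{matching_rules(qs, modified)}")
```

    Running it shows that only the two `(http|https)` rules match the SSO query string (`redirect_to=https://...`); with those disabled the request passes, while the constructed SQL injection and traversal probes are still rejected by the filters that remain active. This is also a quick way to check any future WPADMIN-SBR log entry: paste its QUERY_STRING in and see exactly which filter fired before deciding whether a skip rule or a filter edit is the right fix.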