403 GET|HEAD Request Log Entries (BulletProof Security Pro forum)
Tagged: 403 error, CAPTCHA, captcha log entries
- This topic has 95 replies, 20 voices, and was last updated 10 months, 2 weeks ago by x.
AITpro Admin (Keymaster):
[Topic was manually moved/merged into this Topic]
Hi. New here. Please be gentle! I just got my first BPS log. I’m getting lots of 403s from seemingly innocent requests referred by Google. They are all requests for JPEGs. Can anyone explain why I’m getting these, and if it’s a good thing / by design? I am using an edited copy of the BPS hotlinking blocker, but I’m not sure if this is the cause.

[403 GET / HEAD Request: 25th April, 2014 - 1.08am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 211.253.60.18
Host Name: mail3.seoul.go.kr
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com/
REQUEST_URI: /wp-content/uploads/2011/09/f-stops2.gif
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

I also just noticed that some of the errors are from the web server itself...

[403 GET / HEAD Request: 25th April, 2014 - 8.12am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: A.B.C.D
Host Name: server.domain.com
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/uploads/2010/12/tree-explanada-alicante.jpg
QUERY_STRING:
HTTP_USER_AGENT: WordPress/3.9; http://mydomain.co.uk

Before you ask, here's my hotlinking blocking code ("mydomain" used as a placeholder for the real name):

# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# BLOCK HOTLINKING TO IMAGES
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.co\.uk [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
AITpro Admin (Keymaster): Replace the older Hotlink protection code with the newer Hotlink protection code here: http://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/
Manually physically check that your images are loading correctly by going to the image URL’s and viewing the images. The second log entry you posted shows that SERVER_PROTOCOL: HTTP/1.0 was used. If you are using the Brute Force protection code that blocks Server Protocol HTTP/1.0 then you may not be able to use that code on your particular website/server. Server Protocol HTTP/1.0 may be used in older Proxy software that you have installed on your particular server.
Keith (Participant): Thanks for the suggestion.
I still don’t understand what’s happening though. If I clear my browser’s cache, and google the image myself, I can see the preview and larger version fine in Google Images. So what’s happening to the other hosts?
AITpro Admin (Keymaster): Maybe your site is being scraped or something like that in the first log entry. The second log entry shows Server Protocol HTTP/1.0 which was phased out in 1999 – 15 years ago. The new Server Protocol is HTTP/1.1. If your server has an old Proxy software installed then it may be using the old Server protocol. Try using the newer Hotlink protection code and see what happens.
The general rule of thumb is if everything is actually working fine after checking things then you can assume that the log entries are being created because of some shady activity. Unfortunately the log entries cannot tell you exactly what that shady activity is. For example when someone is trying to scrape your website you will see your own domain name listed in the log entry. That is just the nature of scraping and mirroring.
Gary M. Gordon (Participant): [Topic merged into this relevant Topic]
k4-nagios.servint.net - BFHS - Blocked/Forbidden Hacker or Spammer
The below code appeared in my Security Log. I was just curious if you can tell what this is and if I need to be concerned. It indicates the host name is from k4-nagios.servint.net. My hosting company is Servint.net. I don’t have a plugin installed on my WordPress site for Nagios. I was curious if you could tell (from what I provided) if this is anything to be concerned about since it says “Hacker/Spammer”. What (if anything) might you recommend I do (or not do)?

[403 GET / HEAD Request: July 11, 2014 - 3:18 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 209.50.225.135
Host Name: k4-nagios.servint.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /
QUERY_STRING:
HTTP_USER_AGENT: check_http/v1.4.15 (nagios-plugins 1.4.15)
Thanks,
Gary

AITpro Admin (Keymaster): Nagios looks like a legitimate monitoring service. A logical guess would be that your Host has installed Nagios to monitor websites. If Nagios is making a HEAD Request then the Nagios bot will be blocked. I guess check with ServInt to see what they say.
Gary M. Gordon (Participant): Thanks for your clarification... oh wise one. 🙂
Gary

Terry Thornton (Participant): I am seeing some 403 errors in the log and I am seeing the 403 Forbidden page even though I am logged into the site as admin. See below. This example was generated when I tried to trash a comment in my forum. The REMOTE_ADDR: 71.236.214.5 value is my IP.

[403 GET / HEAD Request: July 31, 2014 - 12:45]
Event Code: WPADMIN-SBR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 71.236.214.5
Host Name: c-71-236-214-5.hsd1.or.comcast.net
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.cleanreach.com/wp-admin/edit.php?post_type=reply
REQUEST_URI: /wp-admin/post.php?post=1926&action=trash&_wpnonce=55f6b6b491&_wp_http_referer=http://www.cleanreach.com/wp-admin/edit.php?post_type=reply
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
AITpro Admin (Keymaster): The solution is here: http://forum.ait-pro.com/forums/topic/bbpress-sending-a-topic-to-trash-gives-403/#post-6442 You need to add a wp-admin skip/bypass rule for the post.php file.
Terry Thornton (Participant): Now that I have your attention 🙂 I am seeing some other possible false blocks. The REMOTE_ADDR: 162.251.84.188 is my site’s IP.

[403 GET / HEAD Request: July 31, 2014 - 11:47]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 162.251.84.188
Host Name: vps.cleanreach.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: http://www.cleanreach.com
REQUEST_URI: /?p=1799
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
AITpro Admin (Keymaster): When I use the shortlink I am redirected to your /forums/forum/general/ page without seeing any errors.
/?p=1799 is the shortlink for your /forums/forum/general/ page.
Guillermo (Participant): Hello,
One of my sites is getting bombarded by this brute force attack at a rate of about 50-60 attempts per minute for the past 8 hours. I know the logs mean that the plugin is working, but is there anything else I can do other than just watch them keep trying? I added a deny entry to my htaccess file with the IP below (it is not changing).
50-60 ATTEMPTS PER MINUTE FOR OVER 8 HOURS!!!

[403 GET / HEAD Request: October 23, 2014 - 5:40 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 189.28.177.50
Host Name: ns1.lancaperfume.com.br
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 189.28.177.50
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT:
AITpro Admin (Keymaster): The Security Log is a plain text file that requires an insignificant amount of website/server resources to log attacks. Blocking and logging attacks does not slow down your website since your WordPress database is not involved and database Queries are not being used. WordPress database queries are expensive and will slow down a website if excessive queries are being made. 50-60 attacks per minute is a bit high, but is nowhere near a DoS/DDoS attack so you should not be seeing any slowness whatsoever due to these attacks.
BPS is doing its job so you do not need to do anything else. FYI – by denying/blocking IP addresses you will see those blocked IP addresses in your BPS Security Log. The thing to remember is the Security Log is just a plain text log file just like your Host Server’s log file that logs activity. The log is just logging things.
Marty (Participant): Whenever I create a post designed to generate traffic from the site of the post to my primary site I get thousands of the following BPS error log entries:
The abc.com site is the site containing the post which has only links to the primary site. This error log entry is from the primary site. Is BPS blocking this inbound traffic which we desperately want because there is absolutely no reason for it to be doing so? I would whitelist the posting sites we use but there are hundreds of subdomains. Is there any acceptable use of a wildcard in this situation, e.g. http://*.abc.com?

>>>>>>>>>>> 403 GET or Other Request Error Logged – November 7, 2014 9:36 pm <<<<<<<<<<<
REMOTE_ADDR: 198.101.10.154
Host Name: 198.101.10.154
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /quantum-super-food/
QUERY_STRING:
HTTP_USER_AGENT: WordPress/3.8.3; http:/abc.com
AITpro Admin (Keymaster): I see that the Server Protocol is HTTP/1.0 which is normally used by hackers and spammers since it allows them to do things that they cannot do with the new Server Protocol HTTP/1.1 which was started back in 1999 – 15 years ago. So I think that should be looked at first. If your server is using outdated Proxy software then that may be where the old Server Protocol is coming from, or this may just be a typical blocked hacker, spammer, scraper, miner, bad bot, etc etc etc. We get around 500,000 blocked hackers/spammers logged in our Security Log file per month and this is just what is nowadays on the Internet. I see that IP Address 198.101.10.154 is in the CIDR block for CLOUD-SOUTH – Cloud South,US: http://whois.domaintools.com/198.101.10.154 Is this your server’s IP address?
It may be that there is not really any sort of problem going on and just the normal stuff is being blocked. I don’t have enough information to make that kind of assessment. If you do not want to post your domain name in the forum then send it to info at ait-pro dot com and we will check your website to see if there are any problems.
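As an added example that is not part of this thread and not BPS code: a small Python triage script for entries in the Security Log format quoted throughout the thread. It parses the field list and flags the situations the admin walks through above (HTTP/1.0 requests, your own server or domain turning up, a search engine referer to an image caught by a hotlink rule, a Nagios check_http monitor, and empty User-Agent hits on wp-login.php). The log text, hostnames and IPs are constructed placeholders; `example.com` and `198.51.100.9` stand in for your own domain and server IP.

```python
import re

# Field names of a BPS 403 Security Log entry, in the order they appear
FIELDS = ["Event Code", "Solution", "REMOTE_ADDR", "Host Name", "SERVER_PROTOCOL",
          "HTTP_CLIENT_IP", "HTTP_FORWARDED", "HTTP_X_FORWARDED_FOR",
          "HTTP_X_CLUSTER_CLIENT_IP", "REQUEST_METHOD", "HTTP_REFERER",
          "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT"]
_NAMES = "|".join(re.escape(f) for f in FIELDS)
# A value may be empty, so each value runs until the next field name (or end of entry)
_FIELD_RE = re.compile(rf"({_NAMES}): ?(.*?)(?=\s*(?:{_NAMES}):|\Z)", re.S)
_HEAD_RE = re.compile(r"\[403 GET / HEAD Request: (.*?)\]")

# Constructed sample log (placeholder addresses), mirroring the cases in the thread
SAMPLE_LOG = """
[403 GET / HEAD Request: April 25, 2014 - 1:08 am] Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A - Hacker/Spammer Blocked/Forbidden REMOTE_ADDR: 203.0.113.7 Host Name: mail.example.org SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: https://www.google.com/ REQUEST_URI: /wp-content/uploads/2011/09/f-stops2.gif QUERY_STRING: HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1) Chrome/34.0
[403 GET / HEAD Request: April 25, 2014 - 8:12 am] Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A REMOTE_ADDR: 198.51.100.9 Host Name: server.example.com SERVER_PROTOCOL: HTTP/1.0 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-content/uploads/2010/12/tree.jpg QUERY_STRING: HTTP_USER_AGENT: WordPress/3.9; http://example.com
[403 GET / HEAD Request: July 11, 2014 - 3:18 pm] Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A REMOTE_ADDR: 192.0.2.44 Host Name: monitor.hosting.example SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: / QUERY_STRING: HTTP_USER_AGENT: check_http/v1.4.15 (nagios-plugins 1.4.15)
[403 GET / HEAD Request: October 23, 2014 - 5:40 am] Event Code: BFHS - Blocked/Forbidden Hacker or Spammer Solution: N/A REMOTE_ADDR: 192.0.2.99 Host Name: ns1.attacker.example SERVER_PROTOCOL: HTTP/1.1 HTTP_CLIENT_IP: HTTP_FORWARDED: HTTP_X_FORWARDED_FOR: 192.0.2.99 HTTP_X_CLUSTER_CLIENT_IP: REQUEST_METHOD: GET HTTP_REFERER: REQUEST_URI: /wp-login.php QUERY_STRING: HTTP_USER_AGENT:
"""

def parse_log(text):
    """Split a log dump into entries and return one dict of fields per entry."""
    parts = _HEAD_RE.split(text)          # [prefix, ts1, body1, ts2, body2, ...]
    entries = []
    for ts, body in zip(parts[1::2], parts[2::2]):
        entry = {k: v.strip() for k, v in _FIELD_RE.findall(body)}
        entry["timestamp"] = ts
        entries.append(entry)
    return entries

def triage(entry, site_host, site_ip):
    """Reasons an entry may be a false block, following the advice in this thread."""
    notes = []
    ref, ua, uri = (entry.get(k, "") for k in ("HTTP_REFERER", "HTTP_USER_AGENT", "REQUEST_URI"))
    if entry.get("SERVER_PROTOCOL") == "HTTP/1.0":
        notes.append("HTTP/1.0: check for old proxy software before blaming a hacker")
    if entry.get("REMOTE_ADDR") == site_ip or site_host in ua:
        notes.append("own server/domain: WordPress self-request or site being scraped")
    if re.search(r"\.(jpe?g|gif|bmp|png)$", uri, re.I) and \
            re.search(r"^https?://(www\.)?(google|bing|yahoo)\.", ref):
        notes.append("search engine referer to an image: hotlink rule false positive")
    if ua.startswith("check_http/"):
        notes.append("Nagios check_http: likely the host's uptime monitor")
    if uri.startswith("/wp-login.php") and not ua:
        notes.append("wp-login.php with no User-Agent: brute force bot, block is correct")
    return notes

def triage_log(text, site_host, site_ip):
    return [(e["timestamp"], triage(e, site_host, site_ip)) for e in parse_log(text)]
```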