403 GET|HEAD Request Log Entries


Viewing 15 posts - 46 through 60 (of 95 total)
  • #19004
    Marty
    Participant

    Here is an example website:  tertius.opnutrition.net.  You correctly identified my dedicated server as being a Cloud South server which uses Server Protocol HTTP/1.1.  You might be right that it is just performing its function properly and blocking spam but the numbers are just so high (tens of thousands per day).  If there is anything else you can suggest that I check I will appreciate it very much - also, if you have a suggestion for subdomain wildcard whitelisting.  Thanks!

    #19006
    AITpro Admin
    Keymaster

    This site definitely has some URL/permalink issues/problems, which appears to either be the root cause of any/all problems or something that needs to be fixed before moving forward with anything else. So what you want to do is look at these things:

    Go to your WordPress Settings page and make sure you have a valid permalink structure.
    I am not familiar with Network/Multisite subdomain sites and I assume you have a Network/Multisite subdomain installation and are using wildcards so I cannot offer much help or suggestions with that. Not really sure where would be the best place to look for help regarding a Network/Multisite subdomain installation, but probably the wordpress.org forum is your best bet.

    Note: This forum website is a single standard WordPress installation and it is a typical subdomain site where a DNS A record has been created for this forum site and that record points to this forum site’s installation folder name /forum/.

    #19014
    Marty
    Participant

    Yes, I see that now, thanks for pointing it out.  Definitely something I need to correct in the httpd.config file.  However, that is really not the issue I am trying to understand.  The error log is to our primary site https://opnutrition.com to which all the ancillary/supporting sites (such as the aforementioned tertius.opnutrition.net) point.  What doesn’t make sense is that I am getting all these 403 errors only when we do posts on the supporting sites which point to primary site https://opnutrition.com.  By the way, I really appreciate your assistance with this matter.

    #19020
    AITpro Admin
    Keymaster

    Yes I understand that, but let me give you an analogy so that you can see why it would not be smart to look at whatever that problem is before fixing the bigger problem that I saw, which is probably the root cause or related to the 403 errors.  Let’s say you are in a boat and the boat is sinking because it has a hole in it.  One of the oars is not working correctly.  You would not want to spend time fixing the oar and would instead want to patch the hole in the boat first.  I believe that your subdomain site is not set up correctly.  I could be wrong, but that is what it looks like to me.  So you should fix that first.

    #19037
    Marty
    Participant

    Ok, I corrected the httpd.conf which was just a temporary oversight when I reconfigured the server.  The 403 error logs were coming in before the permalink problem and are still coming now that it has been fixed.  As soon as I did a post, the error log arrived.  The problem was not being caused by the permalink mistake.

    #19041
    AITpro Admin
    Keymaster

    Ok I see that your Permalinks/URLs are now working correctly instead of being completely broken like they were before.  So that is good progress.  It looks like you are using the Default links instead of using Custom Permalinks, i.e. ?p=50, which of course you do not want to use. Either select Post Name or enter the Custom Permalink structure tag like: /%postname%/ or use one of the other Custom Permalink structures.  Now what type of WordPress site is this?  Is it a Network/Multisite subdomain installation?

    #19042
    Marty
    Participant

    The opnutrition.com site, the one generating the huge error logs, is single site – no subdomains.  It is on a GoDaddy server.

    #19043
    AITpro Admin
    Keymaster

    The tertius subdomain site appears to be set up correctly:

    [host] => tertius.opnutrition.net
    [class] => IN
    [ttl] => 30
    [type] => A
    [ip] => 108.162.194.43

    At this point I do not know if the log entries are all blocked hackers and spammers etc. so the current issue is that you do not want to have any log entries from the subdomain site logged in the main site’s Security Log. You would prevent that from happening by creating a RewriteRule in the main site’s root htaccess file. See this forum topic for the hierarchical structure (parent to child) of multiple sites under a hosting account and how to do what you want to do:  http://forum.ait-pro.com/forums/topic/htaccess-files-for-multiple-website-domains/

    #19044
    AITpro Admin
    Keymaster

    And just a reminder we get around 500,000 blocked hackers and spammers logged per month on average so that would be around 16,600+ per day.

    #19129
    guy te watson
    Participant

    [Forum Topic merged into this relevant Topic]

    One other question.  How do I whitelist the server my domain is on and my own computer that I work on from generating security warnings when it is me working on the server that is generating the warning?  Some logs showing this are below. How do I whitelist my computer’s IP address from getting blocked/locked by the login security and the server IP activities I do?

    [403 GET / HEAD Request: November 14, 2014 7:07 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 198.57.216.13
    Host Name: hol.holpen.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /sanmonlafl-re-demos/register-today-to-see-a-full-reputation-marketing-review-video-done-for-you/
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/4.0; http://demos.webyellowpages.tv
    
    [403 GET / HEAD Request: November 14, 2014 7:10 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 198.57.216.13
    Host Name: hol.holpen.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2014/10/Demo-Not-For-Public-Use-3.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/4.0; http://demos.webyellowpages.tv
    
    [403 GET / HEAD Request: November 14, 2014 7:10 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 198.57.216.13
    Host Name: hol.holpen.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /sanmonlafl-re-demos/register-today-to-see-a-full-reputation-marketing-review-video-done-for-you/
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/4.0; http://demos.webyellowpages.tv
    
    [403 GET / HEAD Request: November 14, 2014 7:10 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 198.57.216.13
    Host Name: hol.holpen.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2014/10/Demo-Not-For-Public-Use-3.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: WordPress/4.0; http://demos.webyellowpages.tv

    #19136
    AITpro Admin
    Keymaster

    @ guy te watson – I believe these are just nuisance errors that you can disregard.  Check that everything is working correctly.  If everything is working correctly then you do not need to do anything.  The only unusual thing that I see is that the Server Protocol in the Security Log entries is HTTP/1.0 which is outdated and was phased out 15 years ago in 1999.  The new Server Protocol as of 1999 – 15 years ago is HTTP/1.1.

    #19357
    Krzysztof
    Participant

    Each time I upload a photo or a post I get something like this in my log:

    [403 GET / HEAD Request: 25/11/2014 - 16:46]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 185.5.98.32
    Host Name: vz13304.dahost.pl
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-content/uploads/2014/11/WIZ_100-00-lotow-w-ciagu-12-miesiecy.jpg
    QUERY_STRING: 
    HTTP_USER_AGENT: WordPress/4.0.1; https://www.infolotnicze.pl
    

    This is my server treated as spammer – my server IP and WordPress. How to fix this? Everything works ok and displays ok but still – an error is an error.
    I also get tons of things like this:

    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 25/11/2014 - 06:01]
    Whitelist Rule: 
    
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 25/11/2014 - 06:30]
    Whitelist Rule: 
    
    [Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created: 25/11/2014 - 06:50]
    Whitelist Rule:

    There are no new plugins or any changes on the site. No one was even logged in at that time.

    #19363
    AITpro Admin
    Keymaster

    If you are successfully able to upload a photo or create a post then you can just ignore these log entries and consider them as just nuisance log entries.  The only unusual thing that I see is that you are using an outdated Server Protocol HTTP/1.0, which is not a big deal, but probably has something to do with these log entries.

    The Plugin Firewall AutoPilot Mode New Whitelist Rule(s) Created log entries issue has been fixed in BPS Pro 9.9, which will be released in around 6 days. You can ignore these log entries for now.  See the link below for more info.

    http://forum.ait-pro.com/forums/topic/firewall-autopilot-mode-new-whitelist-rules/#post-19322
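    The log entries quoted in this thread (the BFHS entries from guy te watson and Krzysztof) all share the same layout: a bracketed header followed by Key: Value lines. The following script is an added example, not part of BPS Pro or of any post here; it parses that layout and separates the "site fetching its own uploads" nuisance case from login probes worth a look. The sample log is constructed (the first entry mirrors Krzysztof's values, the second uses a documentation IP), and `own_hosts` / `own_ips` are assumed inputs you supply for your own site.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the BPS Pro Security Log layout quoted in this thread:
# the site's own WordPress fetching an upload, then a login probe (203.0.113.7
# is a documentation address). Not the posters' real logs.
SAMPLE_LOG = """\
[403 GET / HEAD Request: 25/11/2014 - 16:46]
REMOTE_ADDR: 185.5.98.32
Host Name: vz13304.dahost.pl
SERVER_PROTOCOL: HTTP/1.0
HTTP_X_FORWARDED_FOR:
REQUEST_METHOD: GET
REQUEST_URI: /wp-content/uploads/2014/11/photo.jpg
HTTP_USER_AGENT: WordPress/4.0.1; https://www.infolotnicze.pl

[403 GET / HEAD Request: 25/11/2014 - 16:50]
REMOTE_ADDR: 203.0.113.7
REQUEST_METHOD: POST
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
"""

HEADER = re.compile(r"^\[(?P<kind>[^:\]]+): (?P<when>[^\]]+)\]$")
WP_UA = re.compile(r"^WordPress/[\d.]+; (?P<url>https?://\S+)$")

def parse_entries(text):
    """One dict per bracketed header holding its Key: Value lines (empty values kept)."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"kind": header["kind"], "when": header["when"]}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries

def classify(entry, own_hosts, own_ips):
    # A WordPress UA is self-reported; only REMOTE_ADDR ties the request to your server.
    ua = WP_UA.match(entry.get("HTTP_USER_AGENT", ""))
    if ua and urlparse(ua["url"]).hostname in own_hosts:
        return "self-wordpress" if entry.get("REMOTE_ADDR") in own_ips else "spoofed-wp-ua"
    if entry.get("REQUEST_URI", "").startswith("/wp-login.php"):
        return "login-probe"
    return "review"

def triage(text, own_hosts, own_ips):
    """Count entries per label so recurring nuisance entries stand out from probes."""
    return Counter(classify(e, own_hosts, own_ips) for e in parse_entries(text))
```

Feed it a full exported Security Log and the counter shows how much of the volume is your own server's WordPress requests versus entries that deserve review.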

    #22374
    jenni101
    Participant

    [Topic has been merged into this relevant Topic]

    Can I just check what I can add from the below log file in order to stop logging this spam bot (from the HTTP_USER_AGENT)?

    I’ve been getting heaps from this one, but I’m not sure which bit from the user agent I should add to stop logging it. I googled some of the parts like WOW64, and it didn’t seem to be related to anything malicious. Or can I input their IP to stop logging them? Would appreciate your advice – many thanks.

    [xxxxxxxx Form - POST Request Logged: xxxxxxxxxx]
    CAPTCHA Entered: size=
    BOT/HUMAN: Confirmed SpamBot - Bot Trap Value Entered: style=
    REMOTE_ADDR: 82.196.92.244
    Host Name: 82.196.92.244
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: POST
    HTTP_REFERER:
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

    #22426
    AITpro Admin
    Keymaster

    This is a blocked spambot or hackerbot and that is what the Security Log is for – to log blocked hackers and spammers.  The Security Log is automatically zipped and emailed to you and replaced with a new Security Log when it reaches 500KB in size.  So you do not need to do anything.
