403 GET|HEAD Request Log Entries


  • This topic has 95 replies, 20 voices, and was last updated 3 months ago by x.
  • #26901
    AITpro Admin
    Keymaster

    @ MMBCB – I checked your site with Google Chrome Developer tools and did not see any 403 errors. SERVER_PROTOCOL: HTTP/1.0 usually means the Request was made by a spambot or spammer.

    #27021
    MMBCB
    Participant
    #27023
    AITpro Admin
    Keymaster

    I checked the forum link and posted a response.  Please provide the information requested in my response in that forum thread.

    #27971
    John Galt
    Participant

    [Topic has been merged into this relevant Topic]

    Over the last few days our subscribers have been reporting “403 Forbidden” errors when attempting to access our site. Today, after going through plugin settings and then running BPS Wizard, immediately the entire site became 403 Forbidden inaccessible to anyone, including site admins. We’ve already contacted our hosting company and requested server logs, which point to BPS Security plugin as the 403 issue. Below you will find a small snippet of hosting error reporting logs: (Note: I’ve removed the server configuration path from the hosting error log entries below, replacing the path with “……………………….”)

    Please advise and thank you in advance!

    ~~~~~~~~~~~~~~
    Hosting Error Log:
    ~~~~~~~~~~~~~~
    
    referer: http://www.estatetransformation.com/wx1g
    [Wed Jan 27 13:08:50 2016] [error] [client 82.85.14.105] client denied by server configuration: /home/...............................................wp-content/plugins/bulletproof-security/403.php
    ~~~~~~~~~~~~~~
    BPS Security Log: (just a few log entries from January 28th only)
    ~~~~~~~~~~~~~~
    
    [403 GET Request: January 28, 2016 - 4:40 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 24.140.10.215
    Host Name: cable-10-215.sssnet.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wccp-pro/watermark.php?type=dw&position=center-center&text=WATERMARKED&font_color=%23000000&r_text=estatetransformation.com&r_font_color=%23efefef&font_size_factor=90&r_font_size_factor=55&text_transparency=65&rotation=40&imagefilter=None&signature=This+image+is+protected&stamp=http://estatetransformation.com/wp-content/plugins/wccp-pro/images/testing-logo.png&src=/Images/template_mid_whitenb.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    
    [403 GET Request: January 28, 2016 - 4:50 am]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 70.106.227.243
    Host Name: pool-70-106-227-243.clppva.fios.verizon.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wccp-pro/watermark.php?type=dw&position=center-center&text=WATERMARKED&font_color=%23000000&r_text=estatetransformation.com&r_font_color=%23efefef&font_size_factor=90&r_font_size_factor=55&text_transparency=65&rotation=40&imagefilter=None&signature=This+image+is+protected&stamp=http://estatetransformation.com/wp-content/plugins/wccp-pro/images/testing-logo.png&src=/Images/template_top_favicon.png
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
    #27974
    AITpro Admin
    Keymaster

    Looks like a typical RFI hacker pattern that is being blocked by these root htaccess filters below.  Do these steps and let me know if the simulated RFI hacking attempt against your website is allowed and not blocked.  Note an additional whitelist rule may be required in the Primary RFI security filter as well if this does not work.

    1. Copy the modified BPS Query String Exploits below to this BPS Root Custom Code text box: CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS
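
Added example, not part of the original post and not BulletProof Security code: a small check of which `QUERY_STRING` conditions from the block above match the watermark.php request logged at 4:40 am, with the commented-out and the active conditions reported separately. The function names and the traversal-style test string are assumptions made for this illustration; the conditions are a subset copied from the post.

```python
import re

# QUERY_STRING conditions copied verbatim from the BPSQSE block in the post
# above (a subset), including the three lines that the post comments out.
HTACCESS = r"""
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
"""

# Query string of the request logged at 4:40 am (the part of REQUEST_URI after "?").
# mod_rewrite tests %{QUERY_STRING} without URL-decoding it, so it is kept raw.
LOGGED_QS = (
    "type=dw&position=center-center&text=WATERMARKED&font_color=%23000000"
    "&r_text=estatetransformation.com&r_font_color=%23efefef"
    "&font_size_factor=90&r_font_size_factor=55&text_transparency=65"
    "&rotation=40&imagefilter=None&signature=This+image+is+protected"
    "&stamp=http://estatetransformation.com/wp-content/plugins/wccp-pro"
    "/images/testing-logo.png&src=/Images/template_mid_whitenb.jpg"
)

# Constructed input: confirms the traversal conditions still fire after the edit.
TRAVERSAL_QS = "page=../../etc/passwd"


def parse_conditions(text):
    """Return (enabled, pattern, regex) for each QUERY_STRING RewriteCond line."""
    conds = []
    for line in text.splitlines():
        line = line.strip()
        enabled = not line.startswith("#")
        parts = line.lstrip("#").split()
        if len(parts) < 3 or parts[:2] != ["RewriteCond", "%{QUERY_STRING}"]:
            continue
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        # [NC] means case-insensitive; conditions without it are case-sensitive.
        regex = re.compile(parts[2], re.IGNORECASE if "NC" in flags else 0)
        conds.append((enabled, parts[2], regex))
    return conds


def matching(conds, query_string, enabled):
    """Patterns (active or commented out) that match; RewriteCond is unanchored."""
    return [pat for on, pat, rx in conds if on == enabled and rx.search(query_string)]


if __name__ == "__main__":
    conds = parse_conditions(HTACCESS)
    print("logged request, commented-out:", matching(conds, LOGGED_QS, False))
    print("logged request, still active: ", matching(conds, LOGGED_QS, True))
    print("traversal test, still active: ", matching(conds, TRAVERSAL_QS, True))
```

The commented-out conditions are disabled for every parameter on the site, not only for `stamp=`, so the same check is worth rerunning against other logged query strings before and after the change.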
    #31345
    Jen
    Participant

    [Topic has been merged into this relevant Topic]
    Hello,

    I keep getting BPS Security Log emails every 2 hours or so. “Total 403 GET Log Entries” for each email ranges from 900 – 1300. Is this normal? Or is there anything I need to do? Here is a part of the code:

    BPS SECURITY LOG
    =================
    =================
    
    [BEGIN Total # of Security Log Entries by Type:]
    Total 403 GET Request Log Entries: 1025
    [END Total # of Security Log Entries by Type:]
    
    [403 GET Request: Nov 10, 2016 - 3:07 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.210.97.205
    Host Name: ec2-54-210-97-205.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /65-gorgeous-fall-nail-art-designs-to-try-now/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.45 Safari/535.19
    
    [403 GET Request: Nov 10, 2016 - 3:07 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.85.191.35
    Host Name: ec2-54-85-191-35.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /best-arm-workouts-for-women
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    
    [403 GET Request: Nov 10, 2016 - 3:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.210.209.38
    Host Name: ec2-54-210-209-38.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /35-ways-to-rock-the-bomber-jacket-trend/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    
    [403 GET Request: Nov 10, 2016 - 3:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.165.24.101
    Host Name: ec2-54-165-24-101.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /65-gorgeous-fall-nail-art-designs-to-try-now/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
    
    [403 GET Request: Nov 10, 2016 - 3:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.210.97.205
    Host Name: ec2-54-210-97-205.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /65-gorgeous-fall-nail-art-designs-to-try-now/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.45 Safari/535.19
    
    [403 GET Request: Nov 10, 2016 - 3:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.210.101.142
    Host Name: ec2-54-210-101-142.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /best-arm-workouts-for-women
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
    
    #31348
    AITpro Admin
    Keymaster

    @ Jen – Post a link to your website so I can take a look at the frontend of your website for any obvious causes for this problem.

    #31356
    Jen
    Participant

    Thank you for the fast response!

    It’s [URL removed/deleted]

    #31357
    AITpro Admin
    Keymaster

    @ Jen – You are using Amazon CloudFront – Content Delivery Network (CDN) and also using W3TC on your website.  The Security Log 403 errors are for your Amazon CDN.  I believe the problem has to do with using the W3TC disk enhanced option.  Try switching that W3TC option to disk basic.  I believe those are the W3TC setting choices, but it has been several years since I checked or tested W3TC.   Also are you using any BPS Bonus Custom Code in BPS Custom Code?

    <!-- Performance optimized by W3 Total Cache. Learn more: https://www.w3-edge.com/products/
    
    Page Caching using disk: enhanced
    Content Delivery Network via cdn.lovika.com
    #31359
    Jen
    Participant

    Thanks so much for your response! Just changed it to “Disk: Basic” (I’ll keep you updated with the result)

    Quick question – I am not sure if this is a related issue. But when I google my site, the google result shows as cdn.mysite.com instead of www.mysite.com.

    Is it because of the same setting? I’m not sure if changing it to “Disk: Basic” will also resolve this prefix URL issue (showing as cdn. instead of www.), which I’ve been trying to solve for the last several weeks OR if it’s totally unrelated.

    Thank you again!

    #31361
    AITpro Admin
    Keymaster

    @ Jen – Unfortunately, I know very little about CDN’s and have not used one before, but I’m pretty sure that your website should be indexed in Google search results without the cdn subdomain.  I did this Google search:  “google search results show CDN subdomain” and found this link:  http://webmasters.stackexchange.com/questions/59018/remove-subdomains-from-google-index-and-stop-indexing-them  If you do not find the answer in that link then look around some more and see if you can find the answer.  Unfortunately, I can’t offer any other guesses.

    #31362
    Jen
    Participant

    Ok, Thank you so much again! (could you please remove the site URL – I wasn’t able to edit it)

    #31365
    Jen
    Participant

    Hi, I keep getting the log even though I switched to “Basic: Disk” – Not sure why this keeps happening. This time it shows “Total 403 GET Request Log Entries: 1219”. Here is a part of the code (looks similar to the previous one I provided).

    BPS SECURITY LOG
    =================
    =================
    
    [BEGIN Total # of Security Log Entries by Type:]
    Total 403 GET Request Log Entries: 1219
    [END Total # of Security Log Entries by Type:]
    
    [403 GET Request: Nov 11, 2016 - 1:07 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 52.90.73.229
    Host Name: ec2-52-90-73-229.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /65-gorgeous-fall-nail-art-designs-to-try-now/
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0
    
    [403 GET Request: Nov 11, 2016 - 1:07 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.210.101.148
    Host Name: ec2-54-210-101-148.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /best-arm-workouts-for-women
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    
    [403 GET Request: Nov 11, 2016 - 1:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.86.137.210
    Host Name: ec2-54-86-137-210.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /65-gorgeous-fall-nail-art-designs-to-try-now/
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    
    [403 GET Request: Nov 11, 2016 - 1:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.172.246.155
    Host Name: ec2-54-172-246-155.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /chanel-2016-fall-winter-handbags/
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0
    
    [403 GET Request: Nov 11, 2016 - 1:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.210.101.148
    Host Name: ec2-54-210-101-148.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /summer-white/
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3
    
    [403 GET Request: Nov 11, 2016 - 1:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.152.162.237
    Host Name: ec2-54-152-162-237.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /how-to-wear-slip-dress-trend/
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.45 Safari/535.19
    
    [403 GET Request: Nov 11, 2016 - 1:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.210.209.38
    Host Name: ec2-54-210-209-38.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /summer-white/
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3
    
    [403 GET Request: Nov 11, 2016 - 1:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.210.99.189
    Host Name: ec2-54-210-99-189.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /best-arm-workouts-for-women
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
    
    [403 GET Request: Nov 11, 2016 - 1:08 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 107.22.97.6
    Host Name: ec2-107-22-97-6.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /how-to-wear-slip-dress-trend/
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
    
    #31366
    AITpro Admin
    Keymaster

    @ Jen – Ok well it has something to do with your CDN since all of the Security Log entries are amazon log entries.  What I don’t know is why that is happening.  Lots of people use CDN’s with BPS and these 403 errors do not occur/are not logged for the amazon bot.  So either something is not set up correctly with your CDN, you have corrupt cache somewhere (probably on the CDN side), W3TC settings problem, another plugin is conflicting with things or last, but not least – even though these amazon bot log entries say they are GET Requests it is possible that they are really HEAD Requests, but due to something that is fubar with something the bot Requests look like GET Requests to BPS or they are fubar HEAD Requests failing as GET Requests.

    So the only suggestions I can make are these suggestions:
    Try whitelisting HEAD Requests by doing the steps below:
    1. Copy the REQUEST METHODS FILTERED .htaccess code below to the BPS Root Custom Code text box:  CUSTOM CODE REQUEST METHODS FILTERED
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    Or deactivate Root Folder BulletProof Mode and just use the standard default root htaccess file.
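
Added example, not part of the original posts and not BulletProof Security code: a parser for the Security Log layout pasted in this thread that reproduces the two triage checks made by hand above, namely grouping blocked requests by the reverse-DNS domain of the client and listing clients that spoke HTTP/1.0. The sample log is constructed (documentation-range addresses, made-up host names and URIs), and the function names are assumptions for this illustration.

```python
import re
from collections import Counter

# Constructed sample in the Security Log layout shown in this thread.
SAMPLE_LOG = """\
[BEGIN Total # of Security Log Entries by Type:]
Total 403 GET Request Log Entries: 4
[END Total # of Security Log Entries by Type:]

[403 GET Request: Nov 11, 2016 - 1:07 pm]
REMOTE_ADDR: 203.0.113.10
Host Name: ec2-203-0-113-10.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /sample-post-one/

[403 GET Request: Nov 11, 2016 - 1:07 pm]
REMOTE_ADDR: 203.0.113.11
Host Name: ec2-203-0-113-11.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /sample-post-two

[403 GET Request: Nov 11, 2016 - 1:08 pm]
REMOTE_ADDR: 203.0.113.10
Host Name: ec2-203-0-113-10.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /sample-post-one/

[403 GET Request: Nov 11, 2016 - 1:09 pm]
REMOTE_ADDR: 198.51.100.7
Host Name: host7.example.net
SERVER_PROTOCOL: HTTP/1.0
REQUEST_URI: /sample-post-one/
"""

# An entry starts with a line such as "[403 GET Request: Nov 11, 2016 - 1:07 pm]".
ENTRY_HEADER = re.compile(r"^\[(\d{3}) ([A-Z]+) Request: (.+)\]$")


def parse_entries(text):
    """Split a Security Log into one dict per entry; preamble lines are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = ENTRY_HEADER.match(line)
        if header:
            current = {"status": header.group(1), "method": header.group(2),
                       "when": header.group(3)}
            entries.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as URLs contain colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return entries


def parent_domain(host):
    """Last two DNS labels; naive (not public-suffix aware) but enough to group."""
    return ".".join(host.lower().split(".")[-2:]) if host else "(no host name)"


def summarize(entries):
    """Counts per client domain and URI, plus the clients that used HTTP/1.0."""
    return {
        "total": len(entries),
        "by_domain": Counter(parent_domain(e.get("Host Name", "")) for e in entries),
        "by_uri": Counter(e.get("REQUEST_URI", "") for e in entries),
        "http10_clients": sorted({e.get("REMOTE_ADDR", "?") for e in entries
                                  if e.get("SERVER_PROTOCOL") == "HTTP/1.0"}),
    }


if __name__ == "__main__":
    for name, value in summarize(parse_entries(SAMPLE_LOG)).items():
        print(name, value)
```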

    #33790
    Chris
    Participant

    Hello!

    We are two admins on a single WordPress website. My friend has set up Jetpack and connected it to his wordpress.com account to get statistics.

    Today, when I tried to connect to the admin through my own wordpress.com account I got an error message. (But afterwards I was able to connect by entering “myurl/wp-admin” as usual.)

    Of course there was an error log shown below.

    My question is: how can I ensure there will be no more errors like this one for me and my friend? (My friend hasn’t tested that yet but…)

    Thanks for your support!

    [403 GET Request: 5 aout 2017 - 13:30]
    BPS: 2.3
    WP: 4.8.1
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 90.14.xxx.xxx
    Host Name: ALyon-651-1-219-173.w90-14.abo.wanadoo.fr
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://wordpress.com/
    REQUEST_URI: /wp-admin/?redirect_to=http://myurl/wp-admin/&request_redirect_to&calypso_env=production&jetpack-sso-auth-redirect=1
    QUERY_STRING: redirect_to=http://myurl/wp-admin/&request_redirect_to&calypso_env=production&jetpack-sso-auth-redirect=1
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0