BFHS blocks SOME users (IP's) from validating their Serial Key


This topic contains 1 reply, has 2 voices, and was last updated by  AITpro Admin 5 months, 2 weeks ago.

  • #34492

    Paul Mersel
    Participant

    Hi,

    I have customers validating their serial keys using Woocommerce Serial Key. While at first BPS blocked that process, a whitelist rule was created by yourselves and that fixed the issue.

    Sometimes however customers keep having problems. I found this in the log (xxx’s for privacy):

    
    [403 GET Request: 07/11/2017 - 1:01 AM]
    BPS: 2.8
    WP: 4.8.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 162.156.35.xxx
    Host Name: d162-156-35-xxx.bchsia.telus.net
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 162.156.35.xxx
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /?wc-api=validate_serial_key&serial=VWUVSA-XXXXX-49PSL2-4UXWAQ-YWHK7D-PTZAFH%20SBB%20CFF%20FFS%20Re%20620%20for%20TS2017%20(v4.0)&sku=2014-ENG-RE66-Platinum-V3.0&uuid=https://www.mersel.nl/
    QUERY_STRING: wc-api=validate_serial_key&serial=VWUVSA-XXXXXX-49PSL2-4UXWAQ-YWHK7D-PTZAFH%20SBB%20CFF%20FFS%20Re%20620%20for%20TS2017%20(v4.0)&sku=2014-ENG-RE66-Platinum-V3.0&uuid=https://www.mersel.nl/
    HTTP_USER_AGENT: NSIS_Inetc (Mozilla)
    
    

    This specific (Canadian) IP is getting blocked (Hacker/Spammer).

    Questions:

    1. Why is this (or some other specific IP) being blocked while 99% of the time there is no problem?
    2. How can I fix this?

    Thank you for your help.

    Paul Mersel

    #34494

    AITpro Admin
    Keymaster

    I see a couple of potential causes for a problem:  SERVER_PROTOCOL: HTTP/1.0 means that outdated Proxy/Load Balancer software is in use or the person with IP address: 162.156.35.xxx is using an old version of Proxy software or this could be a bad bot.  If you are using the HTTP/1.0 Server Protocol Bonus Custom Code here > https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/ it would block that user/request.

    The Query String has several whitespaces: %20 = whitespaces. So it is possible that this BPS Root htaccess security rule is blocking that request (unlikely, but still possible): RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
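
The two causes named in the reply can be checked offline against the logged request. The following is an added example, not part of the original thread or of BPS itself. It assumes the regex engine receives the RewriteCond pattern exactly as quoted and that `%{THE_REQUEST}` is the method, URI and protocol joined by spaces; the function names and the control URI are hypothetical.

```python
import re

# Pattern copied verbatim from the RewriteCond quoted in the reply.
# Assumption: it reaches the regex engine unchanged, so "\\s+" means a
# literal backslash followed by one or more "s" characters.
BPS_PATTERN = (r"(\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)"
               r"(http|https)(:/|/)")
RULE = re.compile(BPS_PATTERN, re.IGNORECASE)  # [NC] = case-insensitive


def build_request_line(method, uri, protocol):
    """Rebuild the string Apache exposes as %{THE_REQUEST}."""
    return f"{method} {uri} {protocol}"


def diagnose(method, uri, protocol):
    """Report which of the two causes from the reply apply to a request."""
    match = RULE.search(build_request_line(method, uri, protocol))
    return {
        # Cause 1: an HTTP/1.0 blocking rule would fire on this request.
        "http_1_0": protocol.upper() == "HTTP/1.0",
        # Cause 2: the substring that triggers the quoted rule, if any.
        "rule_match": match.group(0) if match else None,
    }


# Constructed from the REQUEST_URI field of the log entry in the first post.
LOGGED_URI = (
    "/?wc-api=validate_serial_key&serial=VWUVSA-XXXXX-49PSL2-4UXWAQ-YWHK7D-PTZAFH"
    "%20SBB%20CFF%20FFS%20Re%20620%20for%20TS2017%20(v4.0)"
    "&sku=2014-ENG-RE66-Platinum-V3.0&uuid=https://www.mersel.nl/"
)

# Constructed control input: "?" directly followed by %20 and a URL scheme,
# which is the shape the quoted rule is written to catch.
CONTROL_URI = "/?%20http://example.invalid/"

if __name__ == "__main__":
    print("logged :", diagnose("GET", LOGGED_URI, "HTTP/1.0"))
    print("control:", diagnose("GET", CONTROL_URI, "HTTP/1.1"))
```

Under these assumptions the logged request is flagged only for HTTP/1.0: the rule needs `?`, `*` or `%2a` immediately followed by `%20` and then `http`, and in the logged URI the `?` is followed by `wc-api=` while `https://` is preceded by `=`.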
