Direct Cron Job blocked – 403 error, wysija newsletters, MailPoet


Viewing 15 posts - 1 through 15 (of 22 total)
  • #19139
    Schneider
    Participant

    Hi,

    BPS pro is currently blocking running a cron job on my own server when it comes from an IPv6 address.

    [403 GET / HEAD Request: 14. November 2014 - 14:30]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 2600:xxxx::f03c:91ff:yyyy:bde4
    Host Name: 2600:xxxx::f03c:91ff:yyyy:bde4

    I have now disabled IPv6 and manually triggering the cron job does not produce the above error. But doing so with IPv6 enabled results in the blocking action. Does BPS Pro support IPv6 and if so how can I prevent this block?

    Best
    Alex

    #19144
    AITpro Admin
    Keymaster

    Please post the entire Security Log entry.  If you do not want to display your Server name or ip address then use x’s in place of actual domain names and ip addresses.

    #19145
    Schneider
    Participant

    Ok, here is the complete log – I have cloaked the IP and the url a bit:

    [403 GET / HEAD Request: 14. November 2014 - 16:25]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 2600:1234::f03c:91ff:1234:bde4
    Host Name: 2600:1234::f03c:91ff:1234:bde4
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-cron.php?1234567890987654321&action=wysija_cron&process=all&silent=1
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0

    #19148
    AITpro Admin
    Keymaster

    IPv4 and IPv6 IP addresses are handled the same so that is just some sort of coincidental thing and is not related to the root cause directly.  It may be some indirect thing caused by the direct cron itself.  Typically the things that are blocked in direct Cron jobs are:  wget or HEAD Requests.

    UPDATE 3-9-2015 – the confirmed working solution is here:  http://forum.ait-pro.com/forums/topic/blocking-of-my-own-ipv6-server-address/#post-19161

    [troubleshooting steps removed – a working solution is in the link above]

    #19149
    Schneider
    Participant

    Hmm, now that I rechecked my cron job I think BPS is perfectly right. Here is the URL from the cron-job:  http://my.domain/wp-cron.php?1234567890987654321&action=wysija_cron&process=all

    The funky thing is that the id after the ‘?’ is identical to the one in my cron job. The only difference is the ‘silent=1’ part. The full IPv6 ip is 2600:3c03::f03c:91ff:fe6e:bde4. This is from looking up that IP:

    DNS Traversal

    Action        Host                                         Zone
    Starting at   b.root-servers.net. [2001:500:84::b]         .
    Referred to   b.ip6-servers.arpa. [2001:500:86::86]        ip6.arpa
    Referred to   sec1.apnic.net. [2001:dc0:2001:a:4608::59]   0.6.2.ip6.arpa
    Referred to   ns1.linode.com. [2600:3c00::a]               3.0.c.3.0.0.6.2.ip6.arpa

    DNS Results

    ns1.linode.com. [2600:3c00::a] says:

    Name  Type  TTL  Value
    No name server returned any records for this request.

    I am worried now – maybe someone broke into my system?

    #19151
    AITpro Admin
    Keymaster

    wysija newsletters / MailPoet did have a major security vulnerability a while back, but if you have upgraded to a current version then those security vulnerabilities no longer exist / have been fixed.  I don’t see anything that indicates that your system was broken into.  I will scan your site and see if I find anything unusual or suspicious.  So far I do not see anything suspicious or unusual.

    #19152
    Schneider
    Participant

    Ok, I commented out those two lines and now the error does not appear in the log file. I switched back to IPv6 and manually triggered the cron job => no error.

    Yes, I immediately upgraded to the newest version after they were released. It could still be possible that it was hacked, but so far I have noticed nothing. I was just wondering where the additional parameter ‘silent=1’ comes from, but maybe my hosting company adds this by default.

    #19154
    AITpro Admin
    Keymaster

    UPDATE 3-9-2015 – The complete working solution is here:  http://forum.ait-pro.com/forums/topic/blocking-of-my-own-ipv6-server-address/#post-19161

    ________________________________

    Ok now let’s isolate it down a little further.  Do these manual steps:

    Edit the 2 security filters and remove/delete wget| from the security filters as shown below (and remove the pound sign # from in front of these 2 security filters):

    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]

    #19157
    Schneider
    Participant

    Ok, I removed ‘wget’ and now after triggering the cron the error does not pop up again.

    #19161
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    UPDATE:  11-12-2015 – These are the complete Custom Code steps with wget and curl removed/deleted from the BPS code below.  MailPoet uses both wget and curl crons and makes HEAD Requests.

    Other Known MailPoet issue/problem and solution:
    admin-ajax.php Widget Form blocked:  http://forum.ait-pro.com/forums/topic/bps-pro-preventing-mailpoet-newsletter-sign-up-form-from-working-exclude/#post-27000

    1. Copy the modified code below (wget and curl have been removed/deleted) to this BPS Root Custom Code text box:  CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS

    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker. 
    # Use BPS Custom Code to add or remove user agents temporarily or permanently from the 
    # User Agent filters directly below or to modify/edit/change any of the other security code rules below.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|python|nikto|scan|java|winhttp|clshttp|loader) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|python|nikto|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR] 
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE BPS QUERY STRING EXPLOITS

    2. Copy this modified REQUEST METHODS FILTERED .htaccess code below (HEAD has been removed/deleted) to this BPS Root Custom Code text box:  CUSTOM CODE REQUEST METHODS FILTERED
    3. Click the Save Root Custom Code button.
    4. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    BPS Pro 11.6+ & BPS free .53.2+
    You may see this code or the 11.5+/.53.1+ code in your root htaccess file.  The code does the same exact thing and is whitelisted in the same exact way.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    BPS Pro 11.5+ & BPS free .53.1+

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ - [R=405,L]

    BPS Pro 11.4|BPS free .53 and lower versions

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
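An added example (editor's code, not BPS, AITpro or MailPoet code) for trying the edits from post #19154 and the complete steps above without touching a live server. It implements a small subset of Apache mod_rewrite semantics in Python (RewriteCond search matching, the NC and OR flags, RewriteRule with a `-` target and [F] or [R=nnn]) and runs the cron request from the Security Log entries in this thread against a constructed "stock" rule set and the fixed one. Assumptions: the stock set reinserts wget and curl into the two user-agent filters (the thread only shows the edited lists, so their original position is a guess) and keeps the BPS Pro 11.5+ HEAD block active; the user-agent strings are constructed; only the few BPSQSE lines the demo needs are included, but the full BPSQSE block from step 1 pastes in unchanged. Python's re engine is not PCRE, so a disagreement on an exotic pattern is something to confirm on the real server.

```python
"""Offline evaluator for the BPS mod_rewrite filters discussed in this thread.
Added example, not BPS or MailPoet code: a small subset of Apache RewriteCond/RewriteRule
semantics in Python, so the filters can be tried against sample requests with no live server."""
import re

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]+)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]+)\])?$")


def parse_rules(text):
    """Return [(conditions, rule)]: each RewriteRule owns the RewriteConds above it."""
    blocks, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := COND_RE.match(line):
            conds.append((m.group(1), m.group(2), set((m.group(3) or "").split(","))))
        elif m := RULE_RE.match(line):
            blocks.append((conds, (m.group(1), m.group(2), set((m.group(3) or "").split(",")))))
            conds = []
        else:
            raise ValueError("unsupported directive: " + line)
    return blocks


def first_matching_cond(conds, request):
    """Apache semantics: [OR] joins a condition to the next one, otherwise AND; patterns are
    searched, not anchored. Returns the first condition that matched, or None if the chain fails."""
    if not conds:
        return "(unconditional)"
    groups, current = [], []  # groups are ANDed; members of a group are ORed
    for var, pattern, flags in conds:
        hit = re.search(pattern, request.get(var, ""), re.I if "NC" in flags else 0)
        current.append("%{" + var + "} " + pattern if hit else None)
        if "OR" not in flags:
            groups.append(current)
            current = []
    if current:  # chain ended on a dangling [OR]
        groups.append(current)
    witnesses = [next((c for c in group if c), None) for group in groups]
    return witnesses[0] if all(witnesses) else None


def evaluate(blocks, request):
    """(status, reason): 403 for [F], the code from [R=nnn], or (200, None) if nothing fired."""
    path = request["REQUEST_URI"].lstrip("/")  # per-directory rules see a relative path
    for conds, (pattern, target, flags) in blocks:
        reason = first_matching_cond(conds, request) if re.search(pattern, path) else None
        if reason is None:
            continue
        redirect = [int(f[2:]) for f in flags if f.startswith("R=")]
        if target != "-" or not ("F" in flags or redirect):
            raise NotImplementedError("only '-' targets with [F] or [R=nnn] are modelled")
        return (403 if "F" in flags else redirect[0]), reason
    return 200, None


def build_request(method, uri, user_agent, referer="", protocol="HTTP/1.1"):
    """Server variables as mod_rewrite sees them. Apache's %{REQUEST_URI} carries no query
    string; the BPS log prints PHP's $_SERVER value, which does include it."""
    path, _, query = uri.partition("?")
    return {"REQUEST_METHOD": method, "REQUEST_URI": path, "QUERY_STRING": query,
            "THE_REQUEST": f"{method} {uri} {protocol}",
            "HTTP_USER_AGENT": user_agent, "HTTP_REFERER": referer}


# Constructed "before" rule set: the thread only shows the edited lists, so wget and curl
# are put back (position is a guess) to stand in for stock BPS code, and the HEAD block is
# the BPS Pro 11.5+ form. Only the BPSQSE lines the demo needs are included; the full
# block from step 1 of the solution parses unchanged.
STOCK_FILTERS = r"""
RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|python|nikto|wget|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|python|nikto|wget|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteRule ^(.*)$ - [R=405,L]
"""

# The fix from the thread: wget and curl leave the user-agent lists and the two HEAD lines
# are commented out (dropped here). Every other filter stays active.
FIXED_FILTERS = "\n".join(
    line for line in STOCK_FILTERS.replace("wget|", "").replace("curl|", "").splitlines()
    if "HEAD" not in line and "R=405" not in line)

# Cron URL exactly as it appears in the Security Log entries quoted in the thread.
CRON_URI = "/wp-cron.php?67e7200a1fd78268fcb590237155051f&action=wysija_cron&process=all&silent=1"


def check(rules_text, method, uri, user_agent):
    """(status, reason) that one rule set produces for one request."""
    return evaluate(parse_rules(rules_text), build_request(method, uri, user_agent))


if __name__ == "__main__":  # constructed user-agent strings; last case keeps the QS filter active
    for method, uri, ua in [("GET", CRON_URI, "Wget/1.16 (linux-gnu)"), ("GET", CRON_URI, "curl/7.38.0"),
                            ("HEAD", CRON_URI, "Mozilla/5.0"), ("GET", CRON_URI, "python-requests/2.7.0"),
                            ("GET", CRON_URI + "&x=../../etc/passwd", "Wget/1.16 (linux-gnu)")]:
        before, after = check(STOCK_FILTERS, method, uri, ua), check(FIXED_FILTERS, method, uri, ua)
        print(f"{method:4} {ua:22} stock={before[0]} fixed={after[0]}  {after[1] or before[1]}")
```

Run it and the table shows that taking wget and curl out of the two user-agent filters unblocks the wget and curl crons, and dropping the HEAD lines unblocks a HEAD request, while a python-based trigger stays blocked by the same filter and a traversal payload in the query string is still refused, so the edit does not switch off the exploit filters. The reason column names the condition that fired, which is the first thing to look at when the log shows a block you did not expect.
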

    #19162
    Schneider
    Participant

    Thanks for your help – have done so.

    #21387
    FGL87
    Participant

    I’m experiencing the exact same problem as TS, but these steps didn’t work. Obviously I also removed the “wget” part from the filters.
    Could anyone please explain how I can stop BPS from blocking the MailPoet cron? The log still shows:

    [403 GET / HEAD Request: 9 maart 2015 - 12:50]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 178.79.184.115
    Host Name: li353-115.members.linode.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-cron.php?67e7200a1fd78268fcb590237155051f&action=wysija_cron&process=all&silent=1
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0

    #21390
    AITpro Admin
    Keymaster

    Do these troubleshooting steps and let me know if the issue/problem is still occurring.

    http://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button. See Custom Code Note if doing this step works.
    2. On the Security Modes page, click the wp-admin Folder BulletProof Mode Deactivate button.  See Custom Code Note if doing this step works.

    #21391
    FGL87
    Participant

    Thanks, it seems I might have had to wait a little longer. The time stamps in the log aren’t in sync with the cron. Messages aren’t popping up in the logs anymore. Great!

    #21392
    AITpro Admin
    Keymaster

    Yep, the BPS log files are plain text log files and not dynamic.  They are the same as your Server log files that log static events in chronological order by date/time.
