CyrusOne Hosting – Plugin Firewall needs to be turned Off


    #16729
    merlin
    Participant

    Hi There.

    Here are my whitelist rules

    /go_pricing/assets/js/go_pricing_scripts.js, /js/mediaelementjs/mediaelement-and-player.min.js, /prettyphoto/js/jquery.prettyPhoto.js

    I have confirmed they are in the .htaccess file once the firewall has been turned on. Yet these plugins are still being blocked and my site is broken. Why?

    thanks
    Merlin

    #16731
    AITpro Admin
    Keymaster

    Post a link to your website so I can scan it remotely.
    Post your Plugin Firewall .htaccess code from your Plugin Firewall .htaccess file.
    Check your BPS Pro Security Log and post any/all security log entries related to blocked plugins.

    #16734
    merlin
    Participant

    http://www.xplaytechcasinos.com

    Before you ask for my .htaccess, here it is. I've just removed IPs.

    # BEGIN WHITELIST: Frontend Loading Website Plugin scripts/files
    SetEnvIf Request_URI "/bulletproof-security/400.php$" whitelist
    SetEnvIf Request_URI "/bulletproof-security/403.php$" whitelist
    SetEnvIf Request_URI "/go_pricing/assets/js/go_pricing_scripts.js$" whitelist
    SetEnvIf Request_URI "/js/mediaelementjs/mediaelement-and-player.min.js$" whitelist
    SetEnvIf Request_URI "/prettyphoto/js/jquery.prettyPhoto.js$" whitelist
    # END WHITELIST
    #
    # FORBID REMOTE ACCESS TO THESE PLUGIN FILE TYPES FROM ANYONE EXCEPT YOU
    # Whitelist Exceptions: Payment Gateway Provider domain names and/or Whitelisted Plugin scripts/files ONLY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|txt|vb|vbe|vbs|war|ws|wsf|xhtml|z|zip)$">
    Order Allow,Deny
    Allow from env=whitelist
    Allow from xplaytechcasinos.com
    Allow from xxx
    # BEGIN PUBLIC IP
    Allow from xxx
    # END PUBLIC IP
    </FilesMatch>

    2 entries from the security log

    [403 GET / HEAD Request: August 13, 2014 9:30 pm]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 108.213.94.121
    Host Name: 108-213-94-121.lightspeed.irvnca.sbcglobal.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 108.213.94.121
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.xplaytechcasinos.com/
    REQUEST_URI: /wp-content/plugins/prettyphoto/js/jquery.prettyPhoto.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
    
    [403 GET / HEAD Request: August 13, 2014 9:30 pm]
    Event Code: PFWR-PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 108.213.94.121
    Host Name: 108-213-94-121.lightspeed.irvnca.sbcglobal.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 108.213.94.121
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.xplaytechcasinos.com/
    REQUEST_URI: /wp-content/plugins/go_pricing/assets/js/go_pricing_scripts.js
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

    #16738
    AITpro Admin
    Keymaster

    Ok I see the problem.

    Using Google Developer Tools I see these 403 errors below:

    This plugin script is throwing off the cURL scanner since it is using “plugins” twice in its path naming convention, which is of course a very bad practice to use, just like you would not use “wp-content” anywhere in a plugin path naming convention.

    /plugins/go_pricing/assets/plugins/js/mediaelementjs/mediaelement-and-player.min.js
    Failed to load resource: the server responded with a status of 403 (Forbidden) http://www.xplaytechcasinos.com/wp-content/plugins/go_pricing/assets/plugins/js/mediaelementjs/mediaelement-and-player.min.js
    Failed to load resource: the server responded with a status of 403 (Forbidden) http://www.xplaytechcasinos.com/wp-content/plugins/prettyphoto/js/jquery.prettyPhoto.js
    Failed to load resource: the server responded with a status of 403 (Forbidden) http://www.xplaytechcasinos.com/wp-content/plugins/go_pricing/assets/js/go_pricing_scripts.js
    Uncaught TypeError: undefined is not a function (index):570

    This is how you can compensate for what I consider to be a mistake in using “plugins” in the path naming convention in the go pricing plugin.  Overwrite or delete your current Plugin Firewall whitelist rules and add these 2 whitelist rules below, click the Save Whitelist Options button and activate the Plugin Firewall again.

    /go_pricing/assets/plugins/js/(.*).js, /prettyphoto/js/jquery.prettyPhoto.js
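    Added example, not BPS Pro or Apache code: a small Python model of how Apache evaluates the SetEnvIf / FilesMatch / Order Allow,Deny block merlin posted, applied to the REQUEST_URI values from the security log and the Developer Tools errors above. The FilesMatch extension list is shortened to a constructed subset, and the redacted IP Allow lines are left out.

```python
import re
from posixpath import basename

# Whitelist regexes exactly as they appear in the SetEnvIf lines merlin posted.
# SetEnvIf applies its regex unanchored at the start, so a rule written for
# "/prettyphoto/js/..." also matches "/wp-content/plugins/prettyphoto/js/...".
WHITELIST_RULES = [
    r"/bulletproof-security/400.php$",
    r"/bulletproof-security/403.php$",
    r"/go_pricing/assets/js/go_pricing_scripts.js$",
    r"/js/mediaelementjs/mediaelement-and-player.min.js$",
    r"/prettyphoto/js/jquery.prettyPhoto.js$",
]

# Constructed, shortened subset of the posted FilesMatch extension list.
FORBIDDEN_EXT = r"\.(js|json|php|html|txt|zip)$"

# Domain from the "Allow from <domain>" line; Apache compares a domain-name
# Allow against the client's reverse-DNS host name, modelled here as a suffix.
ALLOWED_DOMAINS = ["xplaytechcasinos.com"]


def whitelisted(request_uri: str) -> bool:
    """SetEnvIf Request_URI ... whitelist: env is set if any rule matches."""
    return any(re.search(rule, request_uri) for rule in WHITELIST_RULES)


def covered_by_filesmatch(request_uri: str) -> bool:
    """FilesMatch tests only the final path component (the file name)."""
    return re.search(FORBIDDEN_EXT, basename(request_uri)) is not None


def decide(request_uri: str, remote_host: str = "") -> int:
    """Model 'Order Allow,Deny' inside the FilesMatch block: the request is
    served if any Allow line matches, otherwise 403. Files the block does not
    cover are served regardless."""
    if not covered_by_filesmatch(request_uri):
        return 200
    host_ok = any(remote_host == d or remote_host.endswith("." + d)
                  for d in ALLOWED_DOMAINS)
    return 200 if (whitelisted(request_uri) or host_ok) else 403


# Constructed from the REQUEST_URI values in the posted security log and the
# Developer Tools 403 lines; a non-whitelisted script is added for contrast.
LOGGED_URIS = [
    "/wp-content/plugins/prettyphoto/js/jquery.prettyPhoto.js",
    "/wp-content/plugins/go_pricing/assets/js/go_pricing_scripts.js",
    "/wp-content/plugins/go_pricing/assets/plugins/js/mediaelementjs/mediaelement-and-player.min.js",
    "/wp-content/plugins/ultimate-tables/js/jquery.dataTables.js",
]

if __name__ == "__main__":
    for uri in LOGGED_URIS:
        print(decide(uri), uri)
```

    Under these semantics the three URIs that were logged as 403 all match the original whitelist, so the rules as written are not what denies them; only the contrasting dataTables script is refused.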

    #16746
    merlin
    Participant

    still not working…

    # BEGIN WHITELIST: Frontend Loading Website Plugin scripts/files
    SetEnvIf Request_URI "/bulletproof-security/400.php$" whitelist
    SetEnvIf Request_URI "/bulletproof-security/403.php$" whitelist
    SetEnvIf Request_URI "/go_pricing/assets/plugins/js/(.*).js$" whitelist
    SetEnvIf Request_URI "/prettyphoto/js/jquery.prettyPhoto.js$" whitelist
    # END WHITELIST

    #16749
    AITpro Admin
    Keymaster

    Oops try these rules instead.  It may be that another method may need to be used to compensate for the go pricing plugin mistake, but try these rules and see if they work first.

    /go_pricing/assets/(.*).js, /prettyphoto/js/jquery.prettyPhoto.js

    #16751
    merlin
    Participant

    No luck… all are still 403. It's like the .htaccess file is being read incorrectly.

    #16753
    AITpro Admin
    Keymaster

    Yes, seems like a possibility.  Try something simple first:

    Click the Deactivate button to delete the Plugin Firewall .htaccess file and then click the Save Whitelist Options button and activate the Plugin Firewall again. If this does not work then create a temporary Admin login to this website and send the login directly to edward [at] ait-pro [dot] com.

    #16760
    merlin
    Participant

    I’ve tried it, no go

    It's 2 am here now, I'm going to have to leave the FW off and get some shut eye.
    I will look at this again in the morning.
    Thanks for trying… so frustrated.

    #16764
    AITpro Admin
    Keymaster

    Yeah, this is probably something complicated.  Normally Plugin Firewall issues/problems are very simple to fix.  I imagine the source of the problem is going to be with the Go – Responsive Pricing & Compare Tables plugin, but it could be something else.  So send Ed a login and he’ll figure out what is going on and fix it.

    #16794
    merlin
    Participant

    Hi Again

    I have installed BPS onto another test site and the same issue is happening.
    http://www.sablackjack.co.za

    I have whitelisted it, yet it's returning 403 when I try to access it directly:
    /ultimate-tables/js/jquery.dataTables.js

    There is an important point about the hosting. It uses some sort of caching. By this I mean all sites are on a central server, and they are then pushed to front-end hosts.

    In theory this should make no difference, as when the BPS FW is off the site works fine after the front-end cache has been updated, and then it blocks all plugins once the BPS FW has been turned on and the front-end cache reset.

    Can you think of anything that could stop it working in this scenario?

    regards
    Merlin

    #16795
    merlin
    Participant

    I have spoken to the hosting company and they told me that the .htaccess file that is created by BPS is cloned exactly to the front end host.

    #16811
    AITpro Admin
    Keymaster

    Hmm interesting.  I have never heard of this before:  “…they told me that the .htaccess file that is created by BPS is cloned exactly to the front end host” so I checked your Host:  CyrusOne and see that they offer this Cloud service:  The Sky for the Cloud.

    Since the Plugin Firewall .htaccess file is actually “working” meaning that when you turn it on or off it does have an effect then what I am thinking is that something like this scenario is occurring:  Your site is behind a Proxy or Firewall or some other Cloud feature and the IP address that the Plugin Firewall is seeing and creating for your website/Server is not the correct website/Server IP address.  In this scenario the HTTP_X_FORWARDED_FOR IP address that is being seen is not correct or additional IP addresses need to be added using the BPS Pro Plugin Firewall Additional Whitelist tools.

    The IP address I see in DNS for this website: sablackjack.co.za is: 192.185.163.101.  Is this the IP address you are seeing in your Plugin Firewall .htaccess file?

    The general format of the field is:
    X-Forwarded-For: client, proxy1, proxy2

    http://en.wikipedia.org/wiki/X-Forwarded-For

    #16812
    merlin
    Participant

    So here is why it's never gonna work 🙁

    Hi Warren:
    Again, I’m sorry about the confusion surrounding this, I wasn’t in the office yesterday so I didn’t catch it.

    Basically what happens when a site is called through the RPC (the caching script) is that the backend server runs the PHP coding and then the result is cached on the front end. No PHP or .htaccess files themselves are actually ever cached. So say the cache on your website testwebsite.com has just been cleared and I request it from IP 1.1.1.1. Because no cache exists on the server for that domain, it’s going to ask for a copy from the backend server and show that IP 1.1.1.1 is requesting it. Now, if my IP (1.1.1.1) is set to say a deny all directive in .htaccess, because it reaches the backend (due to no cache existing) it’s going to refuse to serve me the page.

    However, if cache DOES exist, the front end server is going to serve the site from cache and not run the .htaccess file because it never reaches the backend. We realize this is sort of a catch for many people and do have it in our development pipeline to offer the ability to add things to the front end .htaccess, however I don't have an exact ETA of when that would be rolled out.

    #16814
    AITpro Admin
    Keymaster

    Well the good news is that the way your Host is doing things your Plugins/plugin files are already protected by that Server configuration. 🙂

    The most important / essential BPS Pro Security features all work so no big deal really.  Just turn the Plugin Firewall Off. 😉
