CMS Commander – 403 error, wp-admin login redirect


This topic contains 9 replies, has 2 voices, and was last updated by AITpro Admin 7 months, 1 week ago.

Viewing 10 posts - 1 through 10 (of 10 total)
    #34067

    Terry Chadban
    Participant

    Sorry if this is obvious to the experts, but I am a noob struggling to make the transition from iThemes Security to BPS Pro.

    I have whitelisted both my own IP address, and that of CMS Commander, in Plugin Firewall Additional Whitelist Tools, but keep getting the following security error:

    [403 GET Request: September 16, 2017 - 4:04 pm]
    BPS Pro: 13.3.1
    WP: 4.8.1
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 27.96.200.58
    Host Name: 27-96-200-58-cpe.spintel.net.au
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://cmscommander.com/wp-admin/index.php
    REQUEST_URI: /wp-admin/?auto_login=1&username=q9WIqwQWSkx&cmsc_goto=https://thefurnituresurgeon.com.au//wp-admin/index.php&signature=bb6aBX%2FtR5FkdAxPJo3JJWD9osaSUoCIw56acx0IeWXt6RVDcnmehysmMw1IJgZH1yQq698RQ0l%2BGT7TODMoqueKI3l2M24lxRzqnyhAfeuOmLa5hxP420eVo57uLsG%2FMGr1rMu4LSMn%2FFjj%2FbMk2y%2BuG25t3jQ220TSfmE4J0o%3D&message_id=521
    QUERY_STRING: auto_login=1&username=q9WIqwQWSkx&cmsc_goto=https://thefurnituresurgeon.com.au//wp-admin/index.php&signature=bb6aBX%2FtR5FkdAxPJo3JJWD9osaSUoCIw56acx0IeWXt6RVDcnmehysmMw1IJgZH1yQq698RQ0l%2BGT7TODMoqueKI3l2M24lxRzqnyhAfeuOmLa5hxP420eVo57uLsG%2FMGr1rMu4LSMn%2FFjj%2FbMk2y%2BuG25t3jQ220TSfmE4J0o%3D&message_id=521
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36

    and I keep getting a 403 error whenever I try to use CMS Commander to go to the wp-admin page. I can access the wp-admin page manually, so it has to be settings in BPS pro forbidding me. Any help greatly appreciated, and yes, I have searched the archives, and RTFM!

    Terry

    #34070

    AITpro Admin
    Keymaster

    The wp-admin login redirect Query String is simulating an RFI hacking method.  The Security Log Event Code in the Security Log entry indicated that the problem is caused by the wp-admin htaccess file so I did BPS Pro Troubleshooting step #2 to check and confirm that the problem is only caused by the wp-admin htaccess file.  Do the steps below to whitelist this Request.  Note: This fix will be added to the Setup Wizard AutoFix feature in the next BPS and BPS Pro version releases.

    1. Copy the modified wp-admin htaccess code below to this BPS wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    2. Click the Save wp-admin Custom Code button.
    3. Go to the Security Modes page and click the wp-admin BulletProof Mode Activate button.

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS

    #34086

    Terry Chadban
    Participant

    Hi Edward,

    Did that, but still getting the following error message: “Data could not be loaded. Your server sent the following message – ‘403 Forbidden'”.

    Where do I whitelist my own IP address correctly?

    Terry

    #34087

    Terry Chadban
    Participant

    Hi again,

    Just tried to update another website, with the same result, still getting the 403 error. BTW the IP address in the code is mine, which is why I asked about whitelisting it, the autopilot mode is blocking my own IP address!

    Terry

    #34089

    AITpro Admin
    Keymaster

    The error message is not a BPS error message.  I did a google search and did not find that exact error message.  The only similar error messages that I found had to do with Cloud servers and Python.

    Were you able to successfully add the solution above in wp-admin Custom Code?  Where and when did you see that error message?  Please be exactly specific.  The Security Log entry above has to do with the wp-admin htaccess file.  Are you seeing other Security Log entries that have to do with the Plugin Firewall and AutoPilot Mode?  If so, post 1 of those Security Log entries so I can see what you are talking about.

    #34090

    Terry Chadban
    Participant

    Hi Edward,

    Sorry, I didn’t make my self clear enough. The error message is a CMS Commander error, not a BPS one. The exact message is “Data could not be loaded. Your server sent the following message – ‘403 Forbidden'”.

    BPS Pro isn’t showing any errors related to the connection attempt now.

    Yes, the code was added correctly both times, I got the green ‘success’ message both times, and reactivated the WP-ADMIN Bulletproof mode both times. You are thinking it may be a problem at the server?

    Terry

    #34092

    AITpro Admin
    Keymaster

    Ok I’m following you now.  What you need to do at this point is BPS Pro Troubleshooting steps:  1, 2 and 3 to isolate exactly which BPS Pro feature is blocking something in CMS Commander.  Do step #1 and test.  Do step #2 and test.  Do step #3 and test. Let me know the results after you have done the troubleshooting steps.

    #34094

    Terry Chadban
    Participant

    Hi Edward,

    Thanks, I will go through the steps now. MainWP is getting the same ‘403 – Forbidden’ error when I try to use it to access websites, so that narrows it down to a setting in BPS Pro. At least I know that the websites are safe while I am poking around, if it is even locking me out!  🙂

    Terry

    #34095

    Terry Chadban
    Participant

    Hi all,

    Turns out the problem was in the root custom code in 14. This is what I had:

    
    # Protect wp-login.php from Brute Force Login Attacks based on Server Protocol
    # Block automated comment spambots using Server Protocol HTTP/1.0
    # All legitimate humans and bots should be using Server Protocol HTTP/1.1
    RewriteCond %{REQUEST_URI} ^(/wp-login\.php|/wp-comments-post\.php)$
    RewriteCond %{THE_REQUEST} HTTP/1\.0
    RewriteRule ^(.*)$ - [F,L]
    
    # BPS POST Request Attack Protection
    RewriteCond %{REQUEST_METHOD} POST [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
    # NEVER COMMENT OUT THIS LINE OF CODE BELOW FOR ANY REASON
    RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
    # Whitelist the WordPress Theme Customizer
    RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
    # Whitelist XML-RPC Pingbacks, JetPack and Remote Posting POST Requests
    RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
    # Whitelist Jetpack JSON POST Request
    RewriteCond %{REQUEST_URI} !^.*/wp-json/jetpack/(.*) [NC]
    # Whitelist Network|Multisite Signup POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-signup.php [NC]
    # Whitelist Network|Multisite Activate POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-activate.php [NC]
    # Whitelist Trackback POST Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-trackback.php [NC]
    # Whitelist Comments POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/wp-comments-post.php [NC]
    # Example 1: Whitelist Star Rating Calculator POST Form Requests
    RewriteCond %{REQUEST_URI} !^.*/star-rating-calculator.php [NC]
    # Example 2: Whitelist Contact Form POST Requests
    RewriteCond %{REQUEST_URI} !^.*/contact/ [NC]
    # Example 3: Whitelist PayPal IPN API Script POST Requests
    RewriteCond %{REQUEST_URI} !^.*/ipn_handler.php [NC]
    RewriteRule ^(.*)$ - [F]
    
    # XML-RPC DDoS & TRACKBACK/PINGBACK PROTECTION
    # Using this code blocks Pingbacks and Trackbacks on your website.
    # You can whitelist your IP address if you use A Weblog Client
    # or want to whitelist an IP address for any other reasons.
    # Example: uncomment #Allow from x.x.x. by deleting the # sign and
    # replace the x's with your actual IP address. Allow from 99.88.77.
    # Note: It is recommended that you use 3 octets x.x.x. of your IP address
    # instead of 4 octets x.x.x.x of your IP address.
    
    <FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
    Order Deny,Allow
    Allow from 27.96.200.
    Deny from all
    </FilesMatch>
    
    # WP AUTHOR ENUMERATION BOT PROBE PROTECTION
    # Rewrites to author=999999 that does not actually exist
    # which results in a standard 404 error. To the hacker bot
    # it appears that this author does not exist without giving
    # any clues that the author does actually exist.
    
    RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L] 

    When I reintroduced the first block and the last two blocks, everything worked fine, so it looks like the problem is in the BPS Post Request Attack Protection code. Since I don’t use either Jetpack or Multisites, I am happy to leave this code out for the time being. Thanks for your help.

    Terry

    #34097

    AITpro Admin
    Keymaster

    The POST Attack Protection Bonus Custom Code is going to be created as a standard feature in the next BPS Pro version.  It is going to be named POST Request Protection (PRP).  Currently the POST Attack Protection Bonus Custom Code has 2 major issues:  #1. Folks are not aware that they need to create additional whitelist rules in the POST Attack Protection Bonus Custom Code when a legitimate POST Request is blocked.  The process is too complex for the average person to figure out.  #2.  The POST Attack Protection Bonus Custom Code needs to be incorporated into the WP REWRITE LOOP block of code in order for whitelisting to work correctly at all URI|URL rewriting levels.  Also too complex for the average person to figure out.

    The new POST Request Protection (PRP) feature will either automatically create whitelist rules like Plugin Firewall AutoPilot Mode currently does and/or display a message (similar to HPF) with exact help info on what needs to be done to whitelist X.
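To show concretely why the CMS Commander login redirect tripped the wp-admin rules and why the POST Request Attack Protection block stops a remote management client, here is an added Python example; it is not BPS Pro code and not code from anyone in this thread. It replays the %{QUERY_STRING} conditions of the BPSQSE block and the first conditions of the POST block through a small evaluator with Apache's [OR]/AND and "!" semantics, against the QUERY_STRING from the Security Log entry at the top of the thread and a constructed POST request. Assumptions, also marked in the code: the two http|https conditions are the ones the fix commented out (re-enabling them gives the stock block); the management client POSTs to the site root; and Python's re stands in for Apache's PCRE, which behaves the same for these patterns.

```python
import re

# %{QUERY_STRING} conditions of the BPSQSE block posted above, copied as
# written, '#' comments included. The user-agent, THE_REQUEST and referer
# conditions are left out; none of them matches the logged request.
BPSQSE_QUERY_STRING = r"""
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
#RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
#RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
"""
# Assumption: these are the two conditions the fix commented out; the stock block has them enabled.
STOCK_ONLY = ("[a-zA-Z0-9_]=(http|https)://", r"(http|https)\:")

# POST Request Attack Protection chain from the root Custom Code post, cut to
# its first conditions; the rest are more negated !^.*/path whitelists.
POST_PROTECTION = r"""
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-cron.php [NC]
RewriteCond %{REQUEST_URI} !^.*/wp-login.php [NC]
RewriteCond %{HTTP_REFERER} !^.*/wp-admin/customize.php [NC]
RewriteCond %{REQUEST_URI} !^.*/xmlrpc.php [NC]
"""

# QUERY_STRING field of the Security Log entry at the top of the thread.
CMSC_LOGIN_QUERY = (
    "auto_login=1&username=q9WIqwQWSkx"
    "&cmsc_goto=https://thefurnituresurgeon.com.au//wp-admin/index.php"
    "&signature=bb6aBX%2FtR5FkdAxPJo3JJWD9osaSUoCIw56acx0IeWXt6RVDcnmehysmMw1I"
    "JgZH1yQq698RQ0l%2BGT7TODMoqueKI3l2M24lxRzqnyhAfeuOmLa5hxP420eVo57uLsG%2F"
    "MGr1rMu4LSMn%2FFjj%2FbMk2y%2BuG25t3jQ220TSfmE4J0o%3D&message_id=521")

COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")

def parse_chain(text):
    """RewriteCond lines -> list of (var, pattern, negate, nocase, or_next)."""
    chain = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # .htaccess comment
            continue
        m = COND_RE.match(line)
        if not m:
            raise ValueError("not a RewriteCond line: " + line)
        flags = {f.strip().upper() for f in (m.group(3) or "").split(",")}
        pat = m.group(2)
        chain.append((m.group(1), pat.lstrip("!"), pat.startswith("!"),
                      "NC" in flags, "OR" in flags))
    return chain

def evaluate(chain, env):
    """Apache semantics: a run of [OR] conditions is one group, groups are ANDed,
    and evaluation stops at the first false group. Returns (rule fires -> 403,
    patterns whose regex matched their variable before any '!' is applied)."""
    matched, group_true = [], False
    for var, pattern, negate, nocase, or_next in chain:
        hit = re.search(pattern, env.get(var, ""), re.I if nocase else 0) is not None
        if hit:
            matched.append(pattern)
        group_true = group_true or (hit != negate)
        if or_next:
            continue
        if not group_true:
            return False, matched
        group_true = False
    return True, matched

def stock_rules(text):
    """Re-enable the commented-out STOCK_ONLY conditions."""
    return "\n".join(l[1:] if l.startswith("#") and any(p in l for p in STOCK_ONLY)
                     else l for l in text.splitlines())

def verdict(rules, env):
    fires, matched = evaluate(parse_chain(rules), env)
    return ("403" if fires else "pass"), matched

if __name__ == "__main__":
    login = {"QUERY_STRING": CMSC_LOGIN_QUERY}
    print(verdict(stock_rules(BPSQSE_QUERY_STRING), login), verdict(BPSQSE_QUERY_STRING, login))
    # Assumption: the management client POSTs to the site root; read the real target
    # URI from the access log before writing a whitelist condition for it.
    print(verdict(POST_PROTECTION, {"REQUEST_METHOD": "POST", "REQUEST_URI": "/"}))
```

Running it shows the stock wp-admin rules returning a 403 from `[a-zA-Z0-9_]=(http|https)://` and `(http|https)\:` (the `cmsc_goto=https://...` parameter is what looks like a remote file inclusion attempt), the modified rules passing the same request, and a POST to `/` hitting the POST block while a POST under /wp-admin/ does not. Appending `RewriteCond %{REQUEST_URI} !^/$ [NC]` to the chain is the shape of the whitelist rule the last post refers to, but it exempts every POST to the front page, so use the narrowest URI the tool actually hits.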
