Is bulletproof blocking all js files from loading in admin?


  • #38875
    Nicki
    Participant

    I am having a bit of a nightmare with 403 errors with all WordPress websites I run on my VPS server. I have been struggling with modsecurity for months and now ‘think’ I have the WordPress exclusions rules set installed on my server. The rules can be found in the cpanel modsecurity tools rules list so I believe that is working. It has made the websites’ admin areas run a lot faster, but I am still experiencing many 403 errors when loading resources on admin pages, mostly edit post/page screens, that seem to apply to js files being loaded from plugins and even from the wp-includes folder. This obviously breaks things.

    My question is, do you think this is bulletproof blocking these files, or am I still suffering issues with modsecurity?

    I was going to add some plugin skip/bypass rules in bulletproof’s custom code, but on looking at the log files it seems to be all js files from random plugins that are being blocked and it seems ridiculous adding rules for all plugins, especially as I would have to do it on all websites.

    I am adding an example of errors from the BPS security log in case you can see something that I am missing. These errors are all from loading one page for editing. I wonder if you have any ideas to point me in the right direction about how I can effectively whitelist all js files.

    Thanks for any insight.

    [403 GET Request: April 24, 2020 - 5:12 pm]
    BPS: 3.9
    WP: 5.4
    Event Code: PSBR-HPRA
    Solution: /forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 78-32-66-40.static.aquiss.com
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: wp-admin/post.php?post=1038&action=edit&lang=de
    REQUEST_URI: /wp-content/plugins/advanced-custom-fields-pro/pro/assets/js/acf-pro-input.min.js?ver=5.8.9
    QUERY_STRING: ver=5.8.9
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:75.0) Gecko/20100101 Firefox/75.0
    
    [403 GET Request: April 24, 2020 - 5:12 pm]
    BPS: 3.9
    WP: 5.4
    Event Code: PSBR-HPRA
    Solution: /forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 78-32-66-40.static.aquiss.com
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: /wp-admin/post.php?post=1038&action=edit&lang=de
    REQUEST_URI: /wp-content/plugins/wp-optimize/js/wposmush-3-0-19.min.js?ver=3.0.19
    QUERY_STRING: ver=3.0.19
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:75.0) Gecko/20100101 Firefox/75.0
    
    [403 GET Request: April 24, 2020 - 5:12 pm]
    BPS: 3.9
    WP: 5.4
    Event Code: WPADMIN-SBR
    Solution: /forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 78-32-66-40.static.aquiss.com
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: /wp-admin/post.php?post=1038&action=edit&lang=de
    REQUEST_URI: /wp-includes/js/jquery/ui/datepicker.min.js?ver=1.11.4
    QUERY_STRING: ver=1.11.4
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:75.0) Gecko/20100101 Firefox/75.0
    
    [403 GET Request: April 24, 2020 - 5:12 pm]
    BPS: 3.9
    WP: 5.4
    Event Code: WPADMIN-SBR
    Solution: /forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 78-32-66-40.static.aquiss.com
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: /wp-admin/post.php?post=1038&action=edit&lang=de
    REQUEST_URI: /wp-includes/js/underscore.min.js?ver=1.8.3
    QUERY_STRING: ver=1.8.3
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:75.0) Gecko/20100101 Firefox/75.0
    
    [403 GET Request: April 24, 2020 - 5:12 pm]
    BPS: 3.9
    WP: 5.4
    Event Code: WPADMIN-SBR
    Solution: /forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 78-32-66-40.static.aquiss.com
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: /wp-admin/post.php?post=1038&action=edit&lang=de
    REQUEST_URI: /wp-includes/js/jquery/ui/sortable.min.js?ver=1.11.4
    QUERY_STRING: ver=1.11.4
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:75.0) Gecko/20100101 Firefox/75.0
    
    [403 GET Request: April 24, 2020 - 5:12 pm]
    BPS: 3.9
    WP: 5.4
    Event Code: PSBR-HPRA
    Solution: /forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 78-32-66-40.static.aquiss.com
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: /wp-admin/post.php?post=1038&action=edit&lang=de
    REQUEST_URI: /wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/jquery-ui-timepicker-addon.min.js?ver=1.6.1
    QUERY_STRING: ver=1.6.1
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:75.0) Gecko/20100101 Firefox/75.0
    
    [403 GET Request: April 24, 2020 - 5:12 pm]
    BPS: 3.9
    WP: 5.4
    Event Code: PSBR-HPRA
    Solution: /forums/topic/security-log-event-codes/
    REMOTE_ADDR: GDPR Compliance On
    Host Name: 78-32-66-40.static.aquiss.com
    SERVER_PROTOCOL: HTTP/2.0
    HTTP_CLIENT_IP: GDPR Compliance On
    HTTP_FORWARDED: GDPR Compliance On
    HTTP_X_FORWARDED_FOR: GDPR Compliance On
    HTTP_X_CLUSTER_CLIENT_IP: GDPR Compliance On
    REQUEST_METHOD: GET
    HTTP_REFERER: /wp-admin/post.php?post=1038&action=edit&lang=de
    REQUEST_URI: /wp-content/plugins/sitepress-multilingual-cms/res/js/icl-admin-notifier.js?ver=4.3.12
    QUERY_STRING: ver=4.3.12
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:75.0) Gecko/20100101 Firefox/75.0

    #38880
    AITpro Admin
    Keymaster

    Your forum topic was sent to pending by the new version of BuddyPress. I keep meaning to figure out how to disable this new functionality in BuddyPress.  I had to strip out the URL Schemes to approve your forum topic.  This may be a problem with the BPS Pro Plugin Firewall.  Deactivate the BPS Pro Plugin Firewall and let me know if the 403 errors stop.  ModSecurity is more trouble than it is worth.  I highly recommend that you do not use ModSecurity.  Unfortunately, whitelisting in ModSecurity is extremely difficult and time consuming as you probably have already found out.  If you have finally got ModSecurity working then disregard my recommendation.  Post a URL/link to your website so I can check if you are minifying/compressing/combining js scripts. js minification/compression/combining breaks the BPS Pro Plugin Firewall and many things in many other plugins and themes.

    #38881
    Nicki
    Participant

    Ah, I seem to have managed to post in the wrong forum as I have the free version of BPS, so sorry about that. Could have sworn I swapped over when I realised.

    So I don’t have the BPS firewall. I guess some websites may have a minifying plugin on there, this is one website with minimal plugins cannedsunlight.com, this is one that is more complicated and suffers with 403 errors: everythingdragonshop.com

    It’s a shame that modsecurity doesn’t work well with WordPress. My VPS was upgraded recently and before that it had no problems with modsecurity installed. I’m worried about security without it.

    #38882
    AITpro Admin
    Keymaster

    Oh I was the one who moved your forum topic from the BPS free forum to the BPS Pro forum.  I thought you had BPS Pro.  I’ll move it back to the BPS free forum after posting this forum reply.

    Try doing the BPS free troubleshooting steps and let me know if any of the BPS security features are causing these 403 errors > https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting.  The BPS Security Log logs all 403 errors whether or not BPS is causing 403 errors.  So the 403 errors could be caused by ModSecurity.  You can confirm the 403 errors are being caused by ModSecurity by turning Off BPS Security Logging on the Security Log page.  What you should see if ModSecurity is causing these 403 errors is a generic ModSecurity 403 error page.

    ModSecurity is great if you have a VPS or Dedicated server and can afford to spend the time required to add ModSecurity whitelisting rules. ModSecurity is a nightmare on Shared web hosting. 😉 ModSecurity has some built-in auditing and logging tools, but they are difficult to implement and even more difficult to understand. ModSecurity is definitely not for the faint of heart. 😉 I suggested to the folks who are working on ModSecurity that it would be extremely useful to create a ModSecurity panel interface where someone could just click buttons vs trying to decipher the cryptic audit and log entries that ModSecurity generates. I was informed by the folks that are working on ModSecurity that they are volunteers. So I guess that means they have time to continue to add additional security rules for ModSecurity, but don’t have the time to make ModSecurity user friendly and easy to use. LOL

     

    #38883
    AITpro Admin
    Keymaster

    You can also eliminate ModSecurity CRS relatively quickly by changing this value/setting: SecRuleEngine Off in the /apache/conf/extra/modsecurity.conf file.  There are 3 possible values: On, Off or DetectionOnly. I’m pretty sure you would need to reboot your VPS server in order for this value/setting to take effect.

    #39061
    Nicki
    Participant

    I thought I would update this post as I have finally got to the bottom of the recurring 403 errors for WordPress websites on my VPS. After many days spent troubleshooting this it turns out that it is not bulletproof, or mod_security at all, but another apache module mod_evasive that is causing the problem.

    Turning off bulletproof for a test website and mod_security for the whole server didn’t stop the problem. The error in the logs was vague as it was listed as just ‘error’ with no codes, or mod_security reference, so my instincts were that it was something else. Mod_evasive is used to help prevent DDOS attacks and from what I can see the default configuration for mod_evasive is too strict for the amount of connections that WordPress makes to the server to load assets etc, especially on admin pages. I had very few WordPress sites that were simple enough to not be affected. Once I disabled this module the problem went away. I haven’t had time to test different settings in the configuration, but it is possible to whitelist ip addresses for WordPress Admins and the server itself which can stop the problem. But if like me you host multiple WordPress installs for clients and it’s impossible to whitelist all admins, then the options are to play with the configuration (number of page hits per second before an ip is blocked etc) until you make it acceptable, or uninstall the module.

    I hope this helps someone else struggling with this problem.
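
Added example, not part of the original posts and not mod_evasive's own code: a simplified fixed-window Python model of the per-IP hit counters described in the post above, run over a constructed burst of admin-page asset requests. The directive names in the comments are mod_evasive's; the threshold values, the client IP and the asset paths are assumptions for illustration.

```python
from collections import defaultdict

def build_sample(n_assets=60, ip="203.0.113.10"):
    """Constructed sample: one edit screen plus its scripts, all within ~0.7 s."""
    reqs = [(0.00, ip, "/wp-admin/post.php")]
    for i in range(n_assets):
        reqs.append((0.05 + i * 0.01, ip, f"/wp-includes/js/asset-{i}.min.js"))
    return reqs

def simulate(requests, page_count, site_count, page_interval=1,
             site_interval=1, blocking_period=10, whitelist=()):
    """Return [(path, status)] under a simplified model of the counters.

    page_count / page_interval -> DOSPageCount / DOSPageInterval (same IP, same URI)
    site_count / site_interval -> DOSSiteCount / DOSSiteInterval (same IP, any URI)
    blocking_period            -> DOSBlockingPeriod
    whitelist                  -> DOSWhitelist entries
    """
    blocked_until = {}
    page = defaultdict(lambda: [0.0, 0])   # (ip, uri) -> [window start, hits]
    site = defaultdict(lambda: [0.0, 0])   # ip        -> [window start, hits]
    results = []
    for t, ip, uri in requests:
        if ip in whitelist:
            results.append((uri, 200))
            continue
        if blocked_until.get(ip, -1) > t:
            # Requests made while blocked keep the block alive.
            blocked_until[ip] = t + blocking_period
            results.append((uri, 403))
            continue
        tripped = False
        for table, key, limit, interval in (
            (page, (ip, uri), page_count, page_interval),
            (site, ip, site_count, site_interval),
        ):
            window = table[key]
            if t - window[0] >= interval:      # window expired: start over
                window[0], window[1] = t, 0
            window[1] += 1
            tripped = tripped or window[1] > limit
        if tripped:
            blocked_until[ip] = t + blocking_period
        results.append((uri, 403 if tripped else 200))
    return results

def count_403(results):
    return sum(1 for _, status in results if status == 403)

if __name__ == "__main__":
    print("strict:", count_403(simulate(build_sample(), page_count=2, site_count=50)))
    print("tuned: ", count_403(simulate(build_sample(), page_count=5, site_count=150)))
```

With the stricter pair of values the page itself loads and the later scripts get 403, which matches the pattern in the security log entries at the top of the thread: the HTML request succeeds and individual js files fail.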

    #39062
    AITpro Admin
    Keymaster

    Thanks for posting the cause of the issue/problem.

    mod_evasive is a 3rd party Apache module and not a module that Apache created. mod_security and mod_security2 are also 3rd party Apache modules. I am not familiar with mod_evasive, but did a quick Google search and mod_evasive is configured in the mod_evasive.conf file.
