Jetpack Site Uptime Monitor – 403 error

  • #15397
    David T
    Participant

    Just installed BPS pro and Security Log indicates that Jetpack Monitor  is being blocked.  Can you advise the best way to whitelist this?

    [403 GET / HEAD Request: 3 June, 2014 - 9:16 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 10.168.1.23
    Host Name: 10.168.1.23
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 192.0.84.33
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)
    
    #15398
    Schneider
    Participant

    David, first thing is always look at the IP where the bot came from.

    If you google “Whois 10.168.1.23” then the first result is this page:

    http://ip.domaintasks.com/10.168.1.22

    you can see that 10.168.1.22 is a private IP and not a valid IP where a valid bot would come from.

    IMHO BPS is working without any flaw here – you will see lots of such entries where the user agent string looks valid but this is what the bad guys always do – make those request look as valid as possible.

    Just check the IPs with a whois lookup and you see if it is valid or not. My 2 cents.

    #15399
    David T
    Participant

    Hi Schneider, thanks for your reply.  Jetpack Monitor reported site down as soon as BPS Pro was installed so I’m sure it’s blocking.  With regard to ip, I assumed 10.168.1.22 was a private ip at my hosting co if firewall is performing NAT.  I don’t want to whitelist this ip so any other workaround would be appreciated.

    #15400
    AITpro Admin
    Keymaster

    UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

    UPDATE: The Jetpack Uptime Monitor makes a HEAD Request to check the site uptime.  To allow the HEAD Request do the Custom Code steps below.

    1. Copy this modified REQUEST METHODS FILTERED .htaccess code below to this BPS Custom Code text box CUSTOM CODE REQUEST METHODS FILTERED:
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    Jetpack Plugin Users Important Note:  You can either choose to use the code below that whitelists/allows the Jetpack User Agent, or you can use the code that whitelists/allows all HEAD Requests by using the code which has the last 2 lines of code commented out with # signs.

    BPS Pro 11.6+ & BPS free .53.2+
    You may see this code or the 11.5+/.53.1+ code in your root htaccess file.  The code does the same exact thing and is whitelisted in the same exact way.

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    Jetpack plugin users: whitelist the Jetpack User Agent

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    BPS Pro 11.5+ & BPS free .53.1+

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ - [R=405,L]

    Jetpack plugin users: whitelist the Jetpack User Agent

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
    RewriteRule ^(.*)$ - [R=405,L]

    BPS Pro 11.4|BPS free .53 and lower versions

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and 
    # remove/delete HEAD| from the Request Method filter.
    # Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    # The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]

    ____________________________
    Sounds like you are using this XML-RPC protection Bonus Custom Code in the link below.  You can either whitelist IP addresses or Host names or just not use the Bonus Custom Code.  The choice is up to you.

    http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/
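    The outcome of the three REQUEST METHODS FILTERED variants above, modelled in Python as an added example (not BPS code) so the effect of the HEAD lines and the Jetpack user-agent condition can be checked without touching a live htaccess file. It assumes a three-valued head_policy switch that has no counterpart in BPS; the regexes are the ones quoted in the reply.

```python
import re

# The three REQUEST METHODS FILTERED variants quoted in the thread, modelled
# as plain regexes. Added example, not code from BPS. Apache's [NC] flag makes
# the method test case-insensitive; the user-agent RewriteCond has no [NC],
# so "Jetpack" is matched case-sensitively, exactly as the rule is written.
BLOCKED_METHODS = re.compile(r"^(TRACE|DELETE|TRACK|DEBUG)", re.IGNORECASE)
HEAD_METHOD = re.compile(r"^(HEAD)", re.IGNORECASE)
JETPACK_UA = re.compile(r"^(.*Jetpack.*)$")


def filter_request(method, user_agent, head_policy="block"):
    """Return the HTTP status the rule set yields for one request.

    head_policy (an assumption of this example) selects the active variant:
      "block"   - both HEAD lines uncommented: every HEAD request -> 405
      "allow"   - both HEAD lines commented out with #: HEAD passes through
      "jetpack" - the extra RewriteCond on HTTP_USER_AGENT: only HEAD
                  requests whose user agent contains "Jetpack" pass
    403 is the [F] result, 405 the 405.php / [R=405] result, and 200
    means the request falls through to the rest of the htaccess file.
    """
    if BLOCKED_METHODS.match(method):
        return 403
    if head_policy == "allow" or not HEAD_METHOD.match(method):
        return 200
    if head_policy == "jetpack" and JETPACK_UA.match(user_agent or ""):
        # RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$ is negated, so a
        # user agent containing "Jetpack" stops the 405 rule from firing.
        return 200
    return 405


JETMON_UA = "jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)"

if __name__ == "__main__":
    for policy in ("block", "allow", "jetpack"):
        print(policy, filter_request("HEAD", JETMON_UA, policy),
              filter_request("HEAD", "curl/7.64.1", policy))
```

    Note that a lowercase "jetpack" in the user agent is rejected under the "jetpack" variant because that RewriteCond carries no [NC] flag.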

    #15401
    David T
    Participant

    Hi, not using the XML-RPC protection Bonus Custom Code, hadn’t got around to adding it.   I’m also getting a PHP error when I enable/disable Jetpack Monitor.  Not sure if this is separate or related…

    [03-Jun-2014 14:52:22 UTC] PHP Warning:  call_user_func_array() expects parameter 1 to be a valid callback, function 'vaultpress_jetpack_more_info_connected' not found or invalid function name in /var/sites/r/mywebsite.com/public_html/wp-includes/plugin.php on line 470
    
    #15402
    AITpro Admin
    Keymaster

    Oops, as Schneider pointed out the problem is that 10.168.1.23 is not a valid Public IP address and that is why the problem is occurring.  My coffee had not kicked in yet.  😉  A 10. IP address is a Private IP address that is intended to be used internally and CANNOT be used externally/publicly.  Jetpack cannot connect to a Private IP address because that is not allowed/not possible to do.  The php error is most likely also going to be because of the 10. Private IP address as well or maybe it is some other issue with Jetpack that you would need to ask the Jetpack folks about.

    Typically when a 10. IP address shows up as the Remote Address for the site this is a Routing configuration problem that your Host would need to correct at the Server, Firewall or Proxy.  Contact your Host about this and you can refer them to this Forum Topic.

    #15404
    AITpro Admin
    Keymaster

    Also one thing that we have not made crystal clear is that BPS logs all 403 errors, but a 403 error may not necessarily be caused by BPS.  This information has been added in the next versions of BPS.

    #15406
    AITpro Admin
    Keymaster

    Also you need to deactivate the Plugin Firewall until the 10. Private IP address issue is resolved.  The Plugin Firewall is not intended to be used with Private IP addresses for a publicly hosted website and is ONLY intended to be used with Public IP addresses for a publicly hosted website.  The Plugin Firewall will work with Private IP addresses (XAMPP, MAMP, LAMP, etc), but these site types are development/internal site types that are NOT hosted publicly for public visitors to that site.

    #15434
    David T
    Participant

    As requested I contacted my hosting company, here’s the reply:

    10.168.1.23 is the internal (private network) IP of one of our load balancers. The IP of the client making the request is in the HTTP_X_FORWARDED_FOR header: 192.0.84.33. This is a false positive in the plugin, so probably something you would ignore.

    Looks like BPS Pro Plugin Firewall may not work with my particular hosting setup.  Other plugins have the ability to work behind a proxy (i.e Limit Login Attempts) – is this not possible with BPS Pro?

    #15436
    AITpro Admin
    Keymaster

    http://en.wikipedia.org/wiki/X-Forwarded-For

    X-Forwarded-For: client, proxy1, proxy2

    The Plugin Firewall has additional whitelist tools so that you can add and whitelist multiple IP addresses.  Click on the Additional Whitelist Tools accordion tab, use the “Allow from” Whitelist rules tool, enter:  Allow from 10.168. (or you may need to enter Allow from 10. if the IP address changes frequently or there is a large pool of IP addresses), click the Save Additional Allow from Rules button, click the Firewall Whitelist Tools accordion tab, click the Save Whitelist Options button and activate the Plugin Firewall again.

    I Googled around and did not find any search results for Jetpack X-Forwarded-For so most likely there is not a problem with this. So the chances are good that Jetpack will be able to connect successfully once you whitelist your 10. Private IP address.
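    A small triage script for BPS Security Log entries that applies the X-Forwarded-For reading above (left-most hop is the client) and only trusts that header when REMOTE_ADDR is a private address, i.e. when the request came in through an internal load balancer as David T's host confirmed. Added example, not BPS code; the two sample entries are condensed from the log excerpts in this thread, with unused fields omitted.

```python
import ipaddress

# Two entries condensed from the BPS Security Log excerpts quoted in this
# thread (fields not used here omitted); constructed sample, not a live log.
SAMPLE_LOG = """\
[403 GET / HEAD Request: 3 June, 2014 - 9:16 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 10.168.1.23
HTTP_X_FORWARDED_FOR: 192.0.84.33
REQUEST_METHOD: GET
HTTP_USER_AGENT: jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)

[405 HEAD Request: December 11, 2015 - 12:05 am]
Event Code: BFHS-HEAD - HEAD Request Blocked
REMOTE_ADDR: 192.0.102.40
HTTP_X_FORWARDED_FOR:
REQUEST_METHOD: HEAD
HTTP_USER_AGENT: jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)
"""


def parse_entries(text):
    """Split the log into blank-line separated entries of "Key: value" fields."""
    entries = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.splitlines()
        fields = {"header": lines[0].strip("[]")}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries


def triage(entry):
    """Work out who the real client was and whether it is the Jetpack monitor."""
    remote = ipaddress.ip_address(entry["REMOTE_ADDR"])
    # X-Forwarded-For is "client, proxy1, proxy2": the left-most hop is the
    # original client. Any sender can set the header, so it is only trusted
    # when REMOTE_ADDR is private, i.e. the request arrived via an internal
    # load balancer or proxy rather than directly from the internet.
    raw = entry.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    proxied = remote.is_private and bool(hops)
    return {
        "remote_is_private": remote.is_private,
        "client_ip": hops[0] if proxied else str(remote),
        "via_internal_proxy": proxied,
        "jetpack_monitor": "Jetpack" in entry.get("HTTP_USER_AGENT", ""),
    }
```

    For the first entry the script reports a private REMOTE_ADDR with the real client 192.0.84.33 behind it, which is the load-balancer situation the host described; for the second the public REMOTE_ADDR is used as-is.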


    #15451
    rafaelmagic
    Participant

    It works behind a proxy. I have Varnish installed. Works great.

    The problem might be that Apache is seeing the internal (load balancer) IP as the external IP. Your host should have a code so that X-Forward = real ip. I think there is an Apache module called mod-rpaf. That might fix it.
    http://www.stderr.net/apache/rpaf/

    I have seen code that you can place in the wp-config.php and a wp-plugin.
    https://www.openshift.com/forums/openshift/how-to-fix-incorrect-client-ip-in-wordpress-behind-proxy

    Maybe I am over thinking?

    #27185
    MMBCB
    Participant

    [Topic has been merged into this relevant Topic]
    This is still in my custom code, but I am getting the 403 error again with the Jetpack IP. Could not find my post on the forum, but here is the old post on wp to refresh your memory: https://wordpress.org/support/topic/hostname-5?replies=12

    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ - [R=405,L]

    Here is the log:

    [405 HEAD Request: December 11, 2015 - 12:05 am]
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 192.0.102.40
    Host Name: 192.0.102.40
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: HEAD
    HTTP_REFERER: 
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)

    #27192
    AITpro Admin
    Keymaster

    @ MMBCB – Yes that is the correct whitelist method for the Jetpack uptime monitor.  Do all of the steps again in this forum topic reply to make sure the code is also actually in your root htaccess file as well as Custom Code:  http://forum.ait-pro.com/forums/topic/jetpack-site-uptime-monitor-403-error/#post-15400

    #27193
    MMBCB
    Participant

    Correct, I did not complete that step.
