Topic: Jetpack Site Uptime Monitor – 403 error

Jetpack Site Uptime Monitor – 403 error

Tagged: 403 error, Jetpack

This topic has 13 replies, 5 voices, and was last updated 8 years, 4 months ago by MMBCB.

Viewing 14 posts - 1 through 14 (of 14 total)

Author

Posts
June 3, 2014 at 2:59 am #15397
David T
Participant
Just installed BPS pro and Security Log indicates that Jetpack Monitor is being blocked. Can you advise the best way to whitelist this?
```
[403 GET / HEAD Request: 3 June, 2014 - 9:16 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 10.168.1.23
Host Name: 10.168.1.23
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 192.0.84.33
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /
QUERY_STRING: 
HTTP_USER_AGENT: jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)
```
June 3, 2014 at 3:16 am #15398
Schneider
Participant

David, first thing is always look at the IP where the bot came from.

If you google “Whois 10.168.1.23” then the first result is this page:

http://ip.domaintasks.com/10.168.1.22

you can see that 10.168.1.22 is a private IP and not a valid IP where a valid bot would come from.

IMHO BPS is working without any flaw here – you will see lots of such entries where the user agent string looks valid but this is what the bad guys always do – make those request look as valid as possible.

Just check the IPs with a whois lookup and you see if it is valid or not. My 2 cents.
June 3, 2014 at 3:31 am #15399
David T
Participant

Hi Schneider, thanks for your reply. Jetpack Monitor reported site down as soon as BPS Pro was installed so I’m sure it’s blocking. With regard to ip, I assumed 10.168.1.22 was a private ip at my hosting co if firewall is performing NAT. I don’t want to whitelist this ip so any other workaround would be appreciated.
June 3, 2014 at 7:38 am #15400
AITpro Admin
Keymaster
UPDATE: BPS Pro 13+ and BPS 2.0+ versions have a feature called: Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup) that automatically creates plugin and theme whitelist rules and automatically sets up and cleans up caching plugins htaccess code.

UPDATE: The Jetpack Uptime Monitor makes a HEAD Request to check the site uptime. To allow the HEAD Request do the Custom Code steps below.

1. Copy this modified REQUEST METHODS FILTERED .htaccess code below to this BPS Custom Code text box CUSTOM CODE REQUEST METHODS FILTERED:
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

Jetpack Plugin Users Important Note: You can either choose to use the code below that whitelist’s/allows the Jetpack User Agent or you can use the code that whitelist’s/allows all HEAD Requests by using the code which has the last 2 lines of code commented out with # signs.

BPS Pro 11.6+ & BPS free .53.2+
You may see this code or the 11.5+/.53.1+ code in your root htaccess file. The code does the same exact thing and is whitelisted in the same exact way.
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
```
Jetpack plugin users: whitelist the Jetpack User Agent
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
```
BPS Pro 11.5+ & BPS free .53.1+
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]
```
Jetpack plugin users: whitelist the Jetpack User Agent
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and copy
# this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
# text box: CUSTOM CODE REQUEST METHODS FILTERED.
# See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [R=405,L]
```
BPS Pro 11.4|BPS free .53 and lower versions
```
# REQUEST METHODS FILTERED
# If you want to allow HEAD Requests use BPS Custom Code and 
# remove/delete HEAD| from the Request Method filter.
# Example: RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
# The TRACE, DELETE, TRACK and DEBUG Request methods should never be removed.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
```
____________________________
Sounds like you are using this XML-RPC protection Bonus Custom Code in the link below. You can either whitelist IP addresses or Host names or just not use the Bonus Custom Code. The choice is up to you.

http://forum.ait-pro.com/forums/topic/wordpress-xml-rpc-ddos-protection-protect-xmlrpc-php-block-xmlrpc-php-forbid-xmlrpc-php/
June 3, 2014 at 8:14 am #15401
David T
Participant
Hi, not using the XML-RPC protection Bonus Custom Code, hadn’t got around to adding it. I’m also getting a PHP error when I enable/disable Jetpack Monitor. Not sure if this separate or related…
```
[03-Jun-2014 14:52:22 UTC] PHP Warning:  call_user_func_array() expects parameter 1 to be a valid callback, function 'vaultpress_jetpack_more_info_connected' not found or invalid function name in /var/sites/r/mywebsite.com/public_html/wp-includes/plugin.php on line 470
```
June 3, 2014 at 8:24 am #15402
AITpro Admin
Keymaster

Oops as Schneider pointed out the problem is that 10.168.1.23 is not a valid Public IP address and that is why the problem is occurring. My coffee had not kicked in yet. 😉 A 10. IP address is a Private IP address that is intended to be used internally and CANNOT be used externally/publicly. Jetpack cannot connect to a Private IP address because that is not allowed/not possible to do. The php error is most likely also going to be because of the 10. Private IP address as well or maybe it is some other issue with Jetpack that you would need to ask the Jetpack folks about.

Typically when a 10. IP address shows up as the Remote Address for the site this is a Routing configuration problem that your Host would need to corrrect at the Server, Firewall or Proxy. Contact your Host about this and you can refer them to this Forum Topic.
June 3, 2014 at 8:30 am #15404
AITpro Admin
Keymaster

Also one thing that we have not made crystal clear is that BPS logs all 403 errors, but a 403 error may not necessarily be caused by BPS. This information has been added in the next versions of BPS.
June 3, 2014 at 8:54 am #15406
AITpro Admin
Keymaster

Also you need to deactivate the Plugin Firewall until the 10. Private IP address isssue is resolved. The Plugin Firewall is not intended to be used with Private IP addresses for a publicly hosted website and is ONLY intended to be used with Public IP addresses for a publicly hosted website. The Plugin Firewall will work with Private IP addresses (XAMPP, MAMP, LAMP, etc), but these site types are development/internal site types that are NOT hosted publicly for public visitors to that site.
June 5, 2014 at 2:28 am #15434
David T
Participant

As requested I contacted my hosting company, here’s the reply:

10.168.1.23 is the internal (private network) IP of one of our load balancers. The IP of the client making the request is in the HTTP_X_FORWARDED_FOR header: 192.0.84.33. This is a false positive in the plugin, so probably something you would ignore.

Looks like BPS Pro Plugin Firewall may not work with my particular hosting setup. Other plugins have the ability to work behind a proxy (i.e Limit Login Attempts) – is this not possible with BPS Pro?
June 5, 2014 at 6:11 am #15436
AITpro Admin
Keymaster

http://en.wikipedia.org/wiki/X-Forwarded-For

X-Forwarded-For: client, proxy1, proxy2

The Plugin Firewall has additional whitelist tools so that you can add and whitelist multiple IP addresses. Click on the Additional Whitelist Tools accordion tab, use the “Allow from” Whitelist rules tool, enter: Allow from 10.168. (or you may need to enter Allow from 10. if the IP address changes frequently or there is a large pool of IP addresses), click the Save Additional Allow from Rules button, click the Firewall Whitelist Tools accordion tab, click the Save Whitelist Options button and activate the Plugin Firewall again.

I Googled around and did not find any search results for Jetpack X-Forwarded-For so most likely there is not a problem with this. So the chances are good that Jetpack will be able to connect successfully once you whitelist your 10. Private IP address.
June 5, 2014 at 2:15 pm #15451
rafaelmagic
Participant

It works behind a proxy. I have Varnish installed. Works great.

The problem might be that Apache is seeing the internal (load balancer) IP as the external IP. Your host should have a code so that X-Forward = real ip. I think their is a apache module called mod-rpaf. That might fix it.
http://www.stderr.net/apache/rpaf/

I have seen code that you can place in the wp-config.php and a wp-plugin.
https://www.openshift.com/forums/openshift/how-to-fix-incorrect-client-ip-in-wordpress-behind-proxy

Maybe I am over thinking?
December 10, 2015 at 9:13 pm #27185
MMBCB
Participant
[Topic has been merged into this relevant Topic]
This is still in my custom code, but I am getting the 403 error again with the Jetpack IP. Could not find my post on the forum, but here is the old post on wp to refresh your memory: https://wordpress.org/support/topic/hostname-5?replies=12
```
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F]
#RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
#RewriteRule ^(.*)$ - [R=405,L]
```
Here is the log:
```
[405 HEAD Request: December 11, 2015 - 12:05 am]
Event Code: BFHS-HEAD - HEAD Request Blocked
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 192.0.102.40
Host Name: 192.0.102.40
SERVER_PROTOCOL: HTTP/1.0
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: HEAD
HTTP_REFERER: 
REQUEST_URI: /
QUERY_STRING: 
HTTP_USER_AGENT: jetmon/1.0 (Jetpack Site Uptime Monitor by WordPress.com)
```
December 10, 2015 at 11:46 pm #27192
AITpro Admin
Keymaster

@ MMBCB – Yes that is the correct whitelist method for the Jetpack uptime monitor. Do all of the steps again in this forum topic reply to make sure the code is also actually in your root htaccess file as well as Custom Code: http://forum.ait-pro.com/forums/topic/jetpack-site-uptime-monitor-403-error/#post-15400
December 11, 2015 at 12:49 am #27193
MMBCB
Participant

Correct, I did not complete that step.
Author

Posts

Viewing 14 posts - 1 through 14 (of 14 total)

You must be logged in to reply to this topic.

BulletProof Security Forum

Jetpack Site Uptime Monitor – 403 error

Search Forums

Topic Tags