Jetpack SSO – unable to login, locked out

Home Forums BulletProof Security Free Jetpack SSO – unable to login, locked out

Tagged: 

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • #33896
    AITpro Admin
    Keymaster

    Email Question:
    I’d be grateful if you could help with the issues I’m having logging into my wordpress account.

    I have a security feature in place where after three failed attempts it locks me out. I’m happy with this but I’m typing in the correct username and password but it tells me it’s incorrect and doesn’t log me in…. I’ve changed the file name with my hosting provider… log in… then change the file name back again but it doesn’t work it still does not allow me to login.

    #33897
    AITpro Admin
    Keymaster

    I checked your website and you have Jetpack installed and are using Jetpack SSO for login security protection. I assume that BPS Login Security and Jetpack SSO login security cannot be used together since they are both doing the same or similar things. You will need to choose which login security protection you would like to use and turn off Login Security protection in the other plugin.

    #39529
    AITpro Admin
    Keymaster

    Email Question:

    I’ve run into another scenario. I have a site with Jetpack SSO enabled and one of your forum resources pages mention that BPS Pro cannot be used along side Jetpack SSO since they both do the same thing. This post is from 2017 – Is that still valid? I tried (a) disabling the LSM module and (b) adding the client’s IP address to the whitelist (PFW) but the problem persists.

    https://forum.ait-pro.com/forums/topic/jetpack-sso-unable-to-login-locked-out/

    On this site, I, as the admin, can successfully login using Jetpack SSO. However, the client using an author role account, is facing trouble (screenshot attached) and I see a similar security log record.

    [403 GET Request: November 4, 2020 - 9:46 pm]
    BPS Pro: 14.9
    WP: 5.5.3
    Event Code: WPADMIN-SBR
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 2222:2222:222:eee:eeee:e222:2e22:2222
    Host Name: 2222:2222:222:eee:eeee:e222:2e22:2222
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-admin/?redirect_to=https://example.com/wp-admin/&request_redirect_to=https://example.com/wp-admin/&calypso_env=production&jetpack-sso-auth-redirect=1
    QUERY_STRING: redirect_to=https://example.com/wp-admin/&request_redirect_to=https://example.com/wp-admin/&calypso_env=production&jetpack-sso-auth-redirect=1
    HTTP_USER_AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36

    Any suggestions to help a user login with Jetpack SSO – just as the admin can?

    #39530
    AITpro Admin
    Keymaster

    This solution did not work – see the following forum reply below.

    Sent this possible solution > pending verification that it works.

    1. Copy the wp-admin Query String skip/bypass rule for the Jetpack SSO plugin into this BPS wp-admin Custom Code text box: 3. CUSTOM CODE WPADMIN PLUGIN/FILE SKIP RULES.
    2. Click the Save wp-admin Custom Code button. Note: If you see a 403 error or are unable to save this custom code due to ModSecurity being installed on your server, click the Encrypt Custom Code button first and then click the Save wp-admin Custom Code button.
    3. Go to the BPS Pro > Setup Wizard page > run the Pre-Installation Wizard and the Setup Wizard. Note: For BPS free just run the Setup Wizard.

    # Jetpack SSO wp-admin Query String skip/bypass rule
    # RewriteCond %{QUERY_STRING} (.*)jetpack-sso-auth-redirect(.*) [NC]
    # RewriteRule . - [S=2]
    #39536
    AITpro Admin
    Keymaster

    UPDATE:  This working solution for Jetpack SSO has been added to the Setup Wizard AutoFix feature in BPS Pro 15 and BPS 4.4.

    The solution above did not work, but this solution below did work.

    1. Copy the modified wp-admin Query String Exploits code into this BPS wp-admin Custom Code text box: 4. CUSTOM CODE BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    2. Click the Save wp-admin Custom Code button. Note: If you are unable to save the modified custom htaccess code due to ModSecurity blocking saving the custom htaccess code then click the Encrypt wp-admin Custom Code button first and then click the Save wp-admin Custom Code button.
    3. Go to the BPS Setup Wizard page and run the Pre-Installation Wizard and Setup Wizard. For BPS free run the Setup Wizard.

    # BEGIN BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    # WORDPRESS WILL BREAK IF ALL THE BPSQSE FILTERS ARE DELETED
    # Use BPS wp-admin Custom Code to modify/edit/change this code and to save it permanently.
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    #RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    #RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F]
    # END BPSQSE-check BPS QUERY STRING EXPLOITS AND FILTERS
    #43843
    Sanjeev
    Participant

    Jetpack SSO and BPS Login Security likely conflict since they offer similar login security features. Choose one and disable the other for optimal website security. https://ssoidportal.org/

Viewing 6 posts - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.