Incapsula – Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted

Home Forums BulletProof Security Pro Incapsula – Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted

Tagged: 

This topic contains 34 replies, has 2 voices, and was last updated by  Living Miracles 10 months ago.

Viewing 15 posts - 1 through 15 (of 35 total)
  • Author
    Posts
  • #33476

    Living Miracles
    Participant

    Hi,

    On my multisite (i-am-one.net), I just updated BPS Pro to version 13. Since then, I’ve gotten a massive amount of Security Log entries. Here is one (all the others are very similar to this one):

    [405 HEAD Request: June 28, 2017 - 10:10 am]
    BPS Pro: 13
    WP: 4.8
    Event Code: PFWR-PSBR-HPRA-HEAD
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 198.143.33.41
    Host Name: 198.143.33.41.ip.incapdns.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 69.162.124.236
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://suzanne.i-am-one.net
    REQUEST_URI: /wp-content/plugins/bulletproof-security/405.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    I also went to the PFW settings and noticed an error:
    Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted
    The bulletproof-security plugin js scripts should NOT be whitelisted.Click on the Plugin Firewall Whitelist Tools accordion tab and correct/fix any invalid plugin whitelist rules in the Plugins Script|File Whitelist Text Area.
    Delete the bulletproof-security js script(s) and click the Save Whitelist Options button and activate the Plugin Firewall again.
    Valid plugin Whitelist rules MUST use ONLY this Format: /plugin-folder-name/plugin-script.js, /plugin-folder-name/(.*).js. Plugin paths/scripts are separated by a comma and a single space.

    Here are the Whitelist Rules currently in that box:

    /akismet/_inc/akismet.js, /akismet/_inc/form.js, /async-javascript/js/admin.js, /autoptimize/classes/external/js/jquery.cookie.min.js, /autoptimize/classes/external/js/unslider-min.js, /autoptimize/classes/static/toolbar.js, /captcha/bws_menu/js/bws_tooltip.js, /captcha/bws_menu/js/c_o_o_k_i_e.js, /captcha/bws_menu/js/general_script.js, /captcha/bws_menu/js/shortcode-button.js, /captcha/js/front_end_script.js, /contact-form-7/includes/js/scripts.js, /facebook-button-plugin/bws_menu/js/general_script.js, /facebook-button-plugin/bws_menu/js/shortcode-button.js, /facebook-button-plugin/js/script.js, /google-calendar-events/assets/js/admin-add-calendar.min.js, /google-calendar-events/assets/js/admin.min.js, /google-calendar-events/assets/js/default-calendar.min.js, /google-calendar-events/assets/js/vendor/imagesloaded.pkgd.min.js, /google-calendar-events/assets/js/vendor/jquery.qtip.min.js, /google-calendar-events/assets/js/vendor/jquery.tipTip.minified.js, /google-calendar-events/assets/js/vendor/moment-timezone-with-data.min.js, /google-calendar-events/assets/js/vendor/moment.min.js, /google-calendar-events/assets/js/vendor/select2.min.js, /google-one/bws_menu/js/general_script.js, /google-one/bws_menu/js/shortcode-button.js, /google-one/js/script.js, /monarch/js/admin.js, /monarch/js/custom.js, /monarch/js/idle-timer.min.js, /monarch/js/monarch-mce-button.js, /monarch/js/monarch-post-meta.js, /tinymce-advanced/mce/advlist/plugin.min.js, /tinymce-advanced/mce/anchor/plugin.min.js, /tinymce-advanced/mce/code/plugin.min.js, /tinymce-advanced/mce/contextmenu/plugin.min.js, /tinymce-advanced/mce/emoticons/plugin.min.js, /tinymce-advanced/mce/insertdatetime/plugin.min.js, /tinymce-advanced/mce/link/plugin.min.js, /tinymce-advanced/mce/nonbreaking/plugin.min.js, /tinymce-advanced/mce/print/plugin.min.js, /tinymce-advanced/mce/searchreplace/plugin.min.js, /tinymce-advanced/mce/table/plugin.min.js, /tinymce-advanced/mce/visualblocks/plugin.min.js, /tinymce-advanced/mce/visualchars/plugin.min.js, /tinymce-advanced/mce/wptadv/plugin.min.js, /wordpress-seo/js/(.*).js, /wordpress-seo/js/dist/select2/i18n/en.js, /wordpress-seo/js/dist/select2/select2.min.js, /wp-security-audit-log/js/common.js, /wp-smushit//assets/shared-ui/wdev-ui.js, /wp-smushit/assets/js/wp-smushit-admin.js, /wp-smushit/assets/shared-ui/wdev-ui.js, /wp-security-audit-log/js/auditlog.js, /async-javascript/js/admin.min.js, /wp-security-audit-log/js/settings.js, /bulletproof-security/405.php

    The only BPS Pro-related Whitelist Rule I see is the last one for the /405.php. I tried removing this, and that stopped the Security Log entries from being generated for about 2 minutes, but then the /405.php Whitelist Rule got automatically added back into the PFW.

    Can you tell me how I should proceed here? Thank you!

    #33478

    AITpro Admin
    Keymaster

    Most likely Incapsula is breaking the Plugin Firewall.  Do these steps in this link:  https://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/page/3/#post-30933

    #33498

    Living Miracles
    Participant

    Thanks! This will also take care of the error I’m seeing in the Plugin Firewall area then, yes? It will fix the Security Log entries and the PFW error?

    #33499

    AITpro Admin
    Keymaster

    You would need to let me know if that does work or not.

    #33500

    Living Miracles
    Participant

    Thanks. I just went through all those steps but it didn’t fix either of the issues. The error in PFW still appears: http://i.imgur.com/YixWhcu.png

    And the Security Log entries still appear as well. Maybe I didn’t enter the “proxy server IP address: xxx.xxx.xxx.xxx in the Whitelist by Hostname (domain name) and IP Address text box” correctly? Here’s what I entered:

    198.143.33.41.ip.incapdns.net, 198.143.33.41, 198.143.33.33, 198.143.33.33.ip.incapdns.net, 198.143.32.145.ip.incapdns.net, 198.143.32.145, 198.143.32.153.ip.incapdns.net, 198.143.32.153

    Those are the IPs/Hostnames I found in the Security Log entries.

    #33501

    AITpro Admin
    Keymaster

    Ok well I guess you cannot use Plugin Firewall AutoPilot Mode with Incapsula.  So just manually edit your Plugin Firewall whitelist rules, remove the invalid whitelist rule for the /bulletproof-security/ plugin, save your changes and activate the Plugin Firewall again. Then turn Off AutoPilot Mode.

    #33504

    Living Miracles
    Participant

    Hm, odd. We’ve been using Incapsula for a good while now (I’m assuming these Incapsula IPs are coming from SiteLock, althrough I also see Uptime Robot in the Security Log) and we haven’t had an issue until the most recent BPS Pro update. Thoughts?

    #33506

    AITpro Admin
    Keymaster

    Nothing has changed in BPS that could be causing these problems.  These problems appear to be caused by other things that are breaking BPS. Things change constantly.  For example lately we have been seeing a huge increase in Mod Security problems breaking BPS Custom Code forms and other things.  I assume what has happened is that someone globally released and distributed a new ruleset of Mod Security SecRules/SecFilters, which is breaking things in BPS as well as many other things in other plugins.  Just what it is.  😉  So you would want to check into things like what has changed in Incapsula, what has changed in SiteLock, also check into Mod Security if you have Mod Security installed on your host server since it is wreaking havoc across the board lately.

    #33507

    Living Miracles
    Participant

    Ah, thanks for that information. We did indeed install ModSecurity on our server fairly recently. What about it could be causing these issues, and is there something we can do about this if we want ModSecurity installed? Or would we need to compromise and turn off PFW AutoPilot Mode if we want to use ModSecurity?

    #33508

    AITpro Admin
    Keymaster

    This forum topic: https://forum.ait-pro.com/forums/topic/bps-speed-boost-cache-custom-code-notice/page/2/#post-33462 has 2 different people on 2 different web host’s worldwide with the same exact Mod Security problem.  We have also been contacted directly by at least 10 other people with the same exact Mod Security problems on 10 different web host’s worldwide.  ie global problem. 😉  If you are lucky your web host allows you to change individual Mod Security rules.  If not then most web hosts only offer either Enable or Disable for Mod Security.  I’m not 100% sure if the new Mod Security problems affect the BPS Pro Plugin Firewall.  Or of course the extra “combo” problem could be occurring.  Ie A breaks C, which then creates a snowball effect and breaks C, D, E, ………………….

    Mod Security in general is very nice thing, but the problem that we see every once in a while is individual Mod Security SecRules and SecFilters are created that are totally fubar.  For example:  Mod Security should have an exclusion rule for the WordPress /wp-admin/ backend area (based on the Request origin) because the WP Dashboard is password protected and does not need to checked by Mod Security.  Only the frontend of the site should have Mod Security security rules applied to it (based on the Request origin).  Request origin means where the Request came from.  If the Request came from the wp-admin area then don’t muck around with it since only an authenticated user could have made that Request.

    #33511

    AITpro Admin
    Keymaster

    I just found this forum topic regarding Incapsula:  https://forum.ait-pro.com/forums/topic/incapsula-cdn-401-error-authorization-required/#post-26856. So it looks like you would need to add the entire range of Incapsula IP addresses. I just updated that Incapsula forum topic. It now has all the most current Incapsula IP addresses.

    #33517

    Living Miracles
    Participant

    Thanks for updating those Incapsula IPs! It seems like the error I was seeing in PFW is now gone and it also looks like the /bulletproof-security/405.php isn’t getting added anymore to the Whitelist Rules. I am still seeing, however, these types of errors in the PHP error log:

    [405 HEAD Request: June 29, 2017 - 11:58 am]
    BPS Pro: 13
    WP: 4.8
    Event Code: PFWR-PSBR-HPRA-HEAD
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 198.143.33.41
    Host Name: 198.143.33.41.ip.incapdns.net
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 69.162.124.236
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: http://michael.i-am-one.net
    REQUEST_URI: /wp-content/plugins/bulletproof-security/405.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

    Can you tell me more about what’s happening there with the 405.php file? What is that file for? Sorry, if I’m a bit slow with understanding how to troubleshoot this. I appreciate anything you can explain about this further 🙂

    #33518

    AITpro Admin
    Keymaster

    My guess would be that you are using some fubar Incapsula settings.  It has been a few years since we looked at what Incapula is doing so things might have changed since then.  Incapsula used to have these option settings (3 years ago):  Static+Dynamic Caching or Aggressive Caching.  Aggressive caching did the worst possible thing imagineable – wp-admin backend caching – yeah that is a nightmare/train wreck scenario.  The wp-admin backend Dashboard should never be cached for any reason.  I’m not exactly sure what the Incapsula Static+Dynamic Caching option setting did/does, but apparently it is also a fubar setting, unless you specifically create rules to exclude the wp-admin backend area from being thrashed by Incapsula.

    Additional Information: Using the Incapsula Static + Dynamic Caching or Aggressive Caching content caching options without creating an Advanced Caching rule to NOT cache the WordPress /wp-admin backend area URL will break the BPS Pro Plugin Firewall and most likely lots of other things in all of your other plugins. The WordPress wp-admin backend Dashboard area should NEVER be cached for any reason.

    The BPS 405.php Security Logging template file logs HEAD Requests that are blocked on your site. I’m not sure why you are seeing a direct Request to the 405.php logging file, but whatever is causing the Security Log entry is directly going to the 405.php logging template instead of processing the HEAD Request normally. My assumption is that Incapsula or something else is breaking the normal functionality of the 405 logging template. You can try allowing all HEAD Requests on your site, but that is putting a band-aid on whatever the root cause of the problem is.

    #33519

    Living Miracles
    Participant

    Thanks so much for all that information. Like I said, I’m assuming that when I’m seeing “Incapsula” in the Security Log, I’ll just assume that that’s actually SiteLock since we don’t have an account with Incapsula. So, I’ve disabled SiteLock for this site for now and will see if that makes a difference in terms of the entries I’m seeing in the Security Log.

    On another note, I actually just noticed that the “Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted” did come back now in the PFW. You were saying that this could be related to ModSecurity, or did I misunderstand that?

    #33520

    AITpro Admin
    Keymaster

    I believe the “Error: Your Whitelist rules have a /bulletproof-security/admin/js/ script whitelisted” error is caused by Incapsula.  Most likely you have fubar Incapsula settings that is wrecking your WordPress backend.  You would need to look into what Incapsula is doing these days.  If another plugin is breaking things then you would need to get in touch with those plugin or service support folks to get a solution for the problem they are causing for other plugins, etc.  It is always possible that you have fubar Mod Security SecRules or SecFilters. You would need to do some Mod Security troubleshooting or contact your web host support folks for help with Mod Security troubleshooting.  We are trying to eliminate or minimize troubleshooting problems caused by other plugins these days since that kind of stuff drags everyone down – BPS Pro developers, coders and users,  😉

    If BPS or BPS Pro is causing a problem for another plugin then we create a solution for that issue/problem.  So the same rules should apply for all other plugins or services, etc. 😉

Viewing 15 posts - 1 through 15 (of 35 total)

You must be logged in to reply to this topic.