SiteGround Dedicated host server – Security Log Entries


This topic contains 8 replies, has 2 voices, and was last updated by  Living Miracles 3 weeks, 6 days ago.

    #38071

    Living Miracles
    Participant

    Hi,

    We recently migrated from a Cloud server with SiteGround to one of their dedicated servers. Since then, we’ve started seeing some interesting Security Log entries. Specifically, what is interesting is that a lot of the entries seem to “originate” from our own server (see REMOTE_ADDR and Host Name)—but also seem to be coming either from hackers or UptimeRobot at the same time (see HTTP_X_FORWARDED_FOR and HTTP_USER_AGENT).

    Here are some examples of the entries we’ve started seeing (please note, we’ve obscured our server IP and URL, as well as our domains):

    1. From Our Server
    This request seems to be coming directly from our server (REMOTE_ADDR and Host Name are both associated with our server) and is possibly cron-related (HTTP_REFERER, REQUEST_URI, QUERY_STRING). Any idea what might be happening here and if we should take any action/whitelist/etc.?

    [403 GET Request: September 21, 2019 - 3:48 pm]
    BPS Pro: 14.1
    WP: 5.2.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: our.server.tld
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://our-site.tld/wp-cron.php?doing_wp_cron=1569102482.9112329483032226562500
    REQUEST_URI: /wp-cron.php?doing_wp_cron=1569102482.9112329483032226562500
    QUERY_STRING: doing_wp_cron=1569102482.9112329483032226562500
    HTTP_USER_AGENT: WordPress/5.2.3; https://our-site.tld

    2. From UptimeRobot
    This request seems to be coming directly from our server (REMOTE_ADDR and Host Name are both associated with our server) as well, but the HTTP_USER_AGENT seems to show that this is somehow UptimeRobot-related; the HTTP_X_FORWARDED_FOR IP is definitely an UptimeRobot IP. Any idea what might be happening here (we do have our sites monitored through UptimeRobot) and if we should take any action/whitelist/etc.?

    [405 HEAD Request: October 17, 2019 - 4:22 pm]
    BPS Pro: 14.2
    WP: 5.2.3
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: our.server.tld
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 69.162.124.229
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER: https://our-site.tld
    REQUEST_URI: /
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)

    3. From our Server but Probably Hacker
    This request seems to be coming directly from our server (REMOTE_ADDR and Host Name are both associated with our server), but the HTTP_X_FORWARDED_FOR IP is from Vietnam so I’m assuming this is a hacker. Any idea what might be happening here and if we should take any action?

    [403 GET Request: October 17, 2019 - 11:00 am]
    BPS Pro: 14.2
    WP: 5.2.3
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: our.server.tld
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 2001:ee0:4f38:2cde:c4d:8f14:4e27:6ae9
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-json/oembed/1.0/embed?url=https://our-site.tld/browse/whats-new/
    QUERY_STRING: url=https://our-site.tld/browse/whats-new/
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36

    4. Amazon AWS but Probably Hacker
    This request (and there are hundreds of these on our sites in the Security Logs, all from different REMOTE_ADDR IPs, all from some version of the amazonaws.com domain) seems to be coming from the Amazon AWS service—my feeling is this is hackers trying to gain access in some way, which you can see even by the REQUEST_URI (it’s like they’re just digging around for something to access). Any idea how we could blacklist all requests from “.amazonaws.com”?

    [405 HEAD Request: October 12, 2019 - 12:09 am]
    BPS Pro: 14.2
    WP: 5.2.3
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 54.176.188.51
    Host Name: ec2-54-176-188-51.us-west-1.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: HEAD
    HTTP_REFERER:
    REQUEST_URI: /biz2webbackup.tar.gz
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

    #38072

    AITpro Admin
    Keymaster

    Your Proxy server is using Server Protocol HTTP/1.0, which is a very old Server Protocol – created in 1995.  The most commonly used Server Protocol is HTTP/1.1.  A newer Server Protocol is HTTP/2.  The most current Server Protocol version is HTTP/3.  Your Proxy server should be updated to use at least Server Protocol HTTP/1.1.

    https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#History

    What is very strange is that some Security Log entries do not have anything for:  HTTP_X_FORWARDED_FOR.  Typically when you have a Proxy server you will always see an IP address in the HTTP_X_FORWARDED_FOR field.  I have absolutely no idea why that is not happening on your server.

    #1. Are you using any custom htaccess code that blocks crons? Have you disabled WordPress standard crons? Have you setup a Direct Cron?

    #2. Fix for the Uptime Robot HEAD Request issue > https://forum.ait-pro.com/forums/topic/split-uptimerobot-whitelist-uptimerobot-bot/#post-3578

    #3. Are you using any additional custom code or custom php code in your theme’s functions.php file that blocks JSON?

    #4. Yep, typical hackerbot recon looking for random things is being blocked.

    #38079

    Living Miracles
    Participant

    Hi there,

    Thank you for the responses!

    #1. Are you using any custom htaccess code that blocks crons? Have you disabled WordPress standard crons? Have you setup a Direct Cron?

    No, we don’t have any such code that blocks crons and also haven’t disabled the standard WP crons. We have one direct cron set up, but not on this site that reported the error. Any other thoughts?

    #2. Fix for the Uptime Robot HEAD Request issue > https://forum.ait-pro.com/forums/topic/split-uptimerobot-whitelist-uptimerobot-bot/#post-3578

    Thank you! Will try that out!

    #3. Are you using any additional custom code or custom php code in your theme’s functions.php file that blocks JSON?

    No, we don’t have any such code to block JSON. Any other thoughts? I guess it’s good the request is getting blocked since the request came from Vietnam and is likely a hacker?

    #4. Yep, typical hackerbot recon looking for random things is being blocked.

    Good to know. Can we add some code in the .htaccess to block all requests from “.amazonaws.com”?

    #38080

    AITpro Admin
    Keymaster

    #1. Nope, no other ideas.  I have no idea why crons are being blocked.  You are going to have to work with your web host to figure that out.

    #3. You are correct that the Request is not “normal”.  The URL is simulating or is actually an RFI hacking attempt. Either way there is nothing you need to do about that since that should be blocked.

    #4. I don’t recommend blocking the amazonaws host/bot.  You can just ignore that issue.

    #38081

    Living Miracles
    Participant

    Hi,

    Thank you for the feedback!

    Regarding #2. I have had the following in my .htaccess (via Custom Code) since yesterday:

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    # Allows UptimeRobot HEAD requests
    RewriteCond %{HTTP_USER_AGENT} !^(UptimeRobot) [NC]
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    However, UptimeRobot continues to show up in the Security Log. Like so, for example:

    [405 HEAD Request: October 22, 2019 - 3:19 pm]
    BPS Pro: 14.2
    WP: 5.2.4
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 96.127.128.116
    Host Name: server.tld
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 63.143.42.252
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: HEAD
    HTTP_REFERER: https://example.tld
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)

    Is my .htaccess code incorrect somehow?

    #38082

    AITpro Admin
    Keymaster

    Try whitelisting by IP address instead of by User Agent.

    https://uptimerobot.com/locations

    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    # Allows UptimeRobot HEAD requests
    RewriteCond %{REMOTE_ADDR} !^(216.144.250.150|69.162.124.226|69.162.124.227|69.162.124.228|69.162.124.229|69.162.124.230|69.162.124.231|69.162.124.232|69.162.124.233|69.162.124.234|69.162.124.235|69.162.124.236|69.162.124.237|63.143.42.242|63.143.42.243|63.143.42.244|63.143.42.245|63.143.42.246|63.143.42.247|63.143.42.248|63.143.42.249|63.143.42.250|63.143.42.251|63.143.42.252|63.143.42.253|216.245.221.82|216.245.221.83|216.245.221.84|216.245.221.85|216.245.221.86|216.245.221.87|216.245.221.88|216.245.221.89|216.245.221.90|216.245.221.91|216.245.221.92|216.245.221.93|46.137.190.132|122.248.234.23|188.226.183.141|178.62.52.237|54.79.28.129|54.94.142.218|104.131.107.63|54.67.10.127|54.64.67.106|159.203.30.41|46.101.250.135|18.221.56.27|52.60.129.180|159.89.8.111|146.185.143.14|139.59.173.249|165.227.83.148|128.199.195.156|138.197.150.151|34.233.66.117) [NC]
    RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]

    #38083

    Living Miracles
    Participant

    Ok, thank you! I’ve tried that now, but realized that the UptimeRobot IPs appear as the HTTP_X_FORWARDED_FOR:

    HTTP_X_FORWARDED_FOR: 63.143.42.252

    So, I added the following:

    RewriteCond %{HTTP_X_FORWARDED_FOR} !^(18.221.56.27|34.233.66.117|46.101.250.135|46.137.190.132|52.60.129.180|54.64.67.106|54.67.10.127|54.79.28.129|54.94.142.218|63.143.42.242|63.143.42.243|63.143.42.244|63.143.42.245|63.143.42.246|63.143.42.247|63.143.42.248|63.143.42.249|63.143.42.250|63.143.42.251|63.143.42.252|63.143.42.253|69.162.124.226|69.162.124.227|69.162.124.228|69.162.124.229|69.162.124.230|69.162.124.231|69.162.124.232|69.162.124.233|69.162.124.234|69.162.124.235|69.162.124.236|69.162.124.237|104.131.107.63|122.248.234.23|128.199.195.156|138.197.150.151|139.59.173.249|146.185.143.14|159.203.30.41|159.89.8.111|165.227.83.148|178.62.52.237|188.226.183.141|216.144.250.150|216.245.221.82|216.245.221.83|216.245.221.84|216.245.221.85|216.245.221.86|216.245.221.87|216.245.221.88|216.245.221.89|216.245.221.90|216.245.221.91|216.245.221.92|216.245.221.93) [NC]

    It still doesn’t appear to be working though. I’m continuing to see entries like this in the Security Log:

    [405 HEAD Request: October 22, 2019 - 5:37 pm]
    BPS Pro: 14.2
    WP: 5.2.4
    Event Code: BFHS-HEAD - HEAD Request Blocked
    Solution: https://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: xxx.xxx.xxx.xxx
    Host Name: server.tld
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 63.143.42.252
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: HEAD
    HTTP_REFERER: https://example.tld
    REQUEST_URI: /
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)
    

    Anything else I can try?

    I’d also like to come back to my original #4 question. You said that you don’t recommend blocking the “amazonaws.com” host names. Can you tell me why that is? And if I wanted to try it anyway, how would I do that?

    Thank you for all the help!

    #38084

    AITpro Admin
    Keymaster

    You would need to use %{HTTP:X-FORWARDED-FOR} instead of %{HTTP_X_FORWARDED_FOR}.

    The Amazon AWS Bot is considered a good bot, but it is a nuisance Bot that is for sure.  You would need to find a list of IP addresses for the Amazon AWS Bot and use a RewriteCond %{REMOTE_ADDR} condition.

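The Python script below is an added example, not code from this thread or from the BulletProof Security plugin. It shows, on log entries of the shape quoted above, why the two rules in this thread behaved as they did and what a proxy-aware allowance should actually check. Three points, all following from the lines posted above. First, mod_rewrite predefines only a handful of request-header variables (HTTP_USER_AGENT, HTTP_REFERER, HTTP_HOST, HTTP_FORWARDED, HTTP_COOKIE, HTTP_ACCEPT); any other header has to be read as %{HTTP:Header-Name}, and an unrecognised name such as %{HTTP_X_FORWARDED_FOR} expands to an empty string, so a `!^(...)` condition on it is true for every request and every HEAD keeps being blocked. Second, the earlier User-Agent rule failed because `^(UptimeRobot)` is anchored to the start of the string, while the logged agent begins with `Mozilla/5.0+(compatible; UptimeRobot/2.0; ...)`. Third, X-Forwarded-For is a comma-separated chain that the client can seed: a request sent with a forged `X-Forwarded-For: 63.143.42.252` reaches the web server as `63.143.42.252, <real client>` once the proxy appends the true peer, and a condition anchored with `^(...)` on the raw header matches the forged left-most value. The safe choice is the right-most address that does not belong to a trusted proxy, and only when REMOTE_ADDR is that proxy. The proxy address (an RFC 5737 documentation placeholder) and the fifth, forged entry in the sample log are constructed; the other four entries are condensed from the excerpts quoted in this thread.

```python
"""Proxy-aware reading of BulletProof Security log entries (added example)."""
import ipaddress
import re

# Constructed sample log.  Entries 1-4 are condensed from the excerpts quoted in
# this thread (server address replaced with a documentation-range placeholder);
# entry 5 is invented: a client forged an UptimeRobot address into
# X-Forwarded-For before the proxy appended the client's real address.
SAMPLE_LOG = """\
[405 HEAD Request: October 22, 2019 - 5:37 pm]
REMOTE_ADDR: 203.0.113.10
HTTP_X_FORWARDED_FOR: 63.143.42.252
REQUEST_METHOD: HEAD

[403 GET Request: September 21, 2019 - 3:48 pm]
REMOTE_ADDR: 203.0.113.10
HTTP_X_FORWARDED_FOR:
REQUEST_METHOD: GET

[403 GET Request: October 17, 2019 - 11:00 am]
REMOTE_ADDR: 203.0.113.10
HTTP_X_FORWARDED_FOR: 2001:ee0:4f38:2cde:c4d:8f14:4e27:6ae9
REQUEST_METHOD: GET

[405 HEAD Request: October 12, 2019 - 12:09 am]
REMOTE_ADDR: 54.176.188.51
HTTP_X_FORWARDED_FOR:
REQUEST_METHOD: HEAD

[405 HEAD Request: October 23, 2019 - 9:00 am]
REMOTE_ADDR: 203.0.113.10
HTTP_X_FORWARDED_FOR: 63.143.42.252, 198.51.100.77
REQUEST_METHOD: HEAD
"""

# The reverse proxy in front of the web server (placeholder address).  Only the
# X-Forwarded-For values appended by these hosts are believed.
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}

# Monitor addresses allowed to send HEAD; a subset of the list posted above.
UPTIMEROBOT = {ipaddress.ip_address(a) for a in
               ("63.143.42.252", "69.162.124.229", "216.144.250.150")}

ENTRY_HEADER = re.compile(r"^\[(\d{3}) ([A-Z]+) Request: (.+)\]$")


def parse_entries(text):
    """Split the BPS Security Log text into one dict per entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            current = {"status": int(m.group(1)), "method": m.group(2)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # IPv6 values keep their colons
            current[key.strip()] = value.strip()
    return entries


def forwarded_hops(entry):
    """X-Forwarded-For as a list: left = client-supplied, right = proxy-appended."""
    raw = entry.get("HTTP_X_FORWARDED_FOR", "")
    return [h.strip() for h in raw.split(",") if h.strip()]


def client_ip(entry):
    """Effective client address.  If the TCP peer is a trusted proxy, walk the
    chain from the right and take the first hop that is not itself a trusted
    proxy; otherwise the header is untrusted and REMOTE_ADDR is the client."""
    remote = ipaddress.ip_address(entry["REMOTE_ADDR"])
    if remote not in TRUSTED_PROXIES:
        return remote
    for hop in reversed(forwarded_hops(entry)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:          # malformed hop: stop rather than guess
            break
        if addr not in TRUSTED_PROXIES:
            return addr
    return remote                   # empty chain: the host itself (e.g. wp-cron)


def classify(entry):
    """Decision a proxy-aware REQUEST METHODS FILTERED rule should reach."""
    ip = client_ip(entry)
    if entry["method"] == "HEAD":
        return "allow-head" if ip in UPTIMEROBOT else "block-head"
    return "local-origin" if ip in TRUSTED_PROXIES else "other"


def leftmost_rule_allows(entry):
    """What `RewriteCond %{HTTP:X-Forwarded-For} !^(<ips>)` decides: it tests
    only the left-most hop, which is the one a client can forge."""
    hops = forwarded_hops(entry)
    try:
        return bool(hops) and ipaddress.ip_address(hops[0]) in UPTIMEROBOT
    except ValueError:
        return False
```

Run it over parse_entries(SAMPLE_LOG): the genuine UptimeRobot HEAD is allowed, the wp-cron GET with an empty chain is classified as local origin, the AWS HEAD that hit the server directly is blocked, and the forged fifth entry is blocked by client_ip (which resolves it to 198.51.100.77) but allowed by leftmost_rule_allows, which is the weakness of an `^(...)` match on the raw header. In .htaccess the equivalent of the safe check is hard to express with a single RewriteCond; where you control the server configuration, mod_remoteip (RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy set to the proxy's address) rewrites the client address from the header using the same right-to-left rule, and in Apache 2.4 REMOTE_ADDR-based conditions then see the real client. Whichever form you use, escape the dots in IP literals (`63\.143\.42\.252`), since an unescaped `.` matches any character, and anchor the pattern at both ends.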
    #38085

    Living Miracles
    Participant

    Thank you so much! The %{HTTP:X-FORWARDED-FOR} is now finally making things work! Appreciate the help. And thanks for the suggestion for the amazonaws issue.
