Security Log – HTTP Error Log – Read Me First

This topic contains 14 replies, has 5 voices, and was last updated by  DirkCYF 1 year, 4 months ago.

  • #1229

    AITpro Admin
    Keymaster
    #20531

    Paul
    Participant

    Does BPS Pro collect more in the security log than the basic version? Since upgrading I just see more login attempts than I did on the basic version.

    #20532

    AITpro Admin
    Keymaster

    Yes.  The BPS Pro Security Log logs a lot more things.  Several different BPS Pro features that are not in the BPS free version log things in the Security Log to keep these logged events centralized/all in one place.

    #29699

    Matt Zahy
    Participant

    Hi,

    I am getting a big amount of events: “BFHS – Blocked/Forbidden Hacker or Spammer” from exact IP and Host address. Is there a simple way to block IP and/or host address with BPS?

    thanks

    Matt

    #29701

    AITpro Admin
    Keymaster

    Since BPS is already blocking this then maybe you want to ignore/not log this particular user agent?  See the Ignoring|Not Logging User Agents|Bots – Allowing|Logging User Agents|Bots Read Me help text above or click the Security Log Read Me help button.  Or you can just let the BPS Security Log automation do what it is designed to do.

    Security Log General Information
    Your Security Log file is a plain text static file and not a dynamic file or dynamic display to keep your website resource usage at a bare minimum and keep your website performance at a maximum. Log entries are logged in descending order by Date and Time. You can copy, edit and delete this plain text file. You can set up S-Monitor Email Alerting & Log File Options to automatically email your Security Log file to you and delete it when it reaches a certain size (256KB, 500KB or 1MB).

    #30871

    bpuser101
    Participant

    Although BPS is blocking, do the hackers/spammers still take up hosting resources? There are some bad bots with the same IP making hundreds of requests (405 mainly) by the hour. Hosting resources seem to get limited as a result. Is it wise to deny access to these IPs through custom code in the .htaccess?

    #30877

    AITpro Admin
    Keymaster

    @ bpuser101 – All is good.  BPS logs errors in the same exact way that your server logs errors, which is to write to a plain text file, using fwrite, which is designed for and optimized for successive file writing.  In plain English that means that no matter what the frequency or quantity/volume of logged events that are occurring, the resource impact is pretty much 0. If BPS was using your WP DB to log events then the resource usage would have a major impact/performance hit for your site and server.  😉

    #31376

    Living Miracles
    Participant

    Hi,

    I noticed today that one of the sites: http://acim-online-video.net I use BPS Pro on has a very large Security Log (currently almost 11MB). For some reason the log wasn’t emailed/deleted when it reached the 1MB size. Any idea what could cause this? I did test the PHP mail() and WordPress wp_mail() function in S-Monitor and it works fine.

    The Security Log page loads very slowly also, and even after it’s finally done loading it just becomes unresponsive.

    I’m noticing some pretty strange looking entries as well (particularly the Whitelist Rules from today and yesterday), that I haven’t seen on any of our other sites. I’ve uploaded the file to my Dropbox here: https://www.dropbox.com/s/p78cs2fxsq6bajy/Security%20Log.txt?dl=0; I’d appreciate it if you could have a look and help me troubleshoot this issue.

    Thank you!

    #31381

    AITpro Admin
    Keymaster

    @ Living Miracles – Your Security Log entries show that this website is hosted on Go Daddy Managed WordPress hosting (a special custom type of hosting that is not standard Go Daddy hosting).  So that most likely means this is another problem caused by Go Daddy Managed WordPress hosting.  The Plugin Firewall whitelist rules created by AutoPilot are not valid.  So what I need for you to do are these steps below and then monitor your Security Log file for a day or so to see if Go Daddy Managed WordPress hosting is still continuing to cause these problems.  I assume the Security Log file not being zipped and emailed is due to the custom cron job that GDMW hosting creates instead of allowing standard WordPress cron jobs to be run.  BPS uses a standard WordPress cron job to zip and email log files.  I am not exactly sure what or why the Plugin Firewall whitelist rules are not valid.  Could be caused by something else, but I assume GDMW hosting is also causing that problem since AutoPilot Mode uses a standard WordPress cron as well.

    Do these steps first:
    1. Go to the Security Log page.
    2. Turn Off Security Logging.
    3. Click the Delete Log button to delete your Security Log file contents.
    4. Do the Plugin Firewall steps below.  When you complete step #4 below and before doing step #5 below – go back to the Security Log page and Turn On Security Logging.  Then continue with Plugin Firewall step #5 below.

    Fix all general Plugin Firewall issues/problems:
    1. Go to the Plugin Firewall page.
    2. Click the Plugin Firewall BulletProof Mode Deactivate button.
    3. Delete (or cut if you want to add your existing whitelist rules back into the Plugins Script|File Whitelist Text Area) all of your Plugin Firewall whitelist rules out of the Plugins Script|File Whitelist Text Area.
    4. Click the Save Whitelist Options button.
    5. Click the Plugin Firewall Test Mode button.
    6. Check your site pages by clicking on all main website pages: contact form page, home page, login page, etc.
    7. Recheck the Plugins Script|File Whitelist Text Area (after 1 minute) and you should see new Plugin Firewall whitelist rules have been created.
    8. Change the AutoPilot Mode Cron Check Frequency to 15 minutes or whatever frequency time you would like to use.
    9. Click the Plugin Firewall Activate button.

    #31382

    Living Miracles
    Participant

    Thanks. I’ll try those steps.

    #31383

    AITpro Admin
    Keymaster

    @ Living Miracles – After analyzing your Security Log I see reasons for why those Plugin Firewall whitelist rules were “logged”. They are not valid whitelist rules so they are only being logged and not actually created in the Plugin Firewall whitelist text area box.  You have a few hackers probing your site and the 403 errors are being interpreted as “possible” Plugin Firewall whitelist rules because they match the pattern of a whitelist rule, but like I said they are not valid so they will not actually be created and will just be logged.  The other problem is this:  This plugin:  vimeography is using the WordPress standard naming convention of “plugins” in the path to its plugin scripts.  Obviously that is a big no no.  There are certain reserved namespaces that should never be used, such as “plugins” for a path in the WordPress /plugins/ folder.  That is a recipe for disaster and is terrible coding practice in general. To compensate for this mistake you can manually create this Plugin Firewall whitelist rule: /vimeography/lib/shared/assets/js/(.*).js in the Plugin Firewall whitelist text area box.

    /wp-content/plugins/vimeography/lib/shared/assets/js/plugins/jquery.flexslider.js?ver=4.6
    /wp-content/plugins/vimeography/lib/shared/assets/js/plugins/jquery.fitvids.js?ver=4.6

    #31384

    Living Miracles
    Participant

    Interesting. Thank you for elaborating and looking into this even more and providing a whitelist rule for Vimeography!

    #31956

    Paul
    Participant

    Is it possible to get the security log and other log email notifications sent to another email address rather than the website's default email?

    #31957

    AITpro Admin
    Keymaster

    @ Paul – The email option settings are on the S-Monitor page.  You can send all emails to multiple email accounts that you add in the S-Monitor email option settings, but you cannot send individual emails to different email accounts.  Example:  You can send the Security Log email to multiple email accounts, but you cannot send Security Log emails to 1 email account and send all other emails to a different email account.

    The email address fields To, From, Cc and Bcc can be email addresses for your hosting account, your WordPress Administrator email address or 3rd party email addresses like gmail or yahoo email. If you are sending emails to multiple email recipients then separate the email addresses with a comma. Example: someone@somewhere.com, someoneelse@somewhereelse.com. You can add a space or not add a space after the comma between email addresses.

    #31958

    Paul
    Participant

    @AIT thank you
