Security Log – Security Log 403 Errors

[AITpro Admin]

Email Question:

Hello there.

I use BulletProof Security free version and was wondering if you offer paid support? I am getting a lot of 403 errors in my Security Log and don’t really understand what they are and would really love some help.

Thanks!

Ramsay

[AITpro Admin]

BulletProof Security free version support is free.  This link below contains general troubleshooting information about the BulletProof Security Pro Security Log, but also contains general help information that applies to the BulletProof Security free Security Log and errors/log entries.

http://forum.ait-pro.com/forums/topic/security-log-http-error-log-read-me-first/

If you want to post some of your Security Log entries here then ONLY post 1 of each type of error.  Please do not post the same/duplicated 403 error. 

We get on average 1,500 logged 403 log entries per day.  Some of those are hacking attempts, some are hacker recons, some are spammers, some are spambots, etc etc etc.  We do not spend a whole lot of time looking at the log entries and only skim through it daily looking for any new hacking methods.  The general idea is that you should use the Security Log / HTTP Error log for troubleshooting any plugin or other coding issues/problems and then just ignore all the blocked/Forbidden hacking attempts, spambots, etc etc etc.  Thanks.

[Jeff]

I have the opposite problem.  Prior to a recent update, my log file had maybe 20 entries a day. After the update I haven’t had an entry since 1/31/13. I can’t imagine that’s accurate. I am sure that I have done something wrong, but I don’t know what.  I have read the various resources, but I am just not knowledgable enough to follow/understand what I should be doing to test my installation of BPS on my WordPress site.  Is there a really clear step-by-step process that I can follow?  Thanks so much!

[AITpro Admin]

Do you have BPS free or BPS Pro?

[Casey Schreiner]

I’m having a similar issue with BPS Free … from what I’m seeing, it seems to be completely 403 errors, most of them look like they’re on old posts from crawlers, Facebook, or Amazon URLS (no idea why Amazon would be on there).
So what you’re saying is that most of these 403’s are nothing to worry about?  My log file seems to be getting up to around 500k every three or four days now.
 
sample error:

>>>>>>>>>>> 403 Error Logged - February 1, 2013 - 10:48 am <<<<<<<<<<<
REMOTE_ADDR: 184.169.203.101
Host Name: ec2-184-169-203-101.us-west-1.compute.amazonaws.com
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 10.197.26.50, 10.164.21.113
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /2013/02/01/hiking-temescal-canyon-to-skull-rock/
QUERY_STRING: 
HTTP_USER_AGENT: UnwindFetchor/1.0 (+http://www.gnip.com/)

[AITpro Admin]

There are many different types of events that can be logged.  The events that you should be primarily concerned with are any HTTP errors that would indicate that something legitimate like a plugin script is being blocked by BPS on your website.  

This is the approach I take.  Let’s say I installed a new plugin on my website and I want to make sure BPS is not blocking anything about this new plugin.  I would check the Security Log / HTTP Error log for a few days to ensure there are not any issues or problems occurring with that plugin.  

For all the other 10,000,000 hacking attempts/spambot sniffing/etc etc etc log entries that are logged during that period I completely ignore them unless a hacker is doing some new form of hacking attempt.  Most hacking attempts are the same old method over and over and over again, but from different hacker sites or victim sites.  

I have created a script that allows me to search and delete everything in the Security Log that is old / done before / seen it a million times before and what the script leaves me with is any new hacking methods.  This allows me to delete 9,999,999 repeated old/known hacking attempts / methods and I am left with just any new form of hacking attempt method.  If I did not use this automated script then I would be wasting hours every day looking at that crap.

Your particular log entry appears to be the UnwindFetchor Bot making a HEAD Request on your site – HEAD Requests are Blocked/Forbidden by default by BPS unless you want to allow this.

BUT

what you have to keep in mind is that IP addresses, host names and User Agents can all be faked.  So maybe it really was not the UnwindFetchor Bot or maybe it was.  😉

And it seems that a lot of folks think that they need to do something about blocked hacking attempts or blocked Bot sniffing.  If they are blocked then the problem is already solved.  The log file should be used to check for any problems.  Other than that you can completely ignore all the blocked hacking attempts, etc.  BPS is doing its job and the log file will continue to log that.

[Jeff]

I have the free version.  I’m sorry did I post in the wrong place?
 

[AITpro Admin]

Nope you posted in the correct Forum, but from the details of your question I was not sure if you had the Pro version or the Free version and the answer would be different depending on which version you have.  Since your question is actually a new / different question I have created a new Topic here:

http://forum.ait-pro.com/forums/topic/security-log-no-log-entries-security-log-is-not-logging-errors/

Please reply to the questions in the new Forum Topic link above.  Thanks.

[Snowmoon]

[Topic has been merged into this relevant Topic]

Hi

I’m a newbie to this forum and hope it’s okay to ask for help regarding the security log file?

My client’s site has grown tremendously in the past month or so and a few of his posts have gone viral. In the past two weeks, his site has slowed right down and a page can take 20 – 30 seconds to load. Also within the past two weeks or so, my client has been receiving BPS security log emails regularly every day, when previously he only very occasionaly receives one.

I’ve checked that BPS is set to email the log to him when it reaches 500K. I take it to mean that in the past two week there have been many more attempts to hack into his site, causing the log file to reach 500K much more quickly. Is that correct?

My questions are:
– Would the increased number of hack attempts be the reason his site has suddenly become so slow?
– This may be a stupid question so apologies beforehand: Is everything that’s logged an indication of some kind of hack attempt? If so, why are some of the REQUEST_URI entries images?
– I am posting a segment of the log file below. It shows the same network (216.223.27) with the same timestamp (2:20 am). Are they anything to worry about?

Thank you in advance.

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.60
Host Name: 216.223.27.60
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.18
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/04/Screen-Shot-2014-04-24-at-11.34.09-PM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.26
Host Name: 216.223.27.26
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.18
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/04/poster_A4_garfield-e1398266662934-290x166.jpg
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.57
Host Name: 216.223.27.57
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/themes/the-daily-epic/images/share-on-twitter.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.53
Host Name: 216.223.27.53
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/04/Screen-Shot-2014-04-29-at-10.51.41-AM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.24
Host Name: 216.223.27.24
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/05/Screen-Shot-2014-05-19-at-1.19.11-PM-620x350.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.53
Host Name: 216.223.27.53
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/05/airplane-turned-into-kindergarten.png.650x0_q85_crop-smart-290x166.jpg
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.53
Host Name: 216.223.27.53
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/05/end-awkwardness-hed-2014-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.27
Host Name: 216.223.27.27
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/05/Screen-Shot-2014-05-21-at-11.05.46-AM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.28
Host Name: 216.223.27.28
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/05/Screen-Shot-2014-05-20-at-1.40.45-PM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.30
Host Name: 216.223.27.30
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/plugins/special-recent-posts/cache/MjgwMTYwbm9TY3JlZW4tU2hvdC0yMDE0LTA1LTIxLWF0LTExLjA1LjQ2LUFN.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.61
Host Name: 216.223.27.61
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/04/Screen-shot-2014-04-30-at-12.49.37-PM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.30
Host Name: 216.223.27.30
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/04/Screen-Shot-2014-04-28-at-10.22.42-AM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.53
Host Name: 216.223.27.53
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/plugins/special-recent-posts/cache/MjgwMTYwbm9TY3JlZW4tU2hvdC0yMDE0LTA1LTIxLWF0LTEwLjI0LjE0LUFN.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.52
Host Name: 216.223.27.52
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/05/Screen-Shot-2014-05-06-at-10.59.52-AM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.54
Host Name: 216.223.27.54
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/04/Screen-Shot-2014-04-18-at-9.56.33-AM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.59
Host Name: 216.223.27.59
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/02/the-daily-epic-widget-logo.jpg
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.24
Host Name: 216.223.27.24
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/05/Screen-Shot-2014-05-06-at-11.02.09-PM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.29
Host Name: 216.223.27.29
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/uploads/2014/05/Screen-Shot-2014-05-11-at-10.22.37-AM-290x166.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.60
Host Name: 216.223.27.60
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/plugins/special-recent-posts/cache/MjgwMTYwbm9kZWxhLWhlZC0yMDE0.jpg
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.30
Host Name: 216.223.27.30
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/plugins/special-recent-posts/cache/MjgwMTYwbm9TY3JlZW4tU2hvdC0yMDE0LTA1LTIwLWF0LTEuNDAuNDUtUE0=.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[403 GET / HEAD Request: May 23, 2014 - 2:20 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 216.223.27.58
Host Name: 216.223.27.58
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP: 
HTTP_FORWARDED: 
HTTP_X_FORWARDED_FOR: 216.223.27.21
HTTP_X_CLUSTER_CLIENT_IP: 
REQUEST_METHOD: GET
HTTP_REFERER: 
REQUEST_URI: /wp-content/themes/the-daily-epic/images/share-on-facebook.png
QUERY_STRING: 
HTTP_USER_AGENT: ICAP-IOD

[AITpro Admin]

Security Logging will not slow down a website.  Hacking attempts could slow down a website depending on what type of hacking attempt was being done, but typically hacking attempts do not slow down a website because the hacking attempt would be blocked and a log entry would be created.  Increased visitor traffic will slow down a website depending on how much visitor traffic the site is getting, the site type and what type of hosting account the site has.  ie Shared Hosting means you are sharing Server resources.

99.99% of what is logged in the Security Log is going to be things that should be blocked.  You can ignore these things.  BPS is doing its job and nothing else is required on your part.  Everything in the Security Log that you posted can be ignored.  Image files frequently show up in the security log file.  It could be that someone is trying to scrape or mine the images on this site or it could be that something some script is doing is being blocked, but image retrieval is working fine.  The general rule of thumb is you check to see if your images are displaying correctly.  If they are then nothing else is required on your part and whatever action that was blocked does not affect image retrieval.

See this Forum Topic for more details on Security Log entries:  http://forum.ait-pro.com/forums/topic/security-log-event-codes/

What matters and what does not matter in regards to Security Log entries
http://forum.ait-pro.com/forums/topic/security-log-confusion/

[Snowmoon]

Thank you so much for you prompt and detailed response. Much appreciated.

[Author]

Posts