Whitelist for GravityScan IP range


Viewing 15 posts - 1 through 15 (of 18 total)
  • #34312
    Jeff Rivett
    Participant

    I’m evaluating the GravityScan service on one of my WordPress sites and noticed that it complains about BPS blocking some tests. They suggest whitelisting the GravityScan IP range, but they don’t specify how to do that with BPS.

    Any suggestions?

    https://www.gravityscan.com/

    #34313
    AITpro Admin
    Keymaster

    Check your BPS Security Log for any log entries that show what is being blocked and post the Security Log entry.  You can also do BPS Troubleshooting steps > https://forum.ait-pro.com/forums/topic/read-me-first-free/#bps-free-general-troubleshooting

    #34318
    Jeff Rivett
    Participant

    I’ve been through the troubleshooting steps. Here are the relevant log entries:

    [403 GET Request: October 15, 2017 - 5:09 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /.user.ini
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:11 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /php.ini
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:11 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /php.ini~
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php.bak
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php.swo
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php.save
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php~
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php_bak
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php.swp
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php.old
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php.original
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    
    [403 GET Request: October 15, 2017 - 5:14 pm]
    BPS: 2.7
    WP: 4.8.2
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 68.64.48.20
    Host Name: scanner-001.gravityscan.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP: 
    HTTP_FORWARDED: 
    HTTP_X_FORWARDED_FOR: 
    HTTP_X_CLUSTER_CLIENT_IP: 
    REQUEST_METHOD: GET
    HTTP_REFERER: 
    REQUEST_URI: /wp-config.php.orig
    QUERY_STRING: 
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
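
The log entries above are all of one kind: a single source requesting configuration files and editor/backup copies of them (`wp-config.php.bak`, `wp-config.php~`, `php.ini`, `.user.ini`) and getting a 403 from BPS each time. The following Python script is an added example for this thread, not code from the BPS plugin or from Gravityscan: it parses entries in the BPS Security Log layout shown above, groups blocked requests per `REMOTE_ADDR`, and flags any source whose blocked requests are mostly sensitive-file probes. The `SAMPLE_LOG` is constructed for the example; it reuses the scanner address and host name from the thread and adds one made-up source (`203.0.113.5`, a documentation address) for contrast.

```python
"""Parse BulletProof Security (BPS) Security Log entries and summarize what
was blocked, per source.  Added example, not BPS or Gravityscan code.  The
SAMPLE_LOG is constructed: it mirrors the entries posted in the thread and
adds one made-up source (203.0.113.5) that is not probing config files."""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^\[(\d{3}) ([A-Z]+) Request: (.+)\]$")

# Paths a scanner (or an attacker) requests hoping to read configuration,
# or an editor/backup copy of it, left readable in the web root.
SENSITIVE_NAME_RE = re.compile(
    r"/(wp-config\.php|php\.ini|\.user\.ini|\.htaccess|\.htpasswd)", re.I)
BACKUP_SUFFIX_RE = re.compile(
    r"(\.bak|\.old|\.orig|\.original|\.save|\.swp|\.swo|_bak|~)$", re.I)

SAMPLE_LOG = """\
[403 GET Request: October 15, 2017 - 5:09 pm]
BPS: 2.7
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 68.64.48.20
Host Name: scanner-001.gravityscan.com
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /.user.ini
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64)

[403 GET Request: October 15, 2017 - 5:11 pm]
REMOTE_ADDR: 68.64.48.20
Host Name: scanner-001.gravityscan.com
REQUEST_URI: /php.ini

[403 GET Request: October 15, 2017 - 5:14 pm]
REMOTE_ADDR: 68.64.48.20
Host Name: scanner-001.gravityscan.com
REQUEST_URI: /wp-config.php.bak

[403 GET Request: October 15, 2017 - 5:14 pm]
REMOTE_ADDR: 68.64.48.20
Host Name: scanner-001.gravityscan.com
REQUEST_URI: /wp-config.php~

[403 POST Request: October 15, 2017 - 6:02 pm]
REMOTE_ADDR: 203.0.113.5
Host Name: example.invalid
REQUEST_URI: /xmlrpc.php
"""


def parse_bps_log(text):
    """Return one dict per entry: status/method/time from the header line,
    then every 'Key: value' line that follows it (empty values kept as '')."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"status": int(m.group(1)), "method": m.group(2),
                       "time": m.group(3)}
            entries.append(current)
        elif current is not None and line:
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return entries


def is_sensitive_file_probe(uri):
    """True when the path targets a config file or a backup/editor copy."""
    path = uri.split("?", 1)[0]
    return bool(SENSITIVE_NAME_RE.search(path) or BACKUP_SUFFIX_RE.search(path))


def summarize_by_source(entries):
    """Group blocked requests by REMOTE_ADDR and count sensitive-file probes."""
    summary = defaultdict(lambda: {"host": "", "blocked": [], "probes": 0})
    for e in entries:
        rec = summary[e.get("REMOTE_ADDR", "?")]
        rec["host"] = e.get("Host Name", rec["host"])
        uri = e.get("REQUEST_URI", "")
        rec["blocked"].append(uri)
        rec["probes"] += int(is_sensitive_file_probe(uri))
    return dict(summary)


def flag_scanners(entries, threshold=3):
    """Sources with at least `threshold` sensitive-file probes: scanner-like
    behaviour, whether the source is a scan you ordered or an attacker."""
    return sorted(src for src, rec in summarize_by_source(entries).items()
                  if rec["probes"] >= threshold)


if __name__ == "__main__":
    for src, rec in summarize_by_source(parse_bps_log(SAMPLE_LOG)).items():
        print(f"{src} ({rec['host']}): {rec['probes']} sensitive-file probes "
              f"of {len(rec['blocked'])} blocked requests")
```

Run it against a copy of your own Security Log: a source that appears in `flag_scanners()` is probing for readable config backups, and the 403s show the probes failed. Whether that source is a scanner you hired (check the `Host Name` reverse lookup, as the entries above show) or an attacker, the log entries record the same thing, which is why the admin's first reply asks for them.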
    
    #34320
    AITpro Admin
    Keymaster

    Try these troubleshooting steps.

    1. Go to BPS Custom Code > Root htaccess File Custom Code accordion tab.
    2. Type a # sign in this Custom Code text box: 13. CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
    3. Click the Save Root Custom Code button.
    4. Go to the Security Modes tab page and click the Root Folder BulletProof Mode Activate button.

    Do another scan.  If you see the same Security Log entries then probably Mod Security is also protecting these files:  wp-config.php, php.ini, .user.ini.  To check/confirm that > turn off BPS Security Logging > do another scan.

    #34321
    Jeff Rivett
    Participant

    Tried the four steps you suggested, but it didn’t help. So I disabled security logging, and that fixed the problem.

    #34322
    AITpro Admin
    Keymaster

    Turning Off Security Logging was actually a troubleshooting step, but not a good one since GravityScan appears to scan from an external location and not internally.  Turn Security Logging back On and do these troubleshooting steps.

    1. On the Security Modes page, click the Root Folder BulletProof Mode Deactivate button.
    2. Run a GravityScan.

    Let me know if a 403 error is logged.

    #34327
    Jeff Rivett
    Participant

    I re-enabled BPS Security logging and disabled root htaccess protection as instructed, then ran another Gravityscan against the site.

    No new 403 errors were logged.

    I re-enabled root htaccess protection after the test.

    #34328
    AITpro Admin
    Keymaster

    Ok go to the htaccess Core > htaccess File Editor tab page > Your Current Root htaccess File tab > copy and paste the entire contents of your Root htaccess file and paste it in your forum Reply.

    #34329
    Jeff Rivett
    Participant

    Okay, here’s the root htaccess contents:

    # BULLETPROOF 2.7 SECURE .HTACCESS
    
    # PHP/PHP.INI HANDLER/CACHE CODE
    # Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.
    # Most Hosts do not have/use/require php/php.ini Handler htaccess code
    
    # TURN OFF YOUR SERVER SIGNATURE
    # Suppresses the footer line server version number and ServerName of the serving virtual host
    ServerSignature Off
    
    # DO NOT SHOW DIRECTORY LISTING
    # Disallow mod_autoindex from displaying a directory listing
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
    # and paste it into BPS Custom Code and comment out Options -Indexes
    # by adding a # sign in front of it.
    # Example: #Options -Indexes
    Options -Indexes
    
    # DIRECTORY INDEX FORCE INDEX.PHP
    # Use index.php as default directory index file. index.html will be ignored.
    # If a 500 Internal Server Error occurs when activating Root BulletProof Mode
    # copy the entire DO NOT SHOW DIRECTORY LISTING and DIRECTORY INDEX sections of code
    # and paste it into BPS Custom Code and comment out DirectoryIndex
    # by adding a # sign in front of it.
    # Example: #DirectoryIndex index.php index.html /index.php
    DirectoryIndex index.php index.html /index.php
    
    # BRUTE FORCE LOGIN PAGE PROTECTION
    # PLACEHOLDER ONLY
    # Use BPS Custom Code to add Brute Force Login protection code and to save it permanently.
    # See this link: https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
    # for more information.
    
    # BPS ERROR LOGGING AND TRACKING
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # BPS has premade 400 Bad Request, 403 Forbidden, 404 Not Found, 405 Method Not Allowed and
    # 410 Gone template logging files that are used to track and log 400, 403, 404, 405 and 410 errors
    # that occur on your website. When a hacker attempts to hack your website the hackers IP address,
    # Host name, Request Method, Referering link, the file name or requested resource, the user agent
    # of the hacker and the query string used in the hack attempt are logged.
    # All BPS log files are htaccess protected so that only you can view them.
    # The 400.php, 403.php, 404.php, 405.php and 410.php files are located in /wp-content/plugins/bulletproof-security/
    # The 400, 403, 405 and 410 Error logging files are already set up and will automatically start logging errors
    # after you install BPS and have activated BulletProof Mode for your Root folder.
    # If you would like to log 404 errors you will need to copy the logging code in the BPS 404.php file
    # to your Theme's 404.php template file. Simple instructions are included in the BPS 404.php file.
    # You can open the BPS 404.php file using the WP Plugins Editor or manually editing the file.
    # NOTE: By default WordPress automatically looks in your Theme's folder for a 404.php Theme template file.
    
    ErrorDocument 400 /wp-content/plugins/bulletproof-security/400.php
    ErrorDocument 401 default
    ErrorDocument 403 /wp-content/plugins/bulletproof-security/403.php
    ErrorDocument 404 /404.php
    ErrorDocument 405 /wp-content/plugins/bulletproof-security/405.php
    ErrorDocument 410 /wp-content/plugins/bulletproof-security/410.php
    
    # DENY ACCESS TO PROTECTED SERVER FILES AND FOLDERS
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Files and folders starting with a dot: .htaccess, .htpasswd, .errordocs, .logs
    RedirectMatch 403 \.(htaccess|htpasswd|errordocs|logs)$
    
    # WP-ADMIN/INCLUDES
    # Use BPS Custom Code to remove this code permanently.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]
    
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # CUSTOM CODE REQUEST METHODS FILTERED
    # REQUEST METHODS FILTERED
    # If you want to allow HEAD Requests use BPS Custom Code and copy
    # this entire REQUEST METHODS FILTERED section of code to this BPS Custom Code
    # text box: CUSTOM CODE REQUEST METHODS FILTERED.
    # See the CUSTOM CODE REQUEST METHODS FILTERED help text for additional steps.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F]
    #RewriteCond %{REQUEST_METHOD} ^(HEAD) [NC]
    #RewriteRule ^(.*)$ /wp-content/plugins/bulletproof-security/405.php [L]
    
    # PLUGINS/THEMES AND VARIOUS EXPLOIT FILTER SKIP RULES
    # To add plugin/theme skip/bypass rules use BPS Custom Code.
    # The [S] flag is used to skip following rules. Skip rule [S=12] will skip 12 following RewriteRules.
    # The skip rules MUST be in descending consecutive number order: 12, 11, 10, 9...
    # If you delete a skip rule, change the other skip rule numbers accordingly.
    # Examples: If RewriteRule [S=5] is deleted than change [S=6] to [S=5], [S=7] to [S=6], etc.
    # If you add a new skip rule above skip rule 12 it will be skip rule 13: [S=13]
    
    # CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    # Allow css and js (with query strings)
    RewriteCond %{REQUEST_URI} ^.*\.(css|js)$
    RewriteRule . - [S=16]
    
    # Allow access to wp-cron.php, etc.
    RewriteCond %{REQUEST_URI} ^/(wp-cron|checkip)\.php
    RewriteRule . - [S=15]
    
    # Facebook extra query info
    RewriteCond %{QUERY_STRING} fb_action_ids=[0-9]+&fb_action_types=.* [NC]
    RewriteRule . - [S=14]
    
    ## Added 2017Jan14 for testing.
    
    # NextGEN Gallery Cache
    RewriteCond %{REQUEST_URI} ^/wp-content/gallery/cache/
    RewriteRule . - [S=13]
    
    # Adminer MySQL management tool data populate
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/adminer/ [NC]
    RewriteRule . - [S=12]
    # Comment Spam Pack MU Plugin - CAPTCHA images not displaying
    RewriteCond %{REQUEST_URI} ^/wp-content/mu-plugins/custom-anti-spam/ [NC]
    RewriteRule . - [S=11]
    # Peters Custom Anti-Spam display CAPTCHA Image
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/peters-custom-anti-spam-image/ [NC]
    RewriteRule . - [S=10]
    # Status Updater plugin fb connect
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/fb-status-updater/ [NC]
    RewriteRule . - [S=9]
    # Stream Video Player - Adding FLV Videos Blocked
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/stream-video-player/ [NC]
    RewriteRule . - [S=8]
    # XCloner 404 or 403 error when updating settings
    RewriteCond %{REQUEST_URI} ^/wp-content/plugins/xcloner-backup-and-restore/ [NC]
    RewriteRule . - [S=7]
    # BuddyPress Logout Redirect
    RewriteCond %{QUERY_STRING} action=logout&redirect_to=http%3A%2F%2F(.*) [NC]
    RewriteRule . - [S=6]
    # redirect_to=
    RewriteCond %{QUERY_STRING} redirect_to=(.*) [NC]
    RewriteRule . - [S=5]
    # Login Plugins Password Reset And Redirect 1
    RewriteCond %{QUERY_STRING} action=resetpass&key=(.*) [NC]
    RewriteRule . - [S=4]
    # Login Plugins Password Reset And Redirect 2
    RewriteCond %{QUERY_STRING} action=rp&key=(.*) [NC]
    RewriteRule . - [S=3]
    
    # CUSTOM CODE TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # TIMTHUMB FORBID RFI and MISC FILE SKIP/BYPASS RULE
    # Use BPS Custom Code to modify/edit/change this code and to save it permanently.
    # Remote File Inclusion (RFI) security rules
    # Note: Only whitelist your additional domains or files if needed - do not whitelist hacker domains or files
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F]
    #
    # Example: Whitelist additional misc files: (example\.php|another-file\.php|phpthumb\.php|thumb\.php|thumbs\.php)
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    # Example: Whitelist additional website domains: RewriteCond %{HTTP_REFERER} ^.*(YourWebsite.com|AnotherWebsite.com).*
    RewriteCond %{HTTP_REFERER} ^.*boot13.com.*
    RewriteRule . - [S=1]
    
     
    
    # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS
    # CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS - Your Custom htaccess code will be created here with AutoMagic
    # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
    # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
    # Good sites such as W3C use it for their W3C-LinkChecker.
    # Add or remove user agents temporarily or permanently from the first User Agent filter below.
    # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
    RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
    #RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{THE_REQUEST} (\?|\*|%2a)+(%20+|\\s+|%20+\\s+|\\s+%20+|\\s+%20+\\s+)(http|https)(:/|/) [NC,OR]
    RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
    RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
    #RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} (%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
    RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(http|https):// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} (http|https)\: [NC,OR]
    RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} ^(.*)cPath=(http|https)://(.*)$ [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
    RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
    RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    #RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|%0A|%0D|%3C|%3E|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
    RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # END BPSQSE BPS QUERY STRING EXPLOITS
    
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # WP REWRITE LOOP END
    
    # CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
    #
    
    # CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    # Redirect non-secure to secure site
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # Redirects for old page structure.
    RedirectMatch 301 ^/software-updates/patches-and-updates$ http://boot13.com/windows/patches-and-updates/
    RedirectMatch 301 ^/software-updates/patches-and-updates/$ http://boot13.com/windows/patches-and-updates/
    RedirectMatch 301 ^/software-updates/scan-for-vulnerable-software$ http://boot13.com/windows/scan-for-vulnerable-software/
    RedirectMatch 301 ^/software-updates/scan-for-vulnerable-software/$ http://boot13.com/windows/scan-for-vulnerable-software/
    
    # Wordfence WAF
    <IfModule mod_php5.c>
    php_value auto_prepend_file '/var/www/boot13/wordfence-waf.php'
    </IfModule>
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    
    # END Wordfence WAF
    
    #34330
    AITpro Admin
    Keymaster

    I see a couple of issues that need to be corrected.  The Wordfence WAF code needs to be moved to the CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE Custom Code text box. See this forum topic for the steps to add the Wordfence WAF htaccess code > https://forum.ait-pro.com/forums/topic/wordfence-firewall-wp-contentwflogsconfig-php-file-quarantined/  Note:  The Wordfence WAF code is blocking the .user.ini file from being accessed via a browser and probably Gravityscan.  Your SSL/HTTPS htaccess code is in the wrong Custom Code text box.  See this forum topic for htaccess SSL/HTTPS code and setup steps > https://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7233

    If the only problem that gravityscan is having is that it cannot scan the php.ini, wp-config.php, .user.ini, etc. files then you can safely ignore that issue.  If on the other hand gravityscan is having more problems with scanning other things then let me know that.
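
The reply above diagnoses the posted root .htaccess by where things sit: the Wordfence WAF block (`php_value auto_prepend_file` plus the `<Files ".user.ini">` deny) belongs in the `CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE` box, and the HTTPS redirect is in the wrong box too. The Python script below is an added example for this thread, not code from BPS or Wordfence: it walks a BPS-generated .htaccess, tracks which `# CUSTOM CODE ...` section (or the unprefixed `# PHP/PHP.INI HANDLER/CACHE CODE` heading, which BPS writes for the top box) each line falls under, and reports PHP handler directives outside the top box and an HTTPS redirect inside the BOTTOM box. `relocate_block()` shows the resulting layout once the Wordfence block is moved; in practice you paste the block into the Custom Code text box as the reply says, because BPS regenerates the file from those boxes. `SAMPLE_HTACCESS` is a constructed abbreviation of the file posted above with a placeholder path.

```python
"""Report which BPS Custom Code section a directive lives in.  Added
example, not BPS or Wordfence code.  SAMPLE_HTACCESS is a constructed
abbreviation of the root .htaccess posted in the thread (placeholder path)."""
import re

CUSTOM_RE = re.compile(r"^# CUSTOM CODE (.+?)(?: - .*)?$")
# BPS writes the top box heading without the CUSTOM CODE prefix.
ALIASES = {"# PHP/PHP.INI HANDLER/CACHE CODE": "TOP PHP/PHP.INI HANDLER/CACHE CODE"}
TOP_BOX = ALIASES["# PHP/PHP.INI HANDLER/CACHE CODE"]

PHP_HANDLER_RE = re.compile(r'^(php_value|php_flag|<IfModule mod_php|<Files "\.user\.ini">)', re.I)
HTTPS_RE = re.compile(r"^RewriteCond %\{(HTTPS|SERVER_PORT)\}", re.I)

SAMPLE_HTACCESS = r"""# BULLETPROOF 2.7 SECURE .HTACCESS

# PHP/PHP.INI HANDLER/CACHE CODE
# Use BPS Custom Code to add php/php.ini Handler and Cache htaccess code and to save it permanently.

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# CUSTOM CODE DENY BROWSER ACCESS TO THESE FILES
#

# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
# Redirect non-secure to secure site
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Wordfence WAF
<IfModule mod_php5.c>
php_value auto_prepend_file '/var/www/example/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</Files>
# END Wordfence WAF
"""


def sections(text):
    """Yield (section_name, line_no, stripped_line) for every line, switching
    section whenever a BPS heading is seen."""
    current = "PREAMBLE"
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s in ALIASES:
            current = ALIASES[s]
        else:
            m = CUSTOM_RE.match(s)
            if m:
                current = m.group(1)
        yield current, n, s


def locate_directives(text):
    """(kind, section, line_no, line) for each handler or HTTPS directive."""
    found = []
    for section, n, s in sections(text):
        if PHP_HANDLER_RE.match(s):
            found.append(("php_handler", section, n, s))
        elif HTTPS_RE.match(s):
            found.append(("https_redirect", section, n, s))
    return found


def misplaced(text):
    """Findings that match the thread's diagnosis: PHP handler directives
    outside the TOP box, and an HTTPS redirect sitting in the BOTTOM box."""
    out = []
    for kind, section, n, s in locate_directives(text):
        if kind == "php_handler" and section != TOP_BOX:
            out.append((n, kind, section, f"move to {TOP_BOX}"))
        elif kind == "https_redirect" and section.startswith("BOTTOM"):
            out.append((n, kind, section, "wrong box; see the SSL/HTTPS topic"))
    return out


def relocate_block(text, start_marker, end_marker, target_heading):
    """Move the lines from start_marker through end_marker (exact lines) to
    just after target_heading.  Illustrates the resulting layout only."""
    lines = text.splitlines()
    start = lines.index(start_marker)
    end = lines.index(end_marker, start)
    block, rest = lines[start:end + 1], lines[:start] + lines[end + 1:]
    target = rest.index(target_heading)
    return "\n".join(rest[:target + 1] + [""] + block + rest[target + 1:]) + "\n"


if __name__ == "__main__":
    for n, kind, section, advice in misplaced(SAMPLE_HTACCESS):
        print(f"line {n}: {kind} in section '{section}': {advice}")
```

Point it at the file from htaccess Core > htaccess File Editor and every finding names the section the directive currently lives in, which is the information the reply above needed to spot the problem.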

    #34374
    AITpro Admin
    Keymaster

    Ok I just ran a Gravityscan scan and I see this error message below, which is insignificant and can be ignored. The reason this error message can be ignored is that BPS is already protecting certain files and is also preventing the Gravityscan scanner from scanning some files. Gravityscan is able to scan everything else except for files that BPS is already protecting.

    High Error
    Detected Bulletproof blocking requests Bulletproof
    Title: Detected Bulletproof blocking requests
    Type: Error
    Severity: High (8.0)
    Product: Bulletproof
    Description: Scan results may be incomplete or inaccurate due to security software (Bulletproof) used by this site. For best results, whitelist Gravityscan’s IP range or temporarily disable the software. Instructions for enabling Gravityscan with several popular security providers are available here.

    #34375
    Jeff Rivett
    Participant

    Yes, that’s the exact message I was getting. However, I’m not seeing it since I made the changes you recommended: moving the HTTPS redirect code and the Wordfence WAF code. Root htaccess is still enabled, and so is BPS logging.

    As far as I’m concerned, the problem is resolved.

    I should just point out that ignoring the error would not be an option for me, as it generates a steady stream of email alerts.

    #34376
    AITpro Admin
    Keymaster

    What email alerts are being sent to you?  Are they BPS or Wordfence email alerts?  I assume the email alerts are Gravityscan/Wordfence email alerts.  So you would need to contact Wordfence and ask them to fix that mistake/bug.  Also see if they will fix the wording for Gravityscan error messages related to BPS, since the error messages are not accurate and are misleading.  An accurate error message would be something like – “The BPS plugin is installed, which already protects X, Y or Z. You can disregard this error message since BPS is already protecting X, Y or Z”.  And of course email alerts should not be sent regarding BPS since BPS is already protecting the website.

    #34379
    Jeff Rivett
    Participant

    Sorry, I guess I wasn’t clear: I’m no longer having the problem I reported. Previously I was getting the exact same message you got.

    Since I want to know when a Gravityscan scan fails, I’ve configured it to send me alert emails. I was getting a lot of those because of the (now resolved) issue I reported. I wanted to avoid disabling the email alerts if possible.

    Anyway, thanks. I’m not sure how moving the Wordfence WAF code fixed it, but it’s fixed.

    #34380
    AITpro Admin
    Keymaster

    Gravityscan scans are not failing. The scan results are just not accurate/valid.  What is odd to me is that since Gravityscan is going to the trouble of detecting that BPS is protecting the files, you would think that Gravityscan would not report that there is a problem since the files are already protected. Seems to me it would be much more logical for Gravityscan to check if a file is protected or not.  If it is protected then there is no need to scan it or inaccurately report a problem. Kind of odd.
