BulletProof Security
[resolved] 403 Errors (24 posts)

  1. chrishtf
    Member
    Posted 1 year ago #

    Hey

    I've recently been getting a constant message that my Security Log is becoming large, and when I checked I've been getting regular 403 errors. Here's a bit from the log:

    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.5
    Host Name: out-ar5.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2011/12/DJ-Chamber-HTF.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.2
    Host Name: out-ar2.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2011/11/Troumaca.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.0
    Host Name: 66.220.152.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2013/01/Karma-Party-Tour.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.4
    Host Name: out-ar4.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2012/04/20120416-191116.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.2
    Host Name: out-ar2.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/sociable/images/more.png
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.5
    Host Name: out-ar5.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2012/03/achal.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.7
    Host Name: out-ar7.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2011/10/131445_500446317776_33761052776_5647685_3713449_o1.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.6
    Host Name: out-ar6.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2011/12/bison.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.6
    Host Name: out-ar6.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2011/10/love-sick.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.3
    Host Name: out-ar3.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/sociable/images/closelabel.png
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.6
    Host Name: out-ar6.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2012/02/20120220-213452.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.4
    Host Name: out-ar4.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2012/04/20120406-213014.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 66.220.152.5
    Host Name: out-ar5.tfbnw.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/uploads/2012/04/20120416-192154.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)
    
    >>>>>>>>>>> 403 Error Logged - February 2, 2013 - 6:10 pm <<<<<<<<<<<
    REMOTE_ADDR: 72.30.142.221
    Host Name: llf531060.crawl.yahoo.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /electronic/interview-kate-mcrae-htf-exclusive
    QUERY_STRING:
    HTTP_USER_AGENT: NING/1.0

    Any ideas why this would be?

    Site is http://www.hitthefloor.co.uk

    Any help would be awesome x

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Looks like some kind of external linking of your images files. See the link below.
    http://www.facebook.com/externalhit_uatext.php

    If you are using HotLink Protection then you are not allowing your images to be HotLinked and that would log a 403 error.

  3. chrishtf
    Member
    Posted 1 year ago #

    I've checked and hotlinking is disabled so couldn't be that

    Any other ideas or is there a way I can just stop it logging it if it's nothing serious?

  4. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I am not exactly sure how the facebook script is trying to GET images, but maybe doing something like this would work. Whitelist the facebookexternalhit Bot.

    Try this first...

    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD request from bots that you want to allow in certain cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteCond %{HTTP_USER_AGENT} !^(facebookexternalhit) [NC]
    RewriteRule ^(.*)$ - [F,L]

    ...and if it does not work then try this - remove/delete HEAD from the nuisance filter...

    # REQUEST METHODS FILTERED
    # This filter is for blocking junk bots and spam bots from making a HEAD request, but may also block some
    # HEAD request from bots that you want to allow in certain cases. This is not a security filter and is just
    # a nuisance filter. This filter will not block any important bots like the google bot. If you want to allow
    # all bots to make a HEAD request then remove HEAD from the Request Method filter.
    # The TRACE, DELETE, TRACK and DEBUG request methods should never be allowed against your website.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK|DEBUG) [NC]
    RewriteRule ^(.*)$ - [F,L]

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    What you want to not do is create a rule that whitelists the facebook Bot entirely to allow it to skip/bypass all security since IPs, Hostnames and User Agents can all be faked. That would make your website vulnerable to a spoofed User Agent hack.

  6. chrishtf
    Member
    Posted 1 year ago #

    Where would I paste this code exactly? I'm a bit of a newbie when it comes to some of this stuff haha :)

    Wud this be in the main .htaccess?

  7. chrishtf
    Member
    Posted 1 year ago #

    Also are these only to do with facebook cus some of the log seems to be from my own server (SYWP) :/

    There's quite a lot of these

    >>>>>>>>>>> 403 Error Logged - February 4, 2013 - 12:09 am <<<<<<<<<<<
    REMOTE_ADDR: 5.77.49.221
    Host Name: server.sywp.co.uk
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.hitthefloor.co.uk
    REQUEST_URI: /tour-dates/blowgoat-announce-july-tour/attachment/blowgoat-3/
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

    >>>>>>>>>>> 403 Error Logged - February 4, 2013 - 12:09 am <<<<<<<<<<<
    REMOTE_ADDR: 5.77.49.221
    Host Name: server.sywp.co.uk
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http://www.hitthefloor.co.uk
    REQUEST_URI: /wp-content/uploads/2012/06/Blowgoat-245x163.jpg
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

  8. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    That code already exists in your BPS Root .htaccess file. Use the BPS built-in htaccess file editor and try both changes and see what works.

    Hard to tell exactly what those errors are being caused by. Could be a spammer or a dozen other random abusive things against your site. Your site is the Host and the Referrer. The Request was made on your site or to your site and something about that request was forbidden.

    A malicious hacking attempt will look different.

  9. chrishtf
    Member
    Posted 1 year ago #

    Still seems to be coming up with the errors

    Seems to be a lot more than just Facebook though.

    It's quite confusing and my webhosts don't seem to know either

    Pasted a longer version of the log here - http://pastebin.com/B7aj0y5f

  10. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Sure looks like you have HotLink protection added either in your Root .htaccess file or in your Web Host Control panel. The majority of the 403 errors are related to image files. There are a couple other shady ones.

    Bottom line, it looks like you are not allowing image files to be grabbed or displayed from your site - blocking against HotLinking to image files.

  11. The Hack Repair Guy
    Member
    Posted 1 year ago #

    Folks seem oddly concerned about 403 errors.

    I'll try to explain a bit better why you should just "forget about it..." in your best Italian accent.

    403's frequently result from bots attempting to access a directory when directory browsing is forbidden, or when IP denial is enabled.

    If you have smartly installed BPS or some other nice security plugin, that plugin will block attempts at connecting to files in directories which disallow connections, and likewise block repeat bad login offenders.

    This is a natural result of having the security plugin installed (403 errors). cPanel Hotlink Protection = (ditto).

    Bottom line:
    403 errors mean your security plugin or control panel is working.

    Remember a 403 is not a 404.
    Massive numbers of 404 errors, now that is something worthy of discussion. 403 errors (aka, go away bot scum errors), not so much.

  12. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Actually it is not hotlinking at all. I just successfully hotlinked one of your image files from another website.

  13. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    These errors are all occurring on your main site and not your blog site.

  14. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    I see you are using a Minify plugin so anything could be happening. Minify plugins are a nightmare and you could not pay me enough money to install one on my site. Plus they create huge security vulnerabilities - BAD!!!

  15. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    How is your main site linked to your blog site? I see images on the main site and when I click them I am taken to the blog site????? Why are images on your main site loading your blog site????

    I think the problem is something is fubar about the way you are linking your image files.

  16. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Or maybe not. It looks like some go to your main site and others go to your blog site, but all of these errors are coming from the main site. Do you see the same type of errors on your blog site?

  17. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    And this one is good for a laugh. The MSN bot is trying to hack your website. LOL I once had the Google bot try to hack my site for a few days. LOL obviously this is not the real MSN Bot. IP addresses, Host names and User Agents can be very easily faked. And this hacker is faking the MSN bot when looking for a timthumb file to exploit. ;)

    >>>>>>>>>>> 403 Error Logged - February 4, 2013 - 11:28 pm <<<<<<<<<<<
    REMOTE_ADDR: 131.253.24.4
    Host Name: msnbot-131-253-24-4.search.msn.com
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/themes/magazinum/functions/theme/thumb.php?src=http://www.hitthefloor.co.uk/wp-content/uploads/2012/02/F9-520x325.jpg&w=225&h=Yes&zc=1&a=c
    QUERY_STRING:
    HTTP_USER_AGENT: msnbot-media/1.1 (+http://search.msn.com/msnbot.htm)
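
A way to test the point made in this thread that User Agents and host names can be faked: forward-confirmed reverse DNS run over log entries in the format quoted above. This is an added example, not part of any forum post or of BPS; the suffix table is an assumption drawn from the Host Name fields in the thread, and the sample entries and stub DNS data are constructed.

```python
import re
import socket

# User-Agent token -> suffixes the client's reverse DNS name must end with.
# Assumption: suffixes copied from the Host Name fields quoted in this thread.
EXPECTED = {"facebookexternalhit": (".tfbnw.net",), "msnbot": (".search.msn.com",)}
ENTRY_START = re.compile(r"^>+ 403 Error Logged - (.+?) <+$")

def parse_entries(text):
    """Split a security log in the format quoted above into one dict per entry."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        m = ENTRY_START.match(line)
        if m:
            entries.append({"logged": m.group(1)})
        elif entries and ":" in line:
            key, _, value = line.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def ptr_lookup(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def a_lookup(host):
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def classify(entry, reverse=ptr_lookup, forward=a_lookup):
    """Check the crawler a User-Agent claims against DNS, not the logged Host Name."""
    ua, ip = entry.get("HTTP_USER_AGENT", "").lower(), entry.get("REMOTE_ADDR", "")
    suffixes = next((s for token, s in EXPECTED.items() if token in ua), None)
    if suffixes is None:
        return "no crawler claimed"
    host = reverse(ip)
    if not host:
        return "unverified: no PTR"
    if not host.lower().rstrip(".").endswith(suffixes):
        return "mismatch: PTR outside crawler domain"
    if ip not in forward(host):  # a PTR alone is set by whoever owns the IP block
        return "mismatch: PTR not forward-confirmed"
    return "verified"

# Constructed sample log and stub DNS data (documentation-range addresses).
HEADER = ">>>>>>>>>>> 403 Error Logged - January 1, 2013 - 1:00 pm <<<<<<<<<<<\n"
SAMPLE = "\n".join(HEADER + f"REMOTE_ADDR: {ip}\nHTTP_USER_AGENT: {ua}\n" for ip, ua in [
    ("192.0.2.10", "facebookexternalhit/1.1"),
    ("198.51.100.7", "msnbot-media/1.1"),
    ("203.0.113.5", "facebookexternalhit/1.1"),
])
PTR = {"192.0.2.10": "out-1.tfbnw.net", "198.51.100.7": "msnbot-1.search.msn.com"}
A = {"out-1.tfbnw.net": {"192.0.2.10"}}

def triage(text, reverse=ptr_lookup, forward=a_lookup):
    return [(e.get("REMOTE_ADDR"), classify(e, reverse, forward)) for e in parse_entries(text)]
```

Called without the stub arguments, `triage` performs live DNS lookups for each entry.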
  18. chrishtf
    Member
    Posted 1 year ago #

    It's all one site. It's a wordpress install on domain http://www.hitthefloor.co.uk

    The actual server itself it's hosted on is registered as http://www.sywp.co.uk as there are a few other sites on the same server if that's what u meant :)

    Is there anything I could get my webhosts to look at maybe? They were just confused last time they had a look lol

    Also wud u advise against using Minify then? is it not good for the site?

  19. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Ok so /blog is just a designated blog page then and not a completely separate WordPress site correct?

    I guess you could have your Host check the Server Logs for additional clues, but I doubt it would tell them anything more useful.

    Ok here is the overall deal. Images display fine on your site, everything is working fine on your site and you can HotLink to images. The logged events pertaining to image files may be things like this:

    Someone is attempting to scrape, mirror, copy, download, etc your entire site and images and they are faking that they are the facebook bot. Remember that IP addresses, Host Names and User Agents can all be very easily faked.

    Or maybe you have some kind of facebook plugin installed that is doing something to cause the errors. Or maybe your Themes would have something to do with this? Do the standard WordPress troubleshooting steps.

    1. deactivate plugins one by one and test
    2. switch to the WordPress 2012 theme to test.

    The big picture:

    In your log file that you posted I see that BPS blocked/stopped several common hacking attempts on your website. The image file errors are only a nuisance and are not causing any problems. So try the WordPress troubleshooting steps and see what happens. Another possibility is that they will just stop all of a sudden if it has to do with mirroring, scraping, etc.

    I personally do not use Minify plugins because I have several very critical scripts that need to be 100% intact and not minified. If these critical scripts are minified then they lose coding safeguard checks. So it is up to you. Most likely it would not be an issue for you so it is fine to use a Minify plugin on your site.

    And also the image errors could be caused by your minifying plugin. So when you do the standard WordPress troubleshooting steps then you would be eliminating your Minify plugin as well as the cause of the problem.

  20. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Also this Forum post puts things in perspective regarding what matters and what does not matter in regards to logged events:

    http://forum.ait-pro.com/forums/topic/security-log-security-log-403-errors/#post-1694

  21. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Did you try the standard WordPress troubleshooting steps?

    1. deactivate plugins one by one and test
    2. switch to the WordPress 2012 theme to test.

  22. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Working on this over here now >>> http://wordpress.org/support/topic/linkchecker-and-other-legit-bots-are-broken?replies=8

    Will post my findings/solution there.

  23. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Deleted - posted in the wrong thread...

  24. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Resolving this Thread. This issue is being worked on in this thread >>> http://wordpress.org/support/topic/linkchecker-and-other-legit-bots-are-broken?replies=8

    This issue is a nuisance issue and does not have a negative impact or block anything important. It has still not been determined if BPS is the source of the facebook 206 error. Pending further investigation / testing.

Topic Closed

This topic has been closed to new replies.
