• Resolved Jim

    (@jwmc)


    A couple of times I have been blocked by some kind of firewall set up by A2 Hosting. After it happened a couple of times, they investigated and said it was due to a Wordfence conflict and suggested I contact you.

    The block page has this text:

    The firewall on this server is blocking your connection.
    You need to contact the server owner or hosting provider for further information.
    Your blocked IP address is: 35.209.36.66
    The hostname of this server is: mi3-ss52.a2hosting.com
    You can try to unblock yourself using ReCAPTCHA:

    That IP address is not mine, it is a googlebot. A2 support investigated and said this:

    We reviewed the logs and found that the IP was blocked due to violating one of our Mod_Security rules.

    Sep 24 22:05:59 mi3-ss52 lfd[18070]: (mod_security) mod_security (id:5000900) triggered by 35.209.36.66 (66.36.209.35.bc.googleusercontent.com): 5 in the last 3600 secs – *Blocked in csf* for 3600 secs [LF_MODSEC]

    [Thu Sep 24 22:21:12.120219 2020] [:error] [pid 5536:tid 47422255044352] [client 35.209.36.66:52728] [client 35.209.36.66] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 0 at USER:bf_block. [file “/etc/apache2/conf.d/modsec/modsec_a2/a2_xmlrpc_possible_attack.conf”] [line “13”] [id “5001”] [msg “35.209.36.66 blocked for 30 minutes, more than 10 login attempts in 5 minutes.”] [hostname “forestpathology.org”] [uri “/wp-login.php”] [unique_id “X21UGFs4dgRCYV5LRaljEgAAA8Y”]

    IPs will be blocked if they call wp-login.php too many times and use the incorrect password. I did notice that this IP address appears to be a Google IP. Are you using some kind of VPN to reach the site?

    No, I wasn’t. When it happened again, I noted what page it happened on (https://forestpathology.org/wp-admin/upload.php). This time they replied:

    Upon careful investigation involving checking every possible angle and server logs, I was able to find the root cause of this. This was caused by WordFence plugin. I have disabled it by renaming its folder from WordFence to WordFence1 and now there are no more blocks.

    Not sure why it was happening. You may need to contact them for more information.

    I imagine something like this is kind of hopeless since you don’t know what their software is doing and can’t control it even if you did. But I thought I’d throw it out there.

    FWIW, it didn’t happen until I started the Cloudflare stuff.

    • This topic was modified 5 years, 8 months ago by Jim.


Viewing 10 replies - 1 through 10 (of 10 total)
  • Thread Starter Jim

    (@jwmc)

    I also saw that Google IP address in a header of a Wordfence email. Very strange:

    X-Php-Filename: /. . . /public_html/wp-admin/admin-ajax.php REMOTE_ADDR: 35.209.36.66

    Plugin Support WFAdam

    (@wfadam)

    Hello again @jwmc and thanks for reaching out!

    Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Thanks!

    Thread Starter Jim

    (@jwmc)

    Thanks @wfadam. But before you invest any more time in this, let me tell you that I was just locked out again, and I had not renamed the plugin back to the correct name. So maybe they are incorrect in blaming Wordfence. I have let them know this so we’ll see what they say.

    Plugin Support WFAdam

    (@wfadam)

    Without looking at any of the diagnostics, it sounds like your IP detection method might be incorrect. What could be happening is that every IP that visits your site might be read as the same IP. Once you send a diagnostic over, I should be able to tell if this is the issue.

    Let me know if you’re able to!

    Thanks again!

    Thread Starter Jim

    (@jwmc)

    OK, just sent it. Thanks!

    Plugin Support WFAdam

    (@wfadam)

    Thanks for sending that @jwmc

    I believe that might be the issue I mentioned before with the IP detection. Are you using a CDN such as Cloudflare as well?

    To double-check your IP detection is correct, first, check the following site and take note of your IP – (note that this detection can sometimes not be 100% accurate on cellular phone network connections): https://www.whatsmyip.org.

    Then, head over to your site and go to Wordfence > All Options > General Wordfence Options > How does Wordfence get IPs and reference the area under that section that says Detected IPs and Your IP with this setting. Start from the top and check to see if any of the settings show that both of those show the same IP as the site above does.

    If you’re using Cloudflare, you will most likely need to select “Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.”.

    Let me know what you find!

    Thanks!
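
The situation WFAdam describes in the replies above (every visitor being read as the same IP behind a CDN), as an added example that is not part of the thread and is not Wordfence's or A2 Hosting's code. It replays failed logins against a per-IP limit like the one in the host's log (more than 10 attempts in 5 minutes), keyed first on the proxy's address and then on the visitor's; the proxy range, addresses and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed values: a documentation range stands in for the CDN's proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]
MAX_ATTEMPTS, WINDOW_SECS = 10, 300  # threshold quoted in the host's log message


def client_ip(remote_addr, headers):
    """Return the address a request should be attributed to.

    CF-Connecting-IP is honoured only when the TCP peer (REMOTE_ADDR) is a
    trusted proxy; from any other peer the header is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return str(peer)


def blocked_keys(requests, key_fn):
    """Replay (timestamp, remote_addr, headers) login failures and return
    the keys that exceed MAX_ATTEMPTS within WINDOW_SECS."""
    recent, blocked = defaultdict(deque), set()
    for ts, remote_addr, headers in requests:
        key = key_fn(remote_addr, headers)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECS:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) > MAX_ATTEMPTS:
            blocked.add(key)
    return blocked


# Constructed sample: three visitors, four failed logins each, all relayed
# through the same proxy address 198.51.100.7.
SAMPLE = sorted(
    (t * 10 + i, "198.51.100.7", {"CF-Connecting-IP": f"203.0.113.{v}"})
    for i, v in enumerate((11, 12, 13)) for t in range(4))

by_peer = blocked_keys(SAMPLE, lambda addr, hdrs: addr)  # keyed on REMOTE_ADDR
by_client = blocked_keys(SAMPLE, client_ip)              # keyed on visitor IP
```

Keyed on the peer address, the twelve attempts share one counter and the proxy address is blocked; keyed on the resolved visitor address, no counter passes four.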

    Thread Starter Jim

    (@jwmc)

    Yes, I am using Cloudflare.

    My IP as shown on such internet sites shows correctly in that Wordfence section. Every one of those 5 settings shows the same correct IP; I even tried saving each setting to make sure.

    I was using the CF-Connecting-IP setting. But I noticed in that diagnostic report:
    REMOTE_ADDR <shows my correct IP> In use
    CF-Connecting-IP (not set) Configured but not valid

    So not sure what’s going on there.

    Plugin Support WFAdam

    (@wfadam)

    Next, try to whitelist your site’s IP address in Cloudflare. What it looks like might be happening is that, in order for some features to work correctly, your site needs to be able to connect back to itself. Sometimes Cloudflare doesn’t handle this request correctly, but if you whitelist your site’s IP, that should resolve it.

    Let me know what you find!

    Thanks!

    Thread Starter Jim

    (@jwmc)

    OK, I did on Cloudflare both a Firewall Rule and an IP Rule to allow my server’s IP (no idea what the difference is between them).

    That already had a good effect because a DNS change I had to make in cPanel wasn’t populating in Cloudflare. After whitelisting it showed up immediately.

    However, the Diagnostics on IP Detection Method still show that CF-Connecting-IP is Configured but not valid. Guess we’ll see what happens.

    Thanks for all your awesome help!

    Thread Starter Jim

    (@jwmc)

    I give up! After everything we did, and the hosting support ‘whitelisted’ that security rule that was supposedly causing the blocking, I still got blocked, and when that happens my email doesn’t work either. I finally ditched Cloudflare entirely, and reset the domain to point to my hosting nameservers. The website may be slightly slower (or not), but at least it works smoothly. So far.


The topic ‘Weird Conflict with Host’s Firewall?’ is closed to new replies.