Support » Plugin: WP fail2ban » 403 with admin-ajax.php?_fs_blog_admin=true

  • Resolved mbologna

    (@mbologna)


    With this plugin I am encountering random 403s when accessing admin pages:

    # rg _fs_blog_admin=true | grep -cw 403
    9

    # rg _fs_blog_admin=true | grep -w 403

    access-wordpress.log:93.56.x.x - - [11/Aug/2019:11:43:22 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:29:28 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:34:29 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:39:30 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:44:31 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:49:32 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:54:34 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:59:35 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:10:15:43 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"

    In the same timeframe, the corresponding IPs are logged in and do not encounter any problems when using the administrative area of WordPress:

    403 is the second hit, after that there is a 200:

    1575:93.56.x.x - - [11/Aug/2019:11:42:25 +0000] "GET /wp-admin/admin-ajax.php?action=blc_dashboard_status&random=0.7248542563550722&_fs_blog_admin=true HTTP/2.0" 200 201 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    1577:93.56.x.x - - [11/Aug/2019:11:43:22 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    1580:93.56.x.x - - [11/Aug/2019:11:44:26 +0000] "GET /wp-admin/admin-ajax.php?action=blc_dashboard_status&random=0.4630210098776505&_fs_blog_admin=true HTTP/2.0" 200 201 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    1587:93.56.x.x - - [11/Aug/2019:11:46:27 +0000] "GET /wp-admin/admin-ajax.php?action=blc_dashboard_status&random=0.6353487338287&_fs_blog_admin=true HTTP/2.0" 200 201 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    1591:93.56.x.x - - [11/Aug/2019:11:47:38 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 200 87 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"

    403 interleaved with 200:

    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:28:12 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 200 107 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:29:28 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 403 22 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
    access-wordpress.log.1:93.35.x.x - - [10/Aug/2019:09:30:11 +0000] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 200 67 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"

    Clearly, _fs_blog_admin is something that comes from this plugin:

    wp-content/plugins/wp-fail2ban/vendor/freemius/wordpress-sdk/config.php
    wp-content/plugins/wp-fail2ban/vendor/freemius/wordpress-sdk/includes/class-freemius.php

    Is there something I am missing? Why do I encounter these random 403s?

  • Plugin Author invisnet

    (@invisnet)

    What happens if you disable Broken Link Checker?

    What’s the reasoning behind the interference between Broken Link Checker and WP fail2ban?

    Plugin Author invisnet

    (@invisnet)

    From your logs I can see that BLC also does something with the heartbeat request; since I can’t reproduce it here I thought it’d be worth seeing if there’s a conflict on your install.

    Disabling BLC solved the problem. Is it fair to say that the problem is in the BLC plugin or in the interaction between BLC and wp-fail2ban?

    Plugin Author invisnet

    (@invisnet)

    It’s impossible to say without knowing the POST data that’s being sent for the 403 requests; if you can get that from e.g. the browser Network log then the action will tell you which request is failing, and from there, hopefully, it’d be possible to work out exactly why.

    I have collected the HAR from the network tab.
    How can I help now?
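
The check suggested above (read the POST data of the 403 requests and see which `action` they carry) can be run directly against an exported HAR file. The following is an added example, not code from the thread or from either plugin; the sample HAR, the host `blog.example` and the `heartbeat` action value in it are constructed for illustration.

```python
import json
import sys
from urllib.parse import parse_qs, urlsplit

def failing_ajax_actions(har, status=403):
    """List (time, action, POST field names) for admin-ajax.php POSTs that got `status`."""
    hits = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = urlsplit(req["url"])
        if req["method"] != "POST" or resp["status"] != status:
            continue
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        post = req.get("postData", {})
        # Browsers export a form body as parsed "params", raw "text", or both.
        fields = {p["name"]: p.get("value", "") for p in post.get("params", [])}
        if not fields and "urlencoded" in post.get("mimeType", ""):
            parsed = parse_qs(post.get("text", ""), keep_blank_values=True)
            fields = {name: values[0] for name, values in parsed.items()}
        # The action can also travel in the query string instead of the body.
        action = fields.get("action") or parse_qs(url.query).get("action", ["<none>"])[0]
        # Report field names only: values include nonces and other session data.
        hits.append((entry["startedDateTime"], action, sorted(fields)))
    return hits

def _entry(time, method, query, status, post=None):
    # Helper for the constructed sample below (not a real capture).
    req = {"method": method, "url": "https://blog.example/wp-admin/admin-ajax.php?" + query}
    if post is not None:
        req["postData"] = post
    return {"startedDateTime": time, "request": req, "response": {"status": status}}

FORM = "application/x-www-form-urlencoded; charset=UTF-8"
SAMPLE_HAR = {"log": {"entries": [
    _entry("2019-08-11T11:42:25Z", "GET", "action=blc_dashboard_status&_fs_blog_admin=true", 200),
    _entry("2019-08-11T11:43:22Z", "POST", "_fs_blog_admin=true", 403,
           {"mimeType": FORM, "text": "action=heartbeat&_nonce=REDACTED&interval=60"}),
    _entry("2019-08-11T11:47:38Z", "POST", "_fs_blog_admin=true", 200,
           {"mimeType": FORM, "params": [{"name": "action", "value": "heartbeat"}]}),
]}}

if __name__ == "__main__":
    # With a path argument, read a HAR exported from the browser; else use the sample.
    har = json.load(open(sys.argv[1], encoding="utf-8-sig")) if len(sys.argv) > 1 else SAMPLE_HAR
    for when, action, names in failing_ajax_actions(har):
        print(when, "action=" + action, "fields=" + ",".join(names))
```

A HAR export also contains request cookies and nonces, which is why the script prints field names rather than values; the same care applies before attaching the raw file to a public thread.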
