• Thank you for this great plugin!

    One rather painful issue though, I don’t know if someone can help us? Since we installed WP cerber a few months ago, about 1/3 of the IP addresses added to the blacklist are not blocked.

    – When clicking “add IP to blacklist”, we can see the confirmation notice “added to blacklist” but no black square is added to corresponding logs in activity and traffic inspector tabs

    – When corresponding IP owner comes back to our site, they are not blocked, and therefore able to submit spam or fraudulent forms

    – It seems that all those troublesome IPs share only one common behavior: associated IP-range logs in traffic inspector and activity tabs are always empty. Logs are filled correctly for individual IPs

    – We unsuccessfully tried to delete and re-add IPs, use IP ranges, CIDR, subnets, repair tables, delete all cerber_acl rows and re-enter IPs manually.

    – We only have a few IPs in our white access list, but at least one of them is showing similar symptoms

    Info:
    PHP version: 7.2.5
    [SERVER_SOFTWARE] => Apache

    Repair tables:
    Array
    (
    [0] => Array
    (
    [0] => Duplicate column name ‘ip_long’
    [1] => ALTER TABLE cerber_log ADD ip_long BIGINT UNSIGNED NOT NULL DEFAULT “0” COMMENT “IPv4 long” AFTER ip, ADD INDEX (ip_long)
    )

    [1] => Array
    (
    [0] => Duplicate column name ‘ip_long_begin’
    [1] => ALTER TABLE cerber_acl ADD ip_long_begin BIGINT UNSIGNED NOT NULL DEFAULT ‘0’ COMMENT ‘IPv4 range begin’ AFTER ip, ADD ip_long_end BIGINT UNSIGNED NOT NULL DEFAULT ‘0’ COMMENT ‘IPv4 range end’ AFTER ip_long_begin
    )

    [2] => Array
    (
    [0] => Duplicate key name ‘ip_begin_end’
    [1] => ALTER TABLE cerber_acl ADD UNIQUE ip_begin_end (ip, ip_long_begin, ip_long_end)
    )

    [3] => Array
    (
    [0] => Can’t DROP ‘ip’; check that column/key exists
    [1] => ALTER TABLE cerber_acl DROP INDEX ip
    )

    [4] => Array
    (
    [0] => Can’t DROP ‘begin_end’; check that column/key exists
    [1] => ALTER TABLE cerber_acl DROP INDEX begin_end
    )

    [5] => Array
    (
    [0] => Duplicate key name ‘begin_end_tag’
    [1] => ALTER TABLE cerber_acl ADD INDEX begin_end_tag (ip_long_begin, ip_long_end, tag)
    )

    [6] => Array
    (
    [0] => Duplicate column name ‘session_id’
    [1] => ALTER TABLE cerber_log
    ADD session_id CHAR(32) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT “”,
    ADD country CHAR(3) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT “” COMMENT “Country code”,
    ADD details VARCHAR(250) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL DEFAULT “” COMMENT “Details about HTTP request”;

    )

    [7] => Array
    (
    [0] => Duplicate key name ‘session_index’
    [1] => ALTER TABLE cerber_log ADD INDEX session_index (session_id)
    )

    )

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author gioni

    (@gioni)

    Hi!

    If you click “Check for activity” or “Check for requests” on the access list admin page and don’t see log records, that means there were no requests from blacklisted IP addresses at all.

    Can you do a simple test: select an arbitrary IP on the Activity tab, add it to the blacklist as a wildcard with the asterisk character * and then click “Check for activity” button. What do you get?

    Thread Starter AbLeads

    (@ableads)

    Hey Gioni,

    Thanks for your kind reply. Sorry for not being clearer, when I click on those IP addresses I do see recent activity, requests, or both. However, when I click “Check for activity” or “Check for requests” next to “Network” (below IP), then both tabs will indicate “No activity has been logged.” AND “No requests have been logged.” Then I know for sure that blacklisting them will do nothing.

    A fresh example just a few minutes ago: 188.40.151.103 from Germany:
    3 logs in activity: Request to REST API denied
    3 logs in traffic inspector: Get REST API / HTTP 403 Forbidden
    Click Add IP to the Black List
    “Address 188.40.151.103 was added to Black IP Access List”
    No black square gets added by the IP address in traffic inspector or activity tabs
    Black IP Access List –> 188.40.151.103
    Check for activity: 3 logs are there, no black square
    Check for requests: 3 logs again, no black square

    Wild card test:
    Add 188.40.151.* to blacklist
    “Address 188.40.151.* was added to Black IP Access List”
    Check for activity: “No activity has been logged.”
    Check for requests: “No requests have been logged.”

    Just as a reminder, this issue only happens with about 30% of IPs in access lists

    Plugin Author gioni

    (@gioni)

    Note: The White IP Access list has the highest priority and will be checked for an IP address first. Is your White IP Access list empty?

    See also: https://wpcerber.com/using-ip-access-lists-to-protect-wordpress/

    Thread Starter AbLeads

    (@ableads)

    Thank you, we are aware of that. We do have 5 IPs in the white access list, none of which should interfere with any of the 115 IPs in the black list.

    Are we the only ones facing that issue?

    If there is no fix you can think of, we’ll give a go at another security plugin at some point for comparison and let you know if that solves the problem

    Thread Starter AbLeads

    (@ableads)

    Hi,

    Following an increased number of attack attempts from IPs that aren’t recognized by wp-cerber’s access list, we did a little more digging into why some IPs are blocked fine and why some aren’t. Amongst hundreds of IPs tested, it turns out that none will work if the first part of the IP is above 126. As said previously, subnet and wildcard searches for those IPs won’t work either.

    It seems that class A IPs only are blocked as expected?

    Hi @gioni, @ableads,

    I was about to open a thread about this but I found something totally similar here.
    I have the same issue, that’s not new but I didn’t have the time to write earlier.

    What I found in my access blacklist is that all IPs are not stored from 1.X.X.X to 255.X.X.X.
    First in my list appear all IPs from 128.X.X.X to 222.X.X.X.
    Then, the second part appears in the list, from 5.X.X.X to 125.X.X.X.

    The differences I found:

    – IPs from 5.X.X.X to 125.X.X.X: Are seen as banned. When they come back, there is a black square in front of each already blacklisted IP in the activity view.
    A look inside the DB’s ACL shows those IPs with a “10 digits” value for “ip long begin”, same for “ip long end”.

    – IPs from 128.X.X.X to 222.X.X.X: Are not seen as banned. When they come back, there is no black square in front of each already blacklisted IP in the activity view.
    A look inside the DB’s ACL shows those IPs with a “0” value for “ip long begin”, same for “ip long end”.

    I hope this can help.

    Plugin Author gioni

    (@gioni)

    @gingerbooch, @ableads

    Hi folks! I need additional details. Please go to the Tools / Diagnostic admin page, scroll down to the “Database info” section and find “Table: cerber_acl, rows”. Show me the content of this subsection, just make a screenshot of it.

    Hi @gioni,

    Here is mine.

    Thread Starter AbLeads

    (@ableads)

    Hi @gioni,

    Did you find something out about our issue ?

    Plugin Author gioni

    (@gioni)

    Hi!

    So, the table structure has no issues. Please do the following:

    1. Add a new problematic IP address (like you’ve described) to any list.
    2. Check the values in the ip_long_begin and ip_long_end fields in the cerber_acl database table (you need to have access to the DB via phpMyAdmin). It should be a number, not zero.
    3. If the fields have a number other than zero, do this: https://wpcerber.com/repair-database-tables/
    4. Check the fields again.
    5. Tell me the results of the steps 2 and 4.

    @gingerbooch
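
An added example (not from the thread or the plugin's code) of the check in steps 2 and 4 above and of the zeroed rows reported earlier: it recomputes the IPv4 integer range for each access-list entry and flags rows whose stored `ip_long_begin`/`ip_long_end` disagree. It assumes those columns hold the unsigned 32-bit value of the first and last address and that rows are exported from `cerber_acl` as (ip, ip_long_begin, ip_long_end) tuples; the function names and sample rows are constructed for illustration.

```python
import ipaddress

SIGNED_32_MAX = 2**31 - 1  # addresses from 128.0.0.0 upward exceed this value

def expected_range(entry):
    """(begin, end) as unsigned 32-bit ints for a single IPv4 address,
    a four-part wildcard (188.40.151.*), a CIDR block or an a-b range."""
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        lo = ".".join("0" if o == "*" else o for o in octets)
        hi = ".".join("255" if o == "*" else o for o in octets)
    elif "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        lo, hi = str(net.network_address), str(net.broadcast_address)
    elif "-" in entry:
        lo, hi = (part.strip() for part in entry.split("-", 1))
    else:
        lo = hi = entry
    return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))

def audit_acl(rows):
    """Return one finding per row whose stored range differs from the
    range recomputed from its ip column."""
    findings = []
    for ip, stored_begin, stored_end in rows:
        stored = (int(stored_begin), int(stored_end))
        expected = expected_range(ip)
        if stored != expected:
            findings.append({
                "ip": ip,
                "stored": stored,
                "expected": expected,
                "zeroed": stored == (0, 0),
                # Noted for triage only; the thread does not establish a cause.
                "above_signed_32bit": expected[0] > SIGNED_32_MAX,
            })
    return findings

# Constructed sample rows (ip, ip_long_begin, ip_long_end), not real exports.
SAMPLE_ROWS = [
    ("5.9.10.11", 84478475, 84478475),
    ("125.1.2.0/24", 2097218048, 2097218303),
    ("188.40.151.103", 0, 0),
    ("188.40.151.*", 0, 0),
]

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ROWS):
        print(finding)
```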

  • The topic ‘Access list does not recognize some IPs’ is closed to new replies.