• Resolved INDRUNG

    (@indrung)


    Hi, thanks for the great work, I use your plugin on my http://www.gardenaquaponic.com

    I would like to ask some question about the plugin

    I think I’m being attacked

    404 Error 3 2015-11-07 17:58:57 162.210.198.23 /xmlrpc.php Details
    404 Error 3 2015-11-07 17:58:52 162.210.198.23 /xmlrpc.php Details
    404 Error 3 2015-11-07 17:58:01 162.210.198.23 /xmlrpc.php Details
    404 Error 3 2015-11-07 17:57:54 162.210.198.23 /xmlrpc.php Details

    I’ve banned his IP for accessing xmlrpc.php before, but he changed his target to wp-cron.php instead… The point is, the IP still accesses wp-cron.php after being banned, how can this be?

    404 Error 3 2015-11-07 20:35:19 162.210.198.23 /wp-cron.php Details
    404 Error 3 2015-11-07 20:34:09 162.210.198.23 /wp-cron.php Details
    404 Error 3 2015-11-07 20:32:54 162.210.198.23 /wp-cron.php Details
    404 Error 3 2015-11-07 20:31:12 162.210.198.23 /wp-cron.php Details

    https://wordpress.org/plugins/better-wp-security/

Viewing 13 replies - 1 through 13 (of 13 total)
  • Thread Starter INDRUNG

    (@indrung)

    After I set the lockout

    404 Error 3 2015-11-08 02:09:56 162.210.198.23 /wp-cron.php Details
    Host or User Lockout 10 2015-11-08 02:09:56 162.210.198.23 Details
    404 Error 3 2015-11-08 02:09:12 162.210.198.23 /wp-cron.php Details
    Host or User Lockout 10 2015-11-08 02:09:12 162.210.198.23 Details
    404 Error 3 2015-11-08 02:06:34 162.210.198.23 /wp-cron.php Details
    Host or User Lockout 10 2015-11-08 02:06:34 162.210.198.23 Details
    404 Error 3 2015-11-08 02:03:34 162.210.198.23 /wp-cron.php Details
    Host or User Lockout 10 2015-11-08 02:03:34 162.210.198.23 Details

    The details are:

    Query_string = Doing_wp_cron=1446923880.3463931083679199218750
    Query_string = Doing_wp_cron=1446924168.3734591007232666015625

    I don’t know what the objective is, but I’ve got a bad feeling about this and I can’t sleep well :"(

    @indrung

    Verify the following lines are in your WP root folder .htaccess file:

    # Ban Hosts - Security > Settings > Banned Users
    SetEnvIF REMOTE_ADDR "^162\.210\.198\.23$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^162\.210\.198\.23$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^162\.210\.198\.23$" DenyAccess

    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all granted
    Require not env DenyAccess
    Require not ip 162.210.198.23
    </RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from env=DenyAccess
    Deny from 162.210.198.23
    </IfModule>

    These lines are normally written to the .htaccess file by the iTSec plugin when banning a host.

    dwinden

    Thread Starter INDRUNG

    (@indrung)

    Right after the HackRepair.com’s blacklist feature
    Those exact same lines are there, but there are more lines after that

    # Ban User Agents - Security > Settings > Banned Users
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^162\.210\.198\.23 [NC]
    RewriteRule ^.* - [F]
    </IfModule>

    Thread Starter INDRUNG

    (@indrung)

    And the hits continue, it’s 1 minute... I’ve set the lockout for 60 minutes.
    Is something wrong here?

    404 Error	3	2015-11-08 10:36:30	162.210.198.23		/wp-cron.php		Details
    Host or User Lockout	10	2015-11-08 10:36:30	162.210.198.23				Details
    404 Error	3	2015-11-08 10:35:16	162.210.198.23		/wp-cron.php		Details
    Host or User Lockout	10	2015-11-08 10:35:16	162.210.198.23				Details
    404 Error	3	2015-11-08 10:35:16	162.210.198.23		/wp-cron.php		Details
    Host or User Lockout	10	2015-11-08 10:35:16	162.210.198.23				Details
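The symptom reported in the post above can be checked mechanically. This is an added example, not part of the original thread or the plugin: it parses log rows in the layout pasted here and lists 404 requests logged while an earlier lockout for the same IP should still have been in force. The function names are hypothetical and the 60-minute window is the setting mentioned in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A subset of the log rows posted in this thread (newest first, as pasted).
SAMPLE_LOG = """\
404 Error\t3\t2015-11-08 10:36:30\t162.210.198.23\t\t/wp-cron.php\t\tDetails
Host or User Lockout\t10\t2015-11-08 10:36:30\t162.210.198.23\t\t\t\tDetails
404 Error\t3\t2015-11-08 10:35:16\t162.210.198.23\t\t/wp-cron.php\t\tDetails
Host or User Lockout\t10\t2015-11-08 10:35:16\t162.210.198.23\t\t\t\tDetails
404 Error 3 2015-11-08 02:09:56 162.210.198.23 /wp-cron.php Details
Host or User Lockout 10 2015-11-08 02:09:56 162.210.198.23 Details
404 Error 3 2015-11-08 02:06:34 162.210.198.23 /wp-cron.php Details
Host or User Lockout 10 2015-11-08 02:06:34 162.210.198.23 Details
"""

# Event type, priority, timestamp, IP, optional request path.
ROW = re.compile(r"^(404 Error|Host or User Lockout)\s+\d+\s+"
                 r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)(?:\s+(/\S*))?")

def parse(log_text):
    """Return (kind, datetime, ip, path) tuples; unrecognised lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            kind, stamp, ip, path = m.groups()
            rows.append((kind, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), ip, path))
    return rows

def hits_during_lockout(log_text, lockout_minutes=60):
    """Map IP -> [(time, path, seconds since the lockout)] for 404s inside a lockout."""
    window = timedelta(minutes=lockout_minutes)
    lockouts, findings = defaultdict(list), defaultdict(list)
    for kind, ts, ip, path in sorted(parse(log_text), key=lambda r: r[1]):
        if kind == "Host or User Lockout":
            lockouts[ip].append(ts)
            continue
        # A 404 logged in the same second as a lockout is the one that triggered it.
        earlier = [t for t in lockouts[ip] if t < ts]
        if earlier and ts - earlier[-1] <= window:
            delay = int((ts - earlier[-1]).total_seconds())
            findings[ip].append((ts.isoformat(sep=" "), path, delay))
    return dict(findings)
```

Any non-empty result means requests from a locked-out host are still being served and logged, which is the cue to look at the web server configuration rather than the plugin settings.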
    Thread Starter INDRUNG

    (@indrung)

    I’ve put his IP in my cPanel’s IP address deny manager.
    It seems to be working tho

    @indrung

    Ok, I’ve reviewed all the info you provided so far.

    Let me start by saying a brute force attack is normally done by accessing the wp-login.php or xmlrpc.php files.
    These 2 scripts allow attackers to perform many login attempts.

    wp-cron.php is not a brute force script. It is used by WP to execute scheduled tasks according to a preset interval.

    If the scheduled task(s) start time has not expired, running wp-cron.php will not execute any task.

    However wp-cron.php does always load\initialize the WP framework.
    Since you are getting 404 log entries it seems there are resources missing in your WP website. You should fix those 404 errors.

    Because you have probably enabled the iTSec plugin 404 Detection setting the 404s are triggering host lockouts. After (default) 3 host lockouts the IP address is banned in the .htaccess file.

    All this still does not explain why the IP address is not banned by the webserver … It should work since the .htaccess file contains the expected host IP banning entries …

    You could contact your hosting provider and ask them.
    It may be relevant to find out the webserver version that is being used.

    Oh one last thing about these lines in the .htaccess file:

    # Ban User Agents - Security > Settings > Banned Users
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^162\.210\.198\.23 [NC]
    RewriteRule ^.* - [F]
    </IfModule>

    There is no point in banning the IP address as a USER_AGENT.
    So please delete the IP address from the Ban User Agents box.

    dwinden
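An added example, not part of the original reply or the plugin's code: a small audit that separates IP addresses banned as hosts from IP addresses mistakenly entered as user-agent patterns, the mix-up pointed out above. It also flags directive lines containing typographic quotes or dashes, which Apache treats as literal characters; that check, the function names and the sample text are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: directives as quoted in this thread, in plain ASCII.
SAMPLE_HTACCESS = r'''
SetEnvIF REMOTE_ADDR "^162\.210\.198\.23$" DenyAccess
<IfModule mod_authz_core.c>
<RequireAll>
Require all granted
Require not env DenyAccess
Require not ip 162.210.198.23
</RequireAll>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^162\.210\.198\.23 [NC]
RewriteRule ^.* - [F]
</IfModule>
'''

UA_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)", re.I | re.M)
HOST_BAN = re.compile(r"^\s*(?:Require\s+not\s+ip|Deny\s+from)\s+(\S+)", re.I | re.M)

def _as_ip(pattern):
    """Return the IP address a regex or literal spells out, or None."""
    literal = pattern.strip('"^$').replace("\\.", ".")
    try:
        return str(ipaddress.ip_address(literal))
    except ValueError:
        return None

def audit_bans(htaccess_text):
    """Report real host bans, IPs misfiled as user agents, and smart-quoted lines."""
    host_bans = {_as_ip(m.group(1)) for m in HOST_BAN.finditer(htaccess_text)}
    ua_rules = {_as_ip(m.group(1)) for m in UA_COND.finditer(htaccess_text)}
    # Curly quotes and en dashes are not directive syntax; comments are ignored.
    smart = [n for n, line in enumerate(htaccess_text.splitlines(), 1)
             if re.search("[\u201c\u201d\u2013]", line)
             and not line.lstrip().startswith("#")]
    return {
        "host_bans": sorted(host_bans - {None}),
        "ips_in_user_agent_rules": sorted(ua_rules - {None}),
        "typographic_lines": smart,
    }
```

An address listed under `ips_in_user_agent_rules` only matches a client whose User-Agent header begins with that text, so it blocks nothing by source address.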

    Since you are getting 404 log entries it seems there are resources missing in your WP website. You should fix those 404 errors.

    I just realized that it might be the wp-cron.php request itself that returns a 404 …
    This can happen when you rename, move or delete the wp-cron.php script…

    dwinden

    Thread Starter INDRUNG

    (@indrung)

    thank you for the reply

    I don’t have any scheduled tasks,
    Is it because my public_html .htaccess permission is 444 that the ban host is not working?
    wp-cron.php is still there in public_html; I didn’t rename, remove or delete it

    NB:
    I had Jetpack installed earlier, but I removed it because it said there was an error connecting to XML-RPC, something about xmlrpc not being available publicly. I couldn’t find a solution, so I decided to remove Jetpack.

    So I installed iThemes Security and mini orange 2 step auth login to secure my WP instead.
    And this is when I realized from my log that I was getting a lot of bot attacks on my xmlrpc.php and wp-cron.php; it went 404 because I’ve secured it using iThemes.

    And I think this attack is what caused my xmlrpc error in the 1st place; it changed something and caused the error in Jetpack.

    My question is:
    Is it OK to leave these 404s on xmlrpc and wp-cron? I mean, it went 404 because the bot didn’t find what it was looking for... I can feel heavy load on my server when this happens.

    @indrung

    I don’t have any scheduled tasks,

    I’m afraid this is not true.
    By default all WP env have built-in WP Cron tasks. Below is a list of these tasks:

    wp_maybe_auto_update twicedaily
    wp_version_check twicedaily
    wp_update_plugins twicedaily
    wp_update_themes twicedaily
    wp_scheduled_delete daily

    The iTSec plugin even adds 2 extra tasks:

    itsec_purge_logs daily
    itsec_purge_lockouts daily

    Is it because my public_html .htaccess permission is 444 that the ban host is not working?

    No, I don’t think that the 444 permissions have anything to do with it.
    Did you contact your hosting provider and ask?
    What webserver version are you using?

    wp-cron.php is still there in public_html; I didn’t rename, remove or delete it

    I accessed your wp-cron.php 30 times by using (apologies for the temp load):

    http://www.gardenaquaponic.com/wp-cron.php

    Indeed I’m able to access wp-cron.php but my IP is not locked out…
    Please check the iTSec Logs for any new 404 entries for IP starting with
    82.95.?.?

    dwinden

    Thread Starter INDRUNG

    (@indrung)

    It’s Apache version 2.4.16

    There are two:

    404 Error	3	2015-11-08 23:16:08	82.95.?.?		/readme.html		Details
    404 Error	3	2015-11-08 23:15:41	82.95.?.?		/.htaccess		Details

    So what could be wrong?

    @indrung

    I don’t know yet what is wrong. I’m just trying to help you find out.

    It seems requests to wp-cron.php are not returning a 404 for me but they did for the 162.210.198.23 IP address in the past … not sure why.
    Perhaps you can explain that. You mentioned this earlier:

    … it went 404 because I’ve secured it using iThemes

    What exactly did you do ? (I’m trying to understand what is happening so please bear with me).

    By the way I also tried the 2 entries you did find 404s for in the Logs.
    I hope you don’t mind.

    Still I’ve got no answers to your questions …

    I’ll do a quick test with banning and Apache 2.4.x just to make sure it still works. And I’ll let you know the result.

    dwinden

    Ok, I’ve done a quick test and banning definitely works with Apache 2.4.x
    So you must have an Apache webserver configuration issue.

    For the banning to work properly using Apache 2.4.x and .htaccess make sure the following modules are loaded:

    mod_setenvif
    mod_authz_core

    For some reason your .htaccess file is not functioning properly.

    When I try and access the url below:

    http://www.gardenaquaponic.com/readme.html

    I get a WP 404 page.

    Assuming you have enabled the iTSec plugin Protect System Files setting in the System Tweaks section of the Settings page it should display something like this (403):

    Forbidden

    You don’t have permission to access /readme.html on this server.
    Apache/2.4.16 OpenSSL/1.0.1h Server at http://www.gardenaquaponic.com Port 80

    So I think it is best to contact your hosting provider support and ask for their help to solve your webserver issue.

    dwinden

    Thread Starter INDRUNG

    (@indrung)

    It’s my folder & file permission setting,
    I think it’s OK now,
    Thank you very much Mr. Dwinden, it’s resolved

  • The topic ‘ban host is not working’ is closed to new replies.