Hi
Can you check your HTTP access log and paste here the browser/user-agent signatures that were blocked?
Rule 306 deals with bogus (fake, old) UA signatures.
I can’t seem to find it in any of the server logs. Not being logged?
You can also check NinjaFirewall’s log, it will display a similar line:
09/Dec/15 13:27:20 #5680277 medium 306 xxx.xx.11.95 GET /index.php – Bogus user-agent signature – [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)]
Right. Doh! Just a sec, my log on one site is being hammered right now…
This is not the related item – it is the one I am being nailed with at the moment. Glad they are being blocked.
10/Dec/15 11:57:46 #0000000 info – 166.62.91.110 POST /wp-admin/admin-ajax.php – Sanitising user input – [REQUEST: [“Better WP Security”,”Secure WordPress”,”Wordpress Firewall”,”Bad Behavior”,””]]
10/Dec/15 11:57:46 #0000000 info – 166.62.91.110 POST /wp-admin/admin-ajax.php – Sanitising user input – [REQUEST: [“”]]
Not the right one… this is.
10/Dec/15 05:55:27 #4729499 medium 306 104.238.101.138 POST /wp-admin/admin-ajax.php – Bogus user-agent signature – [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)]
10/Dec/15 05:55:31 #3610215 medium 306 104.238.101.138 POST /index.php – Bogus user-agent signature – [SERVER:HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)]
Here it is: Line 98. There are a total of 6 occurrences in that file.
It pretends to be an Internet Explorer 5.0 (which was released in March 1999) running on Windows 2000 (NT 5.0).
Obviously, it is detected as a bogus UA, and blocked by NinjaFirewall rule ID 306.
The problem is that many WAFs are likely going to block it too.
I suggest contacting the author and asking him whether he would like to change the signature.
Since the plugin is MainWP and service is mainwp.com, a signature like this one would be better IMHO:
Mozilla/5.0 (compatible; MainWP/2.0.30; +http://mainwp.com)
Yes, I am going to pass that on to them. I have NF running everywhere and had to manually go to each and disable rule 306. No fun at all.
Thanks for everything!
Barry & Nintechnet we just released a Beta that has the suggested changes added if you want to test that version.
I am getting ready to add sites to the Beta now. I would say wish me luck, but I really don’t think I need it :)
Thank you for your time and help folks!
The beta is running on ten sites and I have started turning rule 306 back on. No issues so far, so it looks like the new MainWP has this fixed.
Barry
Thanks for your help, Mainwp.
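To see which client signature is tripping rule 306 before switching the rule off, the firewall log lines quoted in this thread can be tallied by user agent. This is an added example, not part of the original posts and not NinjaFirewall code; the field layout is inferred from the quoted lines, and the sample entries are constructed with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Layout inferred from the log lines quoted in the thread (an assumption, not a
# documented format). The field separator may be "-" or an en dash (\u2013).
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\w{3}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"#(?P<incident>\d+) (?P<level>\w+) (?P<rule>\d+|[-\u2013]) "
    r"(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) [-\u2013] "
    r"(?P<reason>.+?) [-\u2013] \[(?P<detail>.*)\]\s*$"
)
UA_PREFIX = "SERVER:HTTP_USER_AGENT = "

def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_rule(lines, rule_id="306"):
    """Group hits for one rule by blocked user agent, most frequent first."""
    hits, sources = Counter(), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rule"] != rule_id:
            continue  # unparseable line, or an entry for another rule
        if not rec["detail"].startswith(UA_PREFIX):
            continue  # rule hit that does not carry a user-agent detail
        ua = rec["detail"][len(UA_PREFIX):]
        hits[ua] += 1
        sources[ua].add((rec["ip"], rec["path"]))
    return {ua: {"count": n, "sources": sorted(sources[ua])}
            for ua, n in hits.most_common()}

# Constructed sample entries modelled on the lines quoted in the thread.
UA_IE5 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SAMPLE_LOG = [
    f"10/Dec/15 05:55:27 #4729499 medium 306 203.0.113.10 POST /wp-admin/admin-ajax.php - Bogus user-agent signature - [{UA_PREFIX}{UA_IE5}]",
    f"10/Dec/15 05:55:31 #3610215 medium 306 203.0.113.10 POST /index.php \u2013 Bogus user-agent signature \u2013 [{UA_PREFIX}{UA_IE5}]",
    f"10/Dec/15 06:10:02 #1122334 medium 306 203.0.113.10 POST /wp-admin/admin-ajax.php - Bogus user-agent signature - [{UA_PREFIX}{UA_IE5}]",
    '10/Dec/15 11:57:46 #0000000 info - 203.0.113.20 POST /wp-admin/admin-ajax.php - Sanitising user input - [REQUEST: [""]]',
    f"09/Dec/15 13:27:20 #5680277 medium 306 198.51.100.7 GET /index.php - Bogus user-agent signature - [{UA_PREFIX}{UA_IE6}]",
    "truncated or unrelated line",
]

if __name__ == "__main__":
    for ua, info in summarize_rule(SAMPLE_LOG).items():
        print(info["count"], ua, info["sources"])
```

A signature that recurs from your own management host against `/wp-admin/admin-ajax.php` points at a legitimate tool with an outdated user agent rather than at hostile traffic, which is the case this thread resolved by changing the plugin's signature.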