IP Detection Error; Cookie Based Brute Force Lockout

Hi @pcde,

If CBBFP is disabled via wp-config.php using below constant.

define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);

and it allow to login then it is the CBBFP probem.

do yo try access using the secretword login page as scecret word cookie is for only 24 hrs you have to access agian using that. it is not changed.

{siteurl}?{secretword}=1

Also the Cookie based bruteforce recently nothing more chagned.

The IP detection method you select is of dropdown the three suggestion try shows your current IP address. but you should cross check with https://whatismyipaddress.com/

So hope it is not login whitelist IP issue.

Yes, when I disable CBBFP via wp-config I can login again normally (I also use the AIOS Rename Login Page feature secret word).

What is interesting (or confusing) is, I also have a staging website that is identical to my live website — same server, same code, same plugins, same everything, except the staging site does not use Cloudflare. CBBFP works normally there. No issue at all. Even though the Settings > Advanced > IP Detection shows the same red IP address failure message as the live site. (On the staging site, some plugins are not activated during development, eg Autoptimize, but I have tried turning them on/off to see if they were affecting anything and apparently they are not.)

As for the Settings > Advanced > IP detection, the IP address that is listed in the dropdown menu appears is correct. Generally it is the IPv6 that is active, but sometimes it selects the IPv4. The only unusual thing (other than the red failure message) is that only the REMOTE ADDR and CF_CONNECTING_ options are available. IIRC all the options were available before.

Regarding the Whitelist IP issue, I am not familiar with that. Is there anything I can check to see if that is the issue and correct it? My only experience with the IP Whitelist is about a year or more ago I activated the IP Whitelist feature to try it out and successfully locked myself out of the website. lol Thankfully you guided me in deactivating it, I turned it off, and it has never been an issue since.

One question: I have certain AS#’s blocked by Cloudflare. Is AIOS dependent on any particular AS# or IP’s having access to the origin server? Or does it need to access any certain php files that maybe I have blocked by accident?

I am at a loss. Any suggestions you have are appreciated. Will try anything. This issue only started about a month ago, maybe two.

My thanks again.

Hi @pcde,

I have cross-checked on one of my sites which uses Cloudflare and hosted on godaddy It do not have issue for CBBFP.

Do cookies are allowed for your site in the browser?

And it is not the browser cache issue , try in incognito window with correct secretword {site_url}?{secretword}=1

I will create internal ticket for to check in more details.

Regards

Thank you so much for your help looking in to this. I am going to try some more troubleshooting over the weekend to see if maybe I missed something. One thing I can tell you is the problem is the same no matter what browser I use (Safari, Chrome, Firefox) and no matter what computer I am using. So that much I know. I have cleared all browser caches, the Cloudflare cache, and the website cache with no change. I have not yet spoken with my hosting provider to see if they may be playing a part (which seems unlikely to me).

I’m really hoping I’ve just overlooked something simple. My thanks again!

• This reply was modified 9 months, 3 weeks ago by pcde.

Hi @pcde,

Ok, keep me posted if you find anything,

{site_url}?{secretword}=1 here accessing the site with secretword cookies is set for 24 hours loads the login page instead redirect to 127.0.0.1.

for the next request for login page it allows to load the login page for next 24 hrs as cookies posted back by browser

After 24 hrs have to use {site_url}?{secretword}=1 again.

We will try cross check in more detail from our end also.

Regards

Hi again. Just an update for you — no progress unfortunately. I went so far as to deactivate every single other plugin except AIOS (on my staging website which does not use Cloudflare) and that made no difference. Both the live site and the staging site show the same red IP detection failure error message (in Settings > Advanced). However on my staging website CBBFP continues to work as it should. But on the live site CBBFP works for a while after activation and then stops and has to be deactivated via wp-config. (Reminder: the live site uses Cloudflare).

It’s so odd. Is there anything else I can do to help? I am out of ideas.

My thanks again for your help.

Hi @pcde,

Can you please share your site URL and if possible secret word you use for to access the login page using https://pastebin.com/ with burn after read option to cross check it.

For cloudflare you have added your domain as website and the hosting server IP is set as A records to point the hosting server.

Let me know if you have any other way cloudflare website settings.

Regards

Hi again — Thank you so much for the offer to log in to my website/CF etc. I think before we do that I want to try one more thing myself.

(Sorry , this is a long message…)

Since the CBBFP works perfectly on my staging website, and my staging website is exactly the same as my live website (same server too) except it does not use CF, then logically it would seem that the problem must have something to do with my CF setup. But that said… even when I disable CF on the live website the problem remains.

Also, the separate issue (that may or may not be related) of Settings > Advanced, the ipify service is returning a red: failure: error() for CF, IPv4, and IPv6. This is happening on both my staging website and my live website. On occasion ipify returns the IP’s correctly, but most often not. this never used to happen. The IP does appear correctly in the dropdown list below the ipify data. This issue has nothing to do with CF and when I go to any other IP service (such as What Is My IP Address which you link to above) every service returns my IP’s correctly.

I noticed that ipify uses as specific IP and AS#. I have made sure those are not blocked, but can you tell me if there are any other IP’s or AS#’s or services that AIOS is dependent on for its operation? I want to make sure nothing necessary is blocked.

As it stands, on the live website (that uses CF) CBBFP works perfectly for a period of time after being activated but then sometime shortly after that starts redirecting to 127.0.0.1. So my best guess is somehow on the live website the CBBFP cookie is being deleted, or not being saved, or not being found, or is expiring prematurely. I recall that there was a “cookie write test” when I first activated the CBBFP feature. I have not had to re-do that test in a long time. Is there a way to re-activate that test to see if it is still passed successfully?

Anyways, I am going to revisit everything at CF (again) and see if I missed finding some setting that is not as it should be (including my DNS settings, though my DNS settings have not changed since before these problems started). I will also talk with my ISP and see if there is some permissions or other issue that might be affecting the CBBFP cookie being written. I welcome any other suggestions you may have.

I the mean time, if you could please look in to why ipify is no longer working as it should. It would be good to fix that to rule it out as a part of the problem.

Thanks! Eventually we will figure this out.

Hi @pcde

If cookies are set you can cross-check Browser > Dev Tools > Application > Cookies > site cookies if have aios_brute_force_secret_ cookie then cookie is set and you can corss check Expires at.

https://snipboard.io/LGtNlE.jpg

For IP detection

https://snipboard.io/hdD6z9.jpg

Ipv4, Ipv6 and coulfalre suggestions are based on below links. The actula IP detection is what you set in dropdown SERVER variable make sure it is correct and matches with https://whatismyipaddress.com/ at bottom it shows “Your IP address if using this setting: ” and it depends on the $_SERVER server variable.

https://api.ipify.org?format=json

https://api64.ipify.org?format=json

https://www.cloudflare.com/cdn-cgi/trace

Regards

Thanks for this info. I am working on it.

Quick question: Could the PHP version I am using have anything to do with this? I am using v8.2. Thx.

FYI: So far I’ve confirmed that the AIOS cookie is there and it has the correct expiration date, so that much is good to know. But it is still a big mystery why I’m being redirected. ipify is still showing a red failure message but the IP address in the dropdown is correct.

Hi,

No, php8.2 should not have any problem.

It is strange that aios_brute_force_secret_ cookies is set and it do not allow to load login page and defining below constant it allows.

define('AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION', true);

Please cross check the aiowps_permanent_block or wp_aiowps_login_lockdown table do not have your IP blocked some how.

OK… I think I’ve discovered something… I’m still verifying the fix but… as far as the ipify failure issue goes, I am pretty sure is was caused by the AdGuard ad blocker browser extension. I am thinking an extension filter update a while back maybe started blocking ipify? I disabled/removed the extension last night and cleared the Cloudflare cache and presto, no more ipify failure messages. CBBFP also started working again at the same time (but CBBFP had stopped working again by this morning).

My only uncertainty about this ipify fix is that today, on my other computers that still have AdGuard installed, ipify is also working. So maybe AdGuard is not the problem? Or perhaps there was another AdGuard filter update overnight that fixed it? IDK. I am observing and waiting to see if this fix sticks. I’ll keep you posted. (And I will check those two DB tables you mention. Thanks.)

Amazingly, at the moment the CBBFP is also working on all my computers. But this is not unusual for it to work again for a period of time after I disable it via wp-config and then re-enable it. So that fix is also TBD. We’ll see how long it lasts. But as of right now I have successfully logged on 3 different computers using 2 different browsers (Safari and Chrome).

Keep your fingers crossed.

PS – I spoke with my ISP last night for a loooong time and they confirmed that all my CF DNS settings are correct. Also that there was nothing in their logs that pointed to any sort of error. So at least that is eliminated as a possible cause. Cheers.

UPDATE: I have isolated the cause of the ipify “failure: error()” response specifically to the AdGuard Extension Privacy filter. I can turn the error on/off at will simply by activating or deactivating the Privacy filter. After doing excessive debugging however now the “IP address according to Cloudflare” responds correctly without error and only the two “IP address according to Ipify” responses fail. Also odd, this is now only happening on my MacBook Pro which is older so not running the latest OS, but all the apps are up to date. Anyways, something about Ipify and the Privacy filter and my MacBook don’t get along. This happens exactly the same in Safari, Firefox, and Chrome.

That’s all the energy I have for this particular issue. Maybe you and the folks at Ipify can sort the rest out.

And in other UPDATE news… I have the CBBFP working correctly on all computers. It’s been working for a few days now but I don’t know yet what exactly is/was at the root of the problem. I disabled Cloudflare completely and put the website in maintenance mode for the time being to protect it while CF is disabled. I am slowly adding back all my CF rules one at a time to see what might trigger the error again. Or if maybe taking the site out of maintenance mode is what triggers it (I doubt it, but who knows). So the fix is still a work in progress. I figure it will take about a week to go through reactivating everything and (hopefully) get a definitive answer.

That’s all the news for today…

OK… well, I have done everything I can think to do but unfortunately the CBBFP problem remains the same. I am at a loss to explain it. I have…

1. Disabled all plugins except AIOS and reverted to a default theme, disabled/cleared all caches, and disabled Cloudflare… all at the same time. No change.
2. Consulted with my IP/Hosting provider, checked all logs, looked for any errors (there were none), cleared all DNS and server caches… no change.

The CBBFP cookie is still being written correctly and has the correct expiry date. But as before, after activating the CFFBP feature it works correctly for a short time, but after that period of time, for whatever reason, the plugin seems to no longer be able to read the cookie and the error repeats. How much time CBBFP continues to work correctly after each on/off reset is different each time it is done. What determines that amount of time remains a mystery.

I can still bypass CBBFP via wp-config without issue. There were a few times during all my troubleshooting when I thought I might have affected something, but it turned out that after disabling CBBFP and then re-enableing it, for whatever reason it just kept working correctly for a little bit longer than usual before it once again stopped working in the same way.

TLDR; I still have no idea what is triggering CBBFP to stop working.

At this point my only remaining guesses are:

1. CBBFP makes a call to some external IP or AS# and I inadvertently have that IP/AS# blocked via CF and thus am blocking plugin access to the CBBFP cookie. Does CBBFP make any such external IP/AS# calls? I am not able to determine this via Cloudflare logs so must rely on you for this info. It is an easy fix if this external IP/AS# theory is correct.
2. I have no guess #2. I am at a loss to explain this. I have explored absolutely every possible thing I can think of and am capable of exploring.

I really hope you can help figure this out. I am beyond exhausted. Thx. I remain hopeful…

Hi @pcde,

No, CBBFP? feature do not required vistor IP it just check is admin area or login page trying to acccess then allow if ?{secret-word}=1 is set in browser location or cookie set.

It is strange that cookie is written proerply and valid and still redirects to 127.0.0.1 and the AIOS_DISABLE_COOKIE_BRUTE_FORCE_PREVENTION it allows to load the login page and then it works for a while more than 24 hrs.

Regards