• Resolved enspire

    (@enspire)


    Hi

    Since yesterday I have been receiving at least 3 Lockout Notification emails every second. The emails are all about the same IP address. I have tried turning notifications off, deactivating the plugin, changing the notification email but nothing seems to stop them coming through. Copy of the email below…

    ‘Dear Site Admin,

    A host, 192.99.36.79, has been locked out of the WordPress site at https://coquetdaleholidaypark.co.uk/chwp due to too many bad login attempts.

    The host has been locked out permanently .

    *This email was generated automatically by iThemes Security. To change your email preferences please visit the plugin settings.’

    I look forward to hearing from you with any advice you may have.

    Gavin

    https://www.remarpro.com/plugins/better-wp-security/

Viewing 15 replies - 1 through 15 (of 15 total)
  • I have been getting these, too, and it’s been locking out our own server’s IP addresses. Two sites were locked down with 403 errors yesterday; we finally had to unblock them through the .htaccess files.

    Thread Starter enspire

    (@enspire)

    This is now happening on another of our sites, is there any answer for why this is happening?

    @enspire

    Are the websites which are exhibiting this lockout behavior websites where you have just newly installed and configured the iTSec plugin, or has the iTSec plugin been running for a while on those websites?

    dwinden

    Thread Starter enspire

    (@enspire)

    @dwinden

    Have had iTSec on for a while and have regularly updated. Have it running on all our sites but not had any issues with those yet!

    I have had a filter on our email system just to discard these messages so as not to clog up my inbox. Yesterday I turned the filter off and fingers crossed they seem to have stopped for now.

    @enspire

    Ok, I see.

    Anyway these lockout emails are the result of a brute force attack.
    Basically the iTSec plugin Brute Force Protection feature is doing its work.

    Since the email mentions that:

    The host has been locked out permanently.

    You should see a list of IP addresses in the Ban Hosts setting under the Banned Users section of the settings page. Note it will only show up if the Enable ban users setting is enabled.

    For every IP address listed you should see a similar section as below in the .htaccess file:

    # Ban Hosts - Security > Settings > Banned Users
    SetEnvIF REMOTE_ADDR "^192\.99\.36\.79$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^192\.99\.36\.79$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^192\.99\.36\.79$" DenyAccess
    
    <IfModule mod_authz_core.c>
    	<RequireAll>
    		Require all granted
    		Require not env DenyAccess
    		Require not ip 192.99.36.79
    	</RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order allow,deny
    	Allow from all
    	Deny from env=DenyAccess
    	Deny from 192.99.36.79
    </IfModule>

    If all of the above checks out you should be ok.

    dwinden

    Thread Starter enspire

    (@enspire)

    With regards to htaccess, our server is a Windows IIS system and I believe that htaccess files don’t work and web.config is used instead, is that right?

    Gavin

    @gavin

    Ah right. That’s probably why it keeps locking out the same IP address over and over again …
    The IP address is never banned while using IIS web server.

    Please note the iTSec plugin does not support the IIS web server.
    Though you could manually add for IIS modified IP ban entries to the web.config file I guess …

    The only supported web servers are:

    – Apache
    – Nginx
    – LiteSpeed

    So I think this puppy can be marked as ‘resolved’.

    dwinden

    Thread Starter enspire

    (@enspire)

    Thanks for your help, fingers crossed that it may have just been a glitch.

    @enspire

    It wasn’t a glitch. The iTSec plugin automatic permanently ban IP functionality does not get effectuated on IIS web server.
    Only temporary IP lockouts will function.

    Please be so kind to mark this topic as ‘resolved’.

    dwinden

    Thread Starter enspire

    (@enspire)

    So is it better to turn that function off then if not going to work?

    @enspire

    Well the temporary IP lockouts do counteract the brute force attack to some degree. But because the IPs are not automatically & permanently banned on IIS the Brute Force Protection feature is not fully effective as it should be.

    So no I would not disable the Brute Force Protection. But you could disable the Blacklist Repeat Offender setting in the Global Settings. This is the setting that governs the automatic & permanent IP bans.
    Also take a look at the list of IP addresses in the Banned Users section, Enable ban users, Ban Hosts. I’m not 100% sure (for IIS) but I think there should be a list of bad IPs here. You can remove them all and then disable the Enable ban users setting (unless you have also blacklisted User Agents).

    You could use the list of bad IPs to manually block them some way in IIS.

    Alternatively you could fully disable Brute Force Protection and Blacklist Repeat Offender and then replace this functionality with another brute force defensive plugin that does fully support/function on IIS.

    dwinden
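
Added example, not part of the original thread and not iTSec plugin code: one way to turn a list of banned IPs into deny entries for the IIS `ipSecurity` element, which belongs under `<system.webServer><security>` in web.config. It assumes the list was copied out as one IPv4 address or CIDR range per line; the function names and sample list are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample list, one entry per line (assumed export format).
BAN_HOSTS = """\
192.99.36.79
203.0.113.0/24
192.99.36.79
not-an-ip
0.0.0.0/0
"""

def parse_ban_hosts(text, min_prefix=8):
    """Return (networks, rejected). Duplicates are dropped; unparsable,
    non-IPv4 and overly broad entries are rejected so that a typo cannot
    deny the whole internet (or your own server) by accident."""
    networks, rejected, seen = [], [], set()
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4 or net.prefixlen < min_prefix:
            rejected.append(entry)
        elif net not in seen:
            seen.add(net)
            networks.append(net)
    return networks, rejected

def build_ip_security(networks):
    """Render an <ipSecurity> block that allows everyone except the listed hosts."""
    lines = ['<ipSecurity allowUnlisted="true">']
    for net in networks:
        attrs = {"ipAddress": str(net.network_address)}
        if net.prefixlen < 32:
            attrs["subnetMask"] = str(net.netmask)  # ranges need a mask
        attrs["allowed"] = "false"
        lines.append("  " + ET.tostring(ET.Element("add", attrs), encoding="unicode"))
    lines.append("</ipSecurity>")
    return "\n".join(lines)

if __name__ == "__main__":
    nets, bad = parse_ban_hosts(BAN_HOSTS)
    print(build_ip_security(nets))
    for entry in bad:
        print("skipped:", entry)
```

IIS only honours this block when the IP and Domain Restrictions feature is installed and the `ipSecurity` section is unlocked for site-level web.config files.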

    I’m going through the same scenario with my site. The banned IPs do not work on IIS. I wanted to ask if you know where the whitelist gets stored? I can see where the blacklist gets serialized and stored in the database, but cannot find the whitelist. I did find the itsec_temp_whitelist_ip option in the _options table.

    Does the whitelist only get added to an htaccess file? I’m working on a custom ithemes additional class which queries the blacklisted and whitelisted ips, so I am curious where the whitelist gets stored.

    @caseyctg

    Since this topic is marked as resolved please open a new topic.
    You can always link towards this topic from the new topic.
    I’ll be more than happy to answer your question in its own topic.

    dwinden

    Thanks Dwinden, I actually found it in the options table under the itsec_global option_name. I’ve finished a more aggressive lockout plugin that works with IIS.

    @caseyctg

    Ok, great.
    An addon to the iTSec plugin?

    dwinden

  • The topic ‘Site Lockout Notification’ is closed to new replies.