As of BPS Pro 8.3, two new Security Log fields have been added to Security Logging: Event Code and Solution. In Phase 1 of Security Log Solution Targeting the primary focus is on detecting possible Plugin Skip/Bypass rule, Plugin Firewall Whitelist Rule (BPS Pro only) and UAEG Whitelist Rule (BPS Pro only) issues that require a one-time solution. Since 99.99% of Security Log entries are blocked/forbidden hackers, spammers, scrapers, harvesters, miners, bad bots, etc., the Security Log checking conditions can and should be streamlined and performance optimized by only looking for pattern matches in a broad scope.
Important Notes:
– The Security Logging code has been significantly improved in BPS Pro 8.3. Logging is more streamlined, performance optimized & faster than in previous BPS versions, even with the new general conditional pattern checking code added.
– The conditional Security Logging pattern check will only do a general pattern check and not attempt to determine 100% with additional checks if a log entry is definitely a Plugin Skip/Bypass rule vs a hacker randomly probing for a plugin that has known vulnerabilities. Adding additional checks such as that would cause unnecessary website/Server resource drain/slowness.
– Phase 2 Security Log Solution Targeting will be refined based on results of Phase 1 Live implementation.
– The Security Log can be searched by Event Code. Phase 2 development is looking at using the Event Codes in a troubleshooting tool that will extract log entries and automatically generate the solution. Since this is a user-initiated processing tool in the protected backend of a site, it does not have the potential for abuse that automating it on the frontend of the site in the Security Logging mechanisms/processing would have.
– There are 4 primary one-time events: Plugin Skip/Bypass Rules, wp-admin Skip/Bypass Rules, Plugin Firewall Whitelist Rules & UAEG Whitelist Rules. These are one-time events that are permanently fixed by creating a whitelist rule. The ratio of known issues is somewhere in the neighborhood of 0.2% of all WordPress Plugins, or 60 out of 30,000 WordPress Plugins, that require some sort of whitelist rule.
Event Codes:
BFHS: Blocked/Forbidden Hacker or Spammer (approximately 99.99% of all log entries will have this Event Code)
HPR: Hacker Probe/Recon
PSBR: Plugin Skip/Bypass Rule
WPADMIN-SBR: wp-admin Skip/Bypass Rule
PFWR: Plugin Firewall Whitelist Rule (BPS Pro only)
UAEGWR: Uploads Anti-Exploit Guard Whitelist Rule (BPS Pro only)
Example Logged Fields/Scenarios:
Event Code: PFWR-PSBR-HPR (3 relevant fields to check & 3 possible causes)
SERVER_PROTOCOL: HTTP/1.1
REQUEST_URI: /wp-content/plugins/xyz-plugin/js/xyz-plugin-script.js
HTTP_USER_AGENT: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; InfoPath.1; SV1; .NET CLR 3.8.36217; WOW64; en-US)
The Event Code indicates this could either be a random hacker recon/probe or Plugin Skip/Bypass rule that needs to be created or a Plugin Firewall whitelist rule (BPS Pro only) that needs to be created.
Solution: If the plugin is actually installed/exists & the Server Protocol is HTTP/1.1 and not HTTP/1.0 and the User Agent is not blank/empty then either a Plugin Skip/Bypass rule needs to be created or a Plugin Firewall whitelist rule (BPS Pro only) needs to be created. If the Server Protocol is HTTP/1.0 or the User Agent is blank then the odds are very high that this is a random hacker recon/probe. If the plugin is NOT actually installed on the website then this is a 100% confirmed random hacker recon/probe. Searching the Forum will produce any documented solutions for Plugin Skip/Bypass rules by searching using the plugin’s name as the search word/term. For Plugin Firewall whitelist rules see this Forum Topic link: http://forum.ait-pro.com/forums/topic/plugin-firewall-read-me-first-troubleshooting/
Event Code: WPADMIN-SBR (2 relevant fields to check – only 1 possible cause and solution)
HTTP_REFERER: http://[domain name removed for privacy]/wp-admin/post.php?post=287&action=edit
REQUEST_URI: /wp-content/plugins/sublimevideo-official/tinymce/sv-insert.php?%27webkitAllowFullScreen=%271

HTTP_REFERER: http://[domain name removed for privacy]/2014/01/02/fallouts-classic-catalogue-removed-from-gog-due-to-rights-issue/
REQUEST_URI: /blog/wp-admin/curate-this.php?u=http%3A%5C%2F%5C%2F[domain name removed for privacy]%5C%2F2014%5C%2F01%5C%2F02%5C%2Ffallouts-classic-catalogue-removed-from-gog-due-to-rights-issue%5C%2F&t=Fallout%27s%20classic%20catalogue%20removed%20from%20GOG%20due%20to%20rights%20issue%20%7C%20PC%20Gamer&s=&v=4

HTTP_REFERER: http://[domain name removed for privacy]/wp-admin/admin.php?page=formidable-settings
REQUEST_URI: /wp-admin/index.php?plugin=formidable&controller=settings&frm_action=process-form&action=process-form&_wpnonce=6b6ef1c65d
Solution: There are 2 relevant fields to check for Event Code WPADMIN-SBR: the HTTP_REFERER and REQUEST_URI logging fields. If the Referer or Request URI has /wp-admin/ in the path, then these requests are being blocked by BPS in the wp-admin .htaccess file and a Skip/Bypass rule needs to be created for the wp-admin .htaccess file by adding it to BPS Custom Code. Typically either a wp-admin file needs to be whitelisted in the Skip/Bypass rule or a Query String needs to be whitelisted. Searching the Forum will produce any documented solutions for wp-admin Skip/Bypass rules by searching using the plugin’s name as the search word/term.
Event Code: UAEGWR-HPR (1 relevant field to check – 2 possible causes)
REQUEST_URI: /wp-content/uploads/avada.js
Solution: There is 1 relevant field to check for Event Code: UAEGWR-HPR. The REQUEST_URI logging field. Either a plugin or theme is storing and calling/requesting a .js, .swf or other file type from the WordPress /uploads folder and it is being blocked by BPS or this is a random hacker probe/recon. If the file shown in the Request URI does not actually exist on the website then this is a 100% confirmed random hacker probe/recon. For UAEG whitelist rules see this Forum Topic link: http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
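The three scenarios above boil down to a broad pattern match (to assign the Event Code) followed by a few per-code checks (to pick the Solution). The following Python script, added here as a worked example and not code from BPS Pro itself, runs those rules over a handful of constructed log entries. The precedence of the pattern checks (wp-admin before plugins before uploads), the placeholder plugin names and host, and the in-memory stand-ins for "is the plugin installed" and "does the uploads file exist" are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log entries modelled on the field layout shown in the examples above.
# The host name and plugin/file names are placeholders, not real sites or plugins.
SAMPLE_ENTRIES = [
    {   # installed plugin asset, HTTP/1.1 and a real User-Agent -> a whitelist rule is needed
        "SERVER_PROTOCOL": "HTTP/1.1",
        "REQUEST_URI": "/wp-content/plugins/xyz-plugin/js/xyz-plugin-script.js",
        "HTTP_USER_AGENT": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0)",
        "HTTP_REFERER": "",
    },
    {   # plugin that is not installed on the site -> 100% confirmed probe
        "SERVER_PROTOCOL": "HTTP/1.1",
        "REQUEST_URI": "/wp-content/plugins/not-installed-plugin/readme.txt",
        "HTTP_USER_AGENT": "Mozilla/5.0",
        "HTTP_REFERER": "",
    },
    {   # installed plugin, but HTTP/1.0 and a blank User-Agent -> very likely a probe
        "SERVER_PROTOCOL": "HTTP/1.0",
        "REQUEST_URI": "/wp-content/plugins/xyz-plugin/readme.txt",
        "HTTP_USER_AGENT": "",
        "HTTP_REFERER": "",
    },
    {   # request blocked by the wp-admin .htaccess file (query string needs whitelisting)
        "SERVER_PROTOCOL": "HTTP/1.1",
        "REQUEST_URI": "/wp-admin/index.php?plugin=formidable&controller=settings&action=process-form",
        "HTTP_USER_AGENT": "Mozilla/5.0",
        "HTTP_REFERER": "http://example.invalid/wp-admin/admin.php?page=formidable-settings",
    },
    {   # request for a script in /uploads, blocked by UAEG
        "SERVER_PROTOCOL": "HTTP/1.1",
        "REQUEST_URI": "/wp-content/uploads/avada.js",
        "HTTP_USER_AGENT": "Mozilla/5.0",
        "HTTP_REFERER": "",
    },
    {   # anything else: the 99.99% case
        "SERVER_PROTOCOL": "HTTP/1.1",
        "REQUEST_URI": "/?author=1",
        "HTTP_USER_AGENT": "",
        "HTTP_REFERER": "",
    },
]

# Constructed inventories standing in for "is the plugin installed" / "does the file exist".
INSTALLED_PLUGINS = {"xyz-plugin", "formidable"}
EXISTING_UPLOAD_FILES = set()   # avada.js is deliberately absent, so it triages as a probe

PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/?]+)")
UPLOADS_RE = re.compile(r"^/wp-content/uploads/")


def event_code(entry):
    """Broad pattern match only, as the page describes: no extra checks, no file-system access.
    Check order is an assumption, chosen so that a plugin URI with a /wp-admin/ referer
    (the sublimevideo example above) lands on WPADMIN-SBR."""
    uri = entry.get("REQUEST_URI", "")
    referer = entry.get("HTTP_REFERER", "")
    if "/wp-admin/" in uri or "/wp-admin/" in referer:
        return "WPADMIN-SBR"
    if PLUGIN_RE.match(uri):
        return "PFWR-PSBR-HPR"
    if UPLOADS_RE.match(uri):
        return "UAEGWR-HPR"
    return "BFHS"


def solution(entry, installed_plugins=INSTALLED_PLUGINS, upload_files=EXISTING_UPLOAD_FILES):
    """Apply the decision rules from the Solution paragraphs above to one log entry."""
    code = event_code(entry)
    uri = entry.get("REQUEST_URI", "")
    if code == "PFWR-PSBR-HPR":
        slug = PLUGIN_RE.match(uri).group(1)
        if slug not in installed_plugins:
            return "HPR: plugin not installed, confirmed probe; no action"
        if entry.get("SERVER_PROTOCOL") == "HTTP/1.0" or not entry.get("HTTP_USER_AGENT"):
            return "HPR: HTTP/1.0 or blank User-Agent, very likely a probe; no action"
        return f"create Plugin Skip/Bypass or Plugin Firewall whitelist rule for '{slug}'"
    if code == "WPADMIN-SBR":
        parts = urlsplit(uri)
        kind, target = ("query string", parts.query) if parts.query else ("file", parts.path)
        return f"create wp-admin Skip/Bypass rule in BPS Custom Code whitelisting {kind} '{target}'"
    if code == "UAEGWR-HPR":
        if uri not in upload_files:
            return "HPR: file does not exist in /uploads, confirmed probe; no action"
        return f"create UAEG whitelist rule for '{uri}'"
    return "BFHS: blocked hacker/spammer; no action"


def triage(entries, **kwargs):
    """Return (Event Code, Solution) for every entry; kwargs pass through to solution()."""
    return [(event_code(e), solution(e, **kwargs)) for e in entries]


if __name__ == "__main__":
    for code, action in triage(SAMPLE_ENTRIES):
        print(f"{code:14} {action}")
```

Only the PFWR-PSBR-HPR and UAEGWR-HPR codes need information the log line cannot carry (whether the plugin or file really exists), which is why those two are the codes the page leaves for a backend troubleshooting tool rather than the frontend logger.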