Eli
Forum Replies Created
You can disable the protection for user enumeration on the Firewall Options page in your wp-admin.
Yes, that 55 second timeout is set in the plugin code and for good reason. You would not want to increase that timeout limit at all and if you did it would not extend the scan at all, it would actually just slow the scan down.
If you are interested in a more technical explanation then here is how it works. The complete scan process is started in your browser window and this parent process is responsible for overseeing the scan progress. Each step in the whole scan process is carried out by a child process that is started and monitored by the parent window. I am using the PHP function set_time_limit to make sure that each of these individual scan jobs does not get hung up or lost by the parent process (as might happen if I were to try to scan your whole server at once). None of these individual scan jobs should take more than 15 seconds and usually they are done in under 5 seconds, so if any of them are actually timing out at 55 seconds and have not returned any response to the parent process within 60 seconds then something went wrong with that child process and that part of the job is marked as incomplete and re-queued to be attempted again at the end of the scan. Under normal conditions you should see the progress bar jump forward a little bit every few seconds, and if it hangs on one or two folders for a full minute every once in a while then it should still be ok in the end, it just might take a little longer. However, if the progress bar is only updated every 60 seconds and it’s moving so slowly that it looks like it will take hours to complete then there is definitely something wrong with the server and the scan is not likely to successfully complete at all.
Please let me know if that explanation helps at all, and certainly let me know more about your situation if you feel that the scan is not progressing as it should. A screenshot of the scan progress is usually very helpful if something doesn’t look right. You can also contact me directly if you want to provide any sensitive or personal info that you would rather not post on this public forum.
eli AT gotmls DOT net
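The parent/child scan pattern described in the reply above, as an added illustration that is not the plugin's own code: the parent loop runs one child job at a time, waits at most a deadline for its answer, and re-queues a job that never responds so it is retried at the end of the scan. It is written in JavaScript because the parent side runs in the browser; the job names, result shapes and the `maxAttempts` limit are assumptions for the sample.

```javascript
// Added example (not the plugin's own code): a parent loop that dispatches
// child scan jobs one at a time, waits at most `deadlineMs` for a response,
// and re-queues any job that did not answer so it is retried at the end.

function runWithDeadline(job, deadlineMs) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve({ status: "timeout" }), deadlineMs);
  });
  const work = job()
    .then((result) => ({ status: "done", result }))
    .catch((error) => ({ status: "error", error })); // a crashed child counts as incomplete
  return Promise.race([work, timeout]).finally(() => clearTimeout(timer));
}

// jobs: [{ name, run }] where run() returns a Promise of the child's result
async function runScan(jobs, { deadlineMs = 60000, maxAttempts = 2, onProgress } = {}) {
  const queue = jobs.map((job) => ({ name: job.name, run: job.run, attempts: 0 }));
  const completed = []; // { name, result } in the order the parent received them
  const failed = [];    // jobs that never responded within maxAttempts tries
  while (queue.length > 0) {
    const entry = queue.shift();
    entry.attempts += 1;
    const outcome = await runWithDeadline(entry.run, deadlineMs);
    if (outcome.status === "done") {
      completed.push({ name: entry.name, result: outcome.result });
    } else if (entry.attempts < maxAttempts) {
      queue.push(entry); // marked incomplete; attempted again at the end of the scan
    } else {
      failed.push(entry.name);
    }
    if (onProgress) onProgress(completed.length, jobs.length); // progress bar hook
  }
  return { completed, failed };
}

// Constructed sample: three folder jobs; the uploads job loses its first
// response entirely (a hung child process) and only answers when retried.
function makeSampleJobs() {
  let uploadsCalls = 0;
  return [
    { name: "wp-content/themes", run: async () => ({ files: 12, threats: 0 }) },
    { name: "wp-content/uploads", run: () => {
        uploadsCalls += 1;
        return uploadsCalls === 1 ? new Promise(() => {})
                                  : Promise.resolve({ files: 40, threats: 1 });
      } },
    { name: "wp-includes", run: async () => ({ files: 30, threats: 0 }) },
  ];
}
```

Running `runScan(makeSampleJobs(), { deadlineMs: 50 })` completes the themes and wp-includes folders first and the uploads folder on its second attempt, which is the "hangs for a minute, then catches up" behaviour the reply describes.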
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Server error connection
Sorry for the inconvenience. My main server was down for about 5 hours this morning and I only now figured out that my fail-over server is not fully configured correctly to take over the definition update service. The main server has now been restored and all services should be functioning normally once again.
This incident has also prompted me to review my fail-over server to ensure that I will have a viable alternative in case this kind of outage occurs again. Thanks for your patience and understanding, and thanks for reporting this issue.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] WordPress trouble notice
Thanks for reporting this issue. Suppressing notices is a good solution, but I will fix the cause of this issue so that it will not come up again. Give me a day or two to finalize the changes for this next plugin update and I will release it with this issue resolved.
The other variants from this thread that were sent to me were added to my definition update. Your new variant is probably different in some significant way that makes it undetectable by most current malware definitions. Can you please send me a sample of the malicious code that you found on your site so that I can add your new variant to my definition updates?
You can email code samples or infected database backups directly to me:
eli AT gotmls DOT net
Thank you so much for reporting this False Positive to me. The code did match a few markers that were recognized in a malicious infection but I could tell that this file was not intended to be a threat and did not match the bigger picture of the original threat that this definition was created to find. So I have just updated the definition of this threat to exclude the pattern found in this file.
Please download the latest definition updates and confirm that this file is no longer identified as a Known Threat by my plugin.
Forum: Plugins
In reply to: [Anti-Malware Security and Brute-Force Firewall] Question for Eli
Thanks for checking in. I’m sorry to say that I am not much closer to having a BETA version available. The basic scanner is working fine on my own servers but it is not yet secure enough for me to release onto other platforms. I have had little time to work on that side of the new code as other pressing matters have taken precedence. I should be back on track soon but it will likely be a few more months until I have an update for you. Sorry again for the delay, I hope you can understand and appreciate your patience during this difficult time.
Your login page is secured using SSL with the address beginning with HTTPS:// but the form on that page submits your login to the unsecured URL starting with HTTP://, which is why you are getting that security warning in your browser, and also why there is no session persisting between the HTTPS version of your site and the HTTP version. That is why my login protection is blocking this login attempt. When I inspected the HTML form on that page and manually updated the URL to use HTTPS the form then worked properly for me and the only error I got was that I was using the wrong username or password (because, of course, I don’t know your username or password ;-)
You may need to update your SiteURL and HomeURL in your database to use your secure URL so that the login form posts your login to the secured URL.
Please let me know if you need any more help with this.
Oh, Just saw your last post here. I think I understand. You might be blogging about the /etc/shadow file, and that might be bad if that path was found in a hidden meta field all by itself, but because you are talking about it in the context of a paragraph of text it should be ok, right?
If this is the case and I am understanding the situation correctly then I certainly see your point and I will look for a solution to ignore that type of usage so as to avoid false positives like this one.
What about that image path with the ../ in it? Was that put there by a specific plugin or what?
DING! DING! DING! You found it! Thanks so much for sticking with it and finding the cause. I know you were about to give up and I personally really wanted to find out what the firewall was catching (mostly for my own peace of mind TBH).
Anyway, it is certainly that image path that is getting flagged by the firewall. Is there any reason why that field needs to have the ../ in the path and can’t just be a direct path to the image?
First, I don’t see how it could be caused by Cloudflare Proxies unless they are inserting a variable with a path that contains a directory transversal.
Slight correction here: disabling the Transversal module would not create a security risk, it would only stop blocking variables passed with Directory Transversal paths in them, which is only a problem if you have added something to your WordPress site that opens up a security hole creating that risk you are worried about. To be clear, if you don’t have any code that could process an insecure path in the first place then you don’t need this protection. I’ll admit though that this protection is generally important because most people add a lot of plugins and code that they don’t completely know inside and out and so they cannot be sure that they have not opened up some kind of security hole. That’s why it’s nice to have a firewall watching your back.
Why do you feel that it’s not correct to be redirecting attacks to my safe-load URL? I have done this because this type of redirect diverts the server load away from your server which is a critical feature of the Brute-Force Protection and is the reason why it not only prevents bots from guessing your password but also prevents a flood of bad login attempts from causing a DoS attack to your server.
If you cannot find any directory transversal fields on your Post Form then would you be willing to capture the HTML code rendered in your browser’s Inspector before you submit a test Post that you know will be blocked and then send me that HTML in a direct email so that I can test it and debug the firewall from my end?
eli AT gotmls DOT net
You can turn off directory transversal blocking on the firewall options page in your wp-admin, however it might be wise to investigate which plugin or code on your website has added hidden fields or values to your post forms that contain these directory transversal strings because this code could lead to a security issue on your website that you may not be aware of.
When you’re on the edit post page but before you submit the form which is being blocked you can inspect the elements on the page in search of any fields on that form that might contain “../” in the string values.
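The inspection step from the replies above (find which field of the post form carries a "../" path before it is submitted), as an added example that is not the plugin's code: it scans name/value pairs for a ".." path segment and reports the offending fields so the plugin or theme that injected them can be tracked down. The `collectFormFields` helper is for use in the browser console; the sample field list is constructed, and treating a URL-encoded "..%2F" as a hit is an assumption, not documented plugin behaviour.

```javascript
// Added example (not the plugin's code): find form fields whose values carry
// a "../" directory traversal sequence, the kind of hidden value the firewall
// blocks, so the plugin or theme that injected it can be identified.

const TRAVERSAL = /(^|[\\\/])\.\.([\\\/]|$)/; // "../" or "..\" as a whole path segment

function hasTraversal(value) {
  const raw = String(value);
  let decoded = raw;
  try { decoded = decodeURIComponent(raw); } catch (e) { /* keep raw on bad escapes */ }
  // Assumption: a URL-encoded "..%2F" is also worth flagging during inspection.
  return TRAVERSAL.test(raw) || TRAVERSAL.test(decoded);
}

// fields: array of { name, value } pairs, e.g. from collectFormFields()
function findTraversalFields(fields) {
  return fields
    .filter((f) => hasTraversal(f.value))
    .map((f) => ({ name: f.name, value: String(f.value) }));
}

// Browser console usage: findTraversalFields(collectFormFields(document.forms[0]))
function collectFormFields(form) {
  return Array.from(form.elements)
    .filter((el) => el.name)
    .map((el) => ({ name: el.name, value: el.value }));
}

// Constructed sample of a post form: body text merely mentioning a path is
// not flagged by this check; the hidden image field with "../" is.
const SAMPLE_FIELDS = [
  { name: "post_title", value: "Reading /etc/shadow safely" },
  { name: "content", value: "This post talks about the /etc/shadow file." },
  { name: "featured_image", value: "../wp-content/uploads/2019/hero.jpg" },
  { name: "encoded_path", value: "..%2Fconfig%2Fsite.json" },
  { name: "_wpnonce", value: "deadbeef00" },
];
```

`findTraversalFields(SAMPLE_FIELDS)` returns the `featured_image` and `encoded_path` entries; a plain "file..name" or an ordinary "images/photo.jpg" path is left alone.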
Thanks for your interest. Yes, I am still working on this feature. I am sorry that it is taking so long to get a scheduled scan option available but there have been quite a lot of difficulties in making something so automated that will work with the current scan engine and I am currently a one-man-show. For a long time I was trying to rework the code in the plugin to make a scheduling agent possible but this was not going to be easy to do. So now I have switched gears and I have designed a whole new scan engine that will integrate with a few different ways to automate scheduled scans. I am currently testing this new scanner in a controlled environment, then I will need to add the appropriate security and access controls to make it safe for use in the wild so that it can be tested on other hosting platforms. That is when I will need BETA testers and I would be happy to add you to the growing list of people who are interested if you can contact me directly via email. I had planned on having it ready for BETA testing in January but given the slow progress over the holidays and some other unforeseen changes in my personal life I am now looking at pushing that deadline out a few months to give myself more time to make sure the security is bulletproof before letting others test it.
Please contact me directly for further details and to be included in my list of BETA testers.
eli AT gotmls DOT net
You can hover over each file in the list of skipped files to see why it was skipped. If it is not on the list of standard file extensions to be skipped but it was skipped anyway then my guess would be that it was a 0 byte file, which is skipped because an empty file cannot contain malicious code 😉
My plugin offers various types of protection which are implemented in various ways, so the method for whitelisting would depend on the service being protected.
For example, the Brute-Force protection is included on the first line of your wp-config.php file when active, so the whitelisted IPs can be added to the array condition on that line if you want to exclude them from that protection. But I cannot think of a reason why you would need to or want to exclude multiple IPs from this protection, the default IP exclusion is meant to be a failsafe for your own IP in case of a lockout condition caused by an unexpected conflict.
A more common exception might be the XMLRPC Block which is optionally added to your .htaccess file when activated. For this you can simply add your desired IP addresses to the code block in that file, using the “allow from” and “require IP” statements that are already there.
If you need more help or have specific requirements that you are trying to allow then please write me back with specific examples or more information about your use of these whitelisted IPs so that I can provide a more specific solution.