codeling / bfstop

Brute Force Stop Plugin (for Joomla!)
https://bfstop.bfroehler.info
GNU General Public License v3.0

user blocked but not in blocked ip list #71

Closed ebohatch closed 10 years ago

ebohatch commented 10 years ago

I have a client on whose website I put this component. Recently she has gotten the message that her IP was blocked. If I disable the plugin she can access it. When I checked the blocked IP list her IP is not on that list. I added her IP to the whitelist and it still does not work. The only way to get her working again is to leave the plugin disabled. Also, while she was working from home on her laptop it blocked access to the site as well?? I currently have her DNS routing through Incapsula to block DDoS and miscellaneous others.

codeling commented 10 years ago

Whitelisting should take precedence over any block. Are you sure that the actual IP this client was using was entered?

Have you checked the bfstop log file? It should tell why that particular client was blocked if you set your loglevel to "Detailed Information" (see FAQ: https://github.com/codeling/bfstop/wiki/FAQ#wiki-how-do-i-turn-on-logging).

This might also come from the client using a Proxy server or VPN. That could lead to a different IP being recognized on server side.

ebohatch commented 10 years ago

Yeah, the outfit Incapsula may be what is causing the IP to change, but why is that not in the blocked IP list?? It is after the fact now, but if I turn on the log I should be able to get the IP that is being blocked, right? One suggestion: when the message/page is displayed that one's IP is blocked, it would be nice to also display the IP itself.

codeling commented 10 years ago

> It is after the fact now, but if I turn on the log I should be able to get the IP that is being blocked, right?

Exactly. That is, when you know when exactly the block happened. Otherwise it might be hard to map a concrete block to a specific attempt.

> One suggestion: when the message/page is displayed that one's IP is blocked, it would be nice to also display the IP itself.

Sounds good, I'll consider it for one of the next versions.

codeling commented 10 years ago

> Yeah, the outfit Incapsula may be what is causing the IP to change, but why is that not in the blocked IP list?

Not sure what an outfit Incapsula is - from their webpage I guess it's some kind of security appliance you just put in front of your webserver, right? Such an appliance would only be causing it to be blocked by bfstop if it modifies the client IP which the server sees. If it doesn't (which I think), it won't have an effect on bfstop's operation.

It still could be caused by a proxy (or VPN) used on client side (maybe you could ask your client about that)? You would see the proxy (or the gateway of the VPN) as blocked IP.

ebohatch commented 10 years ago

Incapsula allows one to block countries from accessing the website; it does seem to fail at that. I have had a user from Russia get in when all IPs from Russia should have been blocked. I have stopped using them and reset my nameservers back to my webhost. I had one user being blocked, I went to the admin component side and set that user to unblocked. I also added their IP to the whitelist. They were still being blocked. So I used phpMyAdmin and removed the IP from the blocked list and the whitelist and it seems to work fine now. But this morning I tried to log in to check on some stuff and it blocked my IP as having too many failed login attempts in a certain period of time. I logged in yesterday and did not have a single failed attempt indicated. I went in the MySQL table and deleted my IP from the blocked list. Now when I attempted to log in it tells me my user/password are incorrect. Had to log in as another SU and reset my password?? It was as if my password got changed?? Is this how it functions?

codeling commented 10 years ago

> But this morning I tried to log in to check on some stuff and it blocked my IP as having too many failed login attempts in a certain period of time. I logged in yesterday and did not have a single failed attempt indicated. I went in the MySQL table and deleted my IP from the blocked list. Now when I attempted to log in it tells me my user/password are incorrect. Had to log in as another SU and reset my password?? It was as if my password got changed?? Is this how it functions?

As far as I can tell, the password change was not through bfstop, the plugin does not contain any functionality in that direction. One possibility is that you were hacked in the meantime and this attacker changed your password?

Did you check the blocked list for when that block occurred? Could you also check your failed login attempts list for the corresponding attempts?

Do you have a logfile available from that time? It would definitely be very interesting to know what was going on there.

> I had one user being blocked, I went to the admin component side and set that user to unblocked. I also added their IP to the whitelist. They were still being blocked. So I used phpMyAdmin and removed the IP from the blocked list and the whitelist and it seems to work fine now.

Is that reproducible? Actually, the whitelist should take precedence over anything else, so at the moment I have no idea how that could happen.

ebohatch commented 10 years ago

I just looked at the failed attempt log file for my own IP (184.20.216.147); there were only 4 items in the file, 2 dated yesterday 3/5 and 2 dated today 3/6. I can see that we seem to have MANY login attempts with the user name admin and the site name thecity1. I had already removed the user admin a while back; there never was one for user thecity1. If it was possible for a hacker to get in, how would I track it down?

codeling commented 10 years ago

> I just looked at the failed attempt log file for my own IP (184.20.216.147); there were only 4 items in the file, 2 dated yesterday 3/5 and 2 dated today 3/6.

So there were failed attempts (by you?). And I guess the number of allowed failed attempts is set to 4?

> I can see that we seem to have MANY login attempts with the user name admin and the site name thecity1. I had already removed the user admin a while back; there never was one for user thecity1.

Of course, the default admin user would be the primary target of such attempts; many sites still have such a user, and he usually has administrative rights. As for thecity1, I have also seen some weird usernames being used; some attack scripts out there seem to take arbitrary bits of domain name and/or site content and try them as user name. Does the domain your site is available under maybe contain thecity1?

> If it was possible for a hacker to get in, how would I track it down?

That's a tricky question. If somebody brute-forced your account, you should see some attempts for your username (are there any such?). But if somebody guessed your password or e.g. hacked your mail account first and used the password reset functionality, there would be no way for the plugin to notice anything.
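The mechanics discussed in this thread (a whitelist that must win over any block, a fronting service or proxy changing the IP the server counts, and reading a failed-login log to see which usernames were tried from which address) are easy to get wrong, so here is a small added example in Python. It is not bfstop's own code and does not use its database tables or log format; the `timestamp|ip|username` record shape, the `X-Forwarded-For` handling, the IP addresses, usernames and timestamps are all constructed for the example.

```python
"""Added example (not bfstop's code): block decisions from failed-login records,
with the whitelist taking precedence and attempts counted per source IP within
a time window. All addresses, usernames and timestamps are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-login records in the assumed shape "timestamp|ip|username".
SAMPLE_LOG = """\
2014-03-06 08:01:10|203.0.113.7|admin
2014-03-06 08:01:12|203.0.113.7|thecity1
2014-03-06 08:01:15|203.0.113.7|admin
2014-03-06 08:01:20|203.0.113.7|administrator
2014-03-06 09:30:00|198.51.100.4|editor
2014-03-05 17:00:00|198.51.100.4|editor
"""


def parse_log(text):
    """Turn the record text into (timestamp, ip, username) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user = line.split("|", 2)
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user))
    return records


def effective_client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """Return the address that failed attempts should be counted against.

    Only when the TCP peer is a trusted fronting proxy (for example a
    DDoS-protection service placed in front of the site) is X-Forwarded-For
    consulted; from anyone else the header is client-controlled and ignored.
    Without this, every visitor behind the proxy shares one counted IP and
    one visitor's failures can lock everybody out.
    """
    if remote_addr in trusted_proxies and x_forwarded_for:
        # The first entry is the original client as recorded by the proxy.
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def should_block(ip, records, now, whitelist=(), max_attempts=4,
                 window=timedelta(hours=1)):
    """Whitelist wins over everything; otherwise block once the number of
    failed attempts from `ip` within `window` before `now` reaches
    `max_attempts` (4 here, matching the count discussed in the thread)."""
    if ip in whitelist:
        return False
    cutoff = now - window
    count = sum(1 for ts, rip, _ in records if rip == ip and cutoff <= ts <= now)
    return count >= max_attempts


def usernames_tried(records):
    """Map each source IP to the usernames it tried, so attempts against
    accounts that do not exist (a removed 'admin', a fragment of the site
    name) stand out from a legitimate user mistyping their own password."""
    seen = defaultdict(set)
    for _, ip, user in records:
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    at = datetime(2014, 3, 6, 8, 30, 0)
    for addr in ("203.0.113.7", "198.51.100.4"):
        print(addr, "blocked:", should_block(addr, recs, at),
              "tried:", usernames_tried(recs).get(addr, []))
    print("whitelisted:", should_block("203.0.113.7", recs, at,
                                       whitelist=("203.0.113.7",)))
```

Running it shows the constructed `203.0.113.7` blocked after its four attempts at `admin`, `administrator` and `thecity1`, unblocked as soon as it is whitelisted, and `198.51.100.4` never blocked because its two failures are a day apart. The `effective_client_ip` helper is the piece that matters when a fronting service sits in front of the web server: if the service rewrites the source address, the plugin sees the service's IP, and the address in the blocked list is not the one the user expects.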

codeling commented 10 years ago

Is there any new information on this, can you answer the questions stated above? Were those four failed login attempts you've seen in the logfile from you? Did you manage to try the whitelisting again?

Without any more concrete information, I'll have to close this issue as not being reproducible.

codeling commented 10 years ago

I have put up a new (BETA!) version with some improvements, for example the ability to print the client IP address along with the block message (get it here: https://github.com/codeling/pkg_bfstop/raw/1.3.0beta1/pkg_bfstop.zip).

Let me know if that helps.

codeling commented 10 years ago

Final version 1.3.0 is available now - it can provide the IP address in the blocked message (if enabled in the plugin settings). Would be great if you could test again with that version!

codeling commented 10 years ago

Is this still an issue? Did the IP address in the blocked message help resolve it?

ebohatch commented 10 years ago

Close this, appears to be working fine now.