• Resolved strategia

    (@strategia)


    I use a text file for all my banned users so that I can have the same list on various sites even though the banning comes from different sites of mine. Hope that’s clear.

    This morning when I pasted the latest list into one of the sites, all the wildcard addresses were rejected:
    120.24.64.* is not a valid address in the ban users box.
    176.240.96.* is not a valid address in the ban users box.
    183.60.244.* is not a valid address in the ban users box.
    202.46.49.* is not a valid address in the ban users box.
    5.234.55.* is not a valid address in the ban users box.
    5.45.77.* is not a valid address in the ban users box.
    50.63.196.* is not a valid address in the ban users box.
    54.*.*.* is not a valid address in the ban users box.
    60.50.142.* is not a valid address in the ban users box.
    88.231.229.* is not a valid address in the ban users box.
    92.63.88.* is not a valid address in the ban users box.

    This list, along with these exact copy/paste wildcards, is accepted on all my other iThemes-using sites.

    Can anybody give me some feedback please?

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 15 replies - 1 through 15 (of 21 total)
  • Please empty the “Ban Hosts” box and then click on the “Save All Changes” button.

    Now try and enter one of those wildcard addresses manually (no copy\paste) and click on the “Save All Changes” button.

    dwinden

    Thread Starter strategia

    (@strategia)

    I don’t think it’s the same site that I reported the problem with. Until today all my iThemes sites allowed me to cut n paste the entire list (including wildcards) without any problem.

    Now I just did as dwinden asked. I deleted all addresses from the box (just updated the plugin, I think it’s the new version that is now not accepting the cut n paste). I was able to get the single address, that I keyed into the box, accepted.

    But when I again tried the entire list cut n paste, the wildcards were all rejected again.

    It’s hard enough having to update my list across a number of sites so I won’t be keying them in one-by-one.

    Is there no way to get back to having the list accepted with the new version?

    I’ve been able to reproduce the issue even when entering the address manually. It looks like the issue will only reproduce in iTSec plugin 4.6.8

    It seems that there have been some code changes in the validates_ip_address() function that cause this issue.

    Still testing to determine which change broke the function.

    dwinden

    Follow the instructions below to fix this issue in iTSec 4.6.8:

    – Make a safety copy of the following file:
    wp-content/plugins/better-wp-security/core/class-itsec-lib.php
    – edit the mentioned file and search for the line below:

    public static function validates_ip_address ( $ip ) {

    – Make sure the cursor is inside the validates_ip_address() function and then search for:

    if ( '*' === $part ) {

    and replace it with:

    if ( '*' !== $part ) {

    – repeat the previous step once more.

    – Save the changed file.

    In short: replace in function validates_ip_address() the starting = char with ! char in “case 3” and “case default” code blocks, first if statement.

    dwinden

    Thread Starter strategia

    (@strategia)

    still struggling, dwinden,

    I searched for this (cut n pasted from your advice above)
    public static function validates_ip_address ( $ip ) {

    …but it can’t be found. This string in the file has a space before the (
    public static function validates_ip_address( $ip ) {

    I guessed that’s what you were pointing to so I changed as advised in both places. But now all my addresses are being rejected.

    It says “There is a problem with an IP address in the white list:
    [my IP] is not a valid address in the white list users box.”

    So I searched and found both mentions of whitelist on the settings page. I both added/saved it then removed/saved to try to clear the first box and made sure the second was empty – no url at all.

    This removed the warning I quoted above but still all url/s are rejected and they still show as red rejected after those two saves. My url is not in the Ban list. BTW before making the code changes, the new version of the plugin was only rejecting wildcards. It accepted the rest but now they are all rejected.

    Why was this changed in the upgrade anyway? Was there a security problem? Is there any other way to have a Ban list that is shared across my sites?

    So far, I have no banned users after the latest upgrade.

    I’d like to permanently ban anyone who tries “admin” but at the moment the plugin only bans them temporarily; am I missing something, there?

    I try to have the same settings on all my sites so it would be a very fine thing to be able to export and import the settings rather than take all the time required to set up each instance of the plugin… just wishing.

    My apologies for the inconvenience of the typo …
    Anyway using common sense it can be overcome which is what you did.

    If only iThemes would properly test their code before releasing it …

    The message you now get is not because of a bad ip address in the “Ban Hosts” box of the “Banned Users” metabox (which is the issue as initially reported in this topic), but it is displayed because there is an invalid ip address detected in the “Lockout White List” box of the “Global Settings” metabox. Simply correcting the invalid ip address in the “Lockout White List” box of the “Global Settings” metabox should fix the message.

    That said there are to my knowledge 3 issues related to the “Ban Hosts” box of the “Banned Users” metabox (and who knows how many other issues introduced in 4.6.8):

    – The known issue as introduced by the iTSec 4.6.8 release.
    Basically wildcard addresses specified in the “Ban Hosts” box of the “Banned Users” metabox are all being reported as invalid ip addresses.
    (Since both the “Lockout White List” box of the “Global Settings” metabox and the “Ban Hosts” box of the “Banned Users” metabox are using the same class function\method (validates_ip_address()) for validating ip addresses fixing the code in this single class function\method will solve the issue for both).

    The messages displayed are (if at all):

    120.24.64.* is not a valid address in the ban users box.
    176.240.96.* is not a valid address in the ban users box.
    183.60.244.* is not a valid address in the ban users box.

    I’m confident the fix as described in this topic (if applied correctly) solves the issue.

    – Then there is an issue that the error message of the first issue is only displaying half of the full message or no message at all. By the way this was already an issue before 4.6.8 being released.

    The full message displayed should be:

    Note that the ban users feature has been disabled until the following errors are corrected:

    120.24.64.* is not a valid address in the ban users box.
    176.240.96.* is not a valid address in the ban users box.
    183.60.244.* is not a valid address in the ban users box.

    The fix for this issue can be found in this topic:

    https://www.ads-software.com/support/topic/failure-to-write-banned-users-to-htaccess

    – The third issue is that when an invalid ip address is specified in the “Lockout White List” box of the “Global Settings” metabox all wildcard addresses specified in the “Ban Hosts” box of the “Banned Users” metabox will be incorrectly reported as white listed ip addresses.
    This too was already an issue before 4.6.8 was released.

    The messages displayed are:

    There is a problem with an IP address in the white list:

    111.111.111-111 is not a valid address in the white list users box.

    Note that the ban users feature has been disabled until the following errors are corrected:

    120.24.64.* is not a valid address as it has been white listed.
    50.63.*.* is not a valid address as it has been white listed.
    54.*.*.* is not a valid address as it has been white listed.

    There is a fix for the first 2 issues. I’m still looking into the third issue.
    I’m not an iThemes employee so I’m sorry I cannot answer all of your questions.

    However I do have an answer to this question:

    I’d like to permanently ban anyone who tries “admin” but at the moment the plugin only bans them temporarily; am I missing something, there?

    Reading my post in this topic should help:

    https://www.ads-software.com/support/topic/auto-ban-admin-user-not-working

    Then finally a small request. To make things easier for ourselves please try and open a separate topic for every issue.

    dwinden

    Oops …
    It turns out there are 3 occurrences of the second search string in the validates_ip_address() class function\method:

    if ( '*' === $part ) {

    So following my previous fix instructions for the issue as reported in this topic you probably did not fix it properly.
    My apologies for the inconvenience.

    So there are 3 occurrences of the search string.
    Only the 2nd and 3rd should be changed.
    Skip the first 1.

    In short: replace in function validates_ip_address() the starting = char with ! char in “case 3” and “case default” code blocks, first if statement.
    Do not change the string in “case 2” code block.

    Phew …

    dwinden

    Thread Starter strategia

    (@strategia)

    this is doing my head in, dwinden. BTW I am absolutely not putting anything on you – I really appreciate all the effort you are making to help me. Very much appreciated. And I will open new topics – thank you for the heads-up.

    Today, I replaced the changed file with the backup and then opened that to do the new edits. BUT Notepad++ could only find one instance when yesterday it found at least 2!! I again tried a shorter search string with no luck – it could only find the instance on line 880. This is crazy.

    I tried a different site and again it only sees the one on line 880. As far as I can tell, I’m doing exactly what I did yesterday.

    I copied the file into NoteTab and tried there, only 1 instance – line 880

    https://dl.dropboxusercontent.com/u/13053940/replace-string.png

    I am doing something obviously wrong but it’s not OBVIOUS to me. Help.

    Hi,
    I had the same problem 8 months ago:
    https://www.ads-software.com/support/topic/bug-in-settings-ban-host-field-with-wilcards-ip?replies=10#post-6604213
    It has been resolved, but with the last 2 updates, it has come again…

    So I have gone back to version 4.6.4

    best regards

    Loïc

    @strategia

    Attached the fixed 4.6.8 file:

    https://orcl0610.home.xs4all.nl/class-itsec-lib.zip

    Download the fixed file, since it is a FAKE zip file (to facilitate the download of a .php file) rename it to class-itsec-lib.php after downloading it. Then it’s ready to be copied to the wp-content/plugins/better-wp-security/core folder (overwriting the existing file).

    dwinden

    @dwinden
    Hi,
    Does this file resolve this problem totally?
    Lo

    Let me add a post that will TOTALLY document the issue as reported in THIS topic. The issue was found to be introduced in iTSec plugin 4.6.8
    This way there cannot be any misunderstanding about it.

    Problem description:
    Previously valid wildcard addresses entered into:

    – the “Lockout White List” box of the “Global Settings” metabox

    – the “Ban Hosts” box of the “Banned Users” metabox

    suddenly start generating errors in the latest iTSec 4.6.8 plugin when attempting to save settings by clicking on the “Save All Changes” button. Settings are subsequently not saved.
    Simply put: ip addresses with wildcard(s) are no longer accepted.

    For ANY wildcard addresses in the “Lockout White List” box of the “Global Settings” metabox the following message is displayed:

    There is a problem with an IP address in the white list:

    120.24.64.* is not a valid address in the white list users box.

    For ANY wildcard addresses in the “Ban Hosts” box of the “Banned Users” metabox the following message is displayed:

    176.240.96.* is not a valid address in the ban users box.

    So if you have ANY wildcard addresses entered into BOTH boxes you’ll get both errors …

    In addition to the error messages being displayed, in case of the “Ban Hosts” box in the “Banned Users” metabox the “Ban Users” checkbox is also disabled.

    The (hopefully temporary) fix is to replace the wp-content/plugins/better-wp-security/core/class-itsec-lib.php file with a fixed version which can be downloaded from here.
    (Rename the downloaded and FAKE .zip file to .php and then copy it to the right location).

    There is another minor\old issue (it still exists in the latest release but it was NOT introduced in iTSec 4.6.8) which is described in this topic (including a fix):

    https://www.ads-software.com/support/topic/failure-to-write-banned-users-to-htaccess

    dwinden

    Thread Starter strategia

    (@strategia)

    @dwinden

    You are a star. Thank you. So far I’ve only done the one site but that one accepted my cut n paste list with wildcards.

    Can’t tell you how much I appreciate the work and help you have given. I wish you were running ithemes so we didn’t have all this crazy time wasting.

    Now to do all the others ??

    @strategia

    Happy to hear you finally managed to get this issue under control.

    Please add [BUG!-4.6.8] at the start of this topic’s title so iThemes will hopefully notice and fix it.

    dwinden

    Wow, this was a lifesaver for me. Thanks, dwinden.
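An added example, not part of the thread and not the plugin's code: a pre-flight check for a shared ban-list text file like the one discussed above, run before pasting it into the “Ban Hosts” box so that one bad entry or a whitelist overlap is caught offline. The wildcard rule it enforces (trailing `*` octets only) is an assumption, not the logic of validates_ip_address(), and the whitelisted address is constructed.

```python
import ipaddress

def wildcard_to_network(entry):
    """Return the IPv4 network for an 'a.b.c.*' style entry, or None if invalid.

    Assumed rule: four dot-separated parts, each 0-255 or '*', and once a '*'
    appears every later part must also be '*'.
    """
    parts = entry.strip().split(".")
    if len(parts) != 4:
        return None
    octets, seen_star = [], False
    for part in parts:
        if part == "*":
            seen_star = True
            continue
        if seen_star or not (part.isascii() and part.isdigit()) or int(part) > 255:
            return None
        octets.append(str(int(part)))  # normalise leading zeros
    if not octets:  # '*.*.*.*' would cover every address
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + "/" + str(8 * len(octets)))

def check_ban_list(ban_lines, whitelist):
    """Split ban entries into (valid, invalid, conflicts-with-whitelist)."""
    white = [ipaddress.ip_address(w) for w in whitelist]
    valid, invalid, conflicts = [], [], []
    for line in ban_lines:
        entry = line.strip()
        if not entry:
            continue
        net = wildcard_to_network(entry)
        if net is None:
            invalid.append(entry)
        elif any(w in net for w in white):
            conflicts.append(entry)  # banning this range would cover a whitelisted IP
        else:
            valid.append((entry, str(net)))
    return valid, invalid, conflicts

# Ban entries taken from the thread; the whitelist address is constructed.
SAMPLE_BAN = ["120.24.64.*", "54.*.*.*", "50.63.196.*", "111.111.111-111"]
SAMPLE_WHITE = ["54.0.2.10"]

if __name__ == "__main__":
    for label, items in zip(("valid", "invalid", "conflicts"),
                            check_ban_list(SAMPLE_BAN, SAMPLE_WHITE)):
        print(label, items)
```

The CIDR form printed next to each valid entry also shows how much address space a wildcard covers: `54.*.*.*` is a /8.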

  • The topic ‘Banned users wildcard suddenly not accepted’ is closed to new replies.