iThemes Security causes 500 internal server error – invalid IP

  • I have had a 500 Internal Server error on my blog twice recently. Looking at the error log it was caused by an invalid IP address in .htaccess.

    Deleting the following lines from .htaccess fixed the issue:
    Require not ip 2001:41d0:0008:0996:0000:0000:0000:0000
    Deny from 2001:41d0:0008:0996:0000:0000:0000:0000

    This part, which has the same IP, doesn’t seem to cause issues:

    SetEnvIF REMOTE_ADDR “^2001:41d0:0?0?0?8:0?996:(0{0,4}:){0,3}(0{0,4})?$” DenyAccess
    SetEnvIF X-FORWARDED-FOR “^2001:41d0:0?0?0?8:0?996:(0{0,4}:){0,3}(0{0,4})?$” DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP “^2001:41d0:0?0?0?8:0?996:(0{0,4}:){0,3}(0{0,4})?$” DenyAccess

    This is all added in the iThemes Security section of .htaccess. How can I stop the 500 Internal Server error from happening again?

Viewing 13 replies - 1 through 13 (of 13 total)

  • @silentsal

    There doesn’t seem to be anything wrong with those lines.
    Look for any additional errors in the web server error_log.

    Also note that these .htaccess entries are added because that IP address was banned by the iTSec plugin. This means the IP address was added to the list of IPs banned in the Banned Users module.

    After manually deleting ALL ban rules lines in the .htaccess file, to prevent the issue from reoccurring, you should also remove the banned IP address(es) in the Banned Users module.
    If you don’t you run the risk of the ban rules for that same IPv6 address being added again to the .htaccess file…

    Thread Starter silentsal

    (@silentsal)

    @pronl Thanks for the reply!

    Weird… There weren’t any other errors. And since removing those lines resulted in the 500 error resolving it implies to me that the IP address caused the issue.

    Maybe it’s something to do with the fact it’s an IPv6 address? *scratches head*

    Thanks for the heads up re removing the IP address from the Banned Users module. I have now done that.

    Hopefully I won’t have any more problems.

    @silentsal

    Yes, it seems the web server is definately having a problem with the specified IPv6 address. Though it’s not clear whether it’s specific for this IP address or for IPv6 addresses in general …

    What is the Apache web server version you are using (and what server OS is it running on)?

    You may have to contact your hosting provider to get to the bottom of this.

    Thread Starter silentsal

    (@silentsal)

    @pronl

    It’s Hostgator shared hosting.

    As far as I can make out, the Apache version is 2.2.24 / 2.2.25

    OS is Linux CentOS 6

    Will contact Hostgator support if it happens again.

    @silentsal

    Ok, I see. Switching to Apache 2.4.x could be a step in the right direction.

    I did a quick test (using your failing IPv6 address) on Apache 2.4.18 and it’s no problemo there … ??

    For other obvious reasons as well I think it is certainly worth the time spend to contact Hostgator and explore the possibilities of switching to Apache 2.4.x

    Thread Starter silentsal

    (@silentsal)

    @pronl

    Thanks for testing it ??

    I doubt Hostgator will switch my sites to Apache 2.4.x for free. I guess that’s one of the pitfalls of shared hosting! :-/

    • This reply was modified 8 years, 1 month ago by silentsal.

    Just wanted to drop a quick “me too” here in the hopes the IThemes Security devs see it. Also hosting with the same shared hosting (so upgrades to newer versions of Apache probably not in the cards on a customer-by-customer basis).

    It looks like an IPv6 address got flagged via the plugin, it gets written to .htaccess, and then the older Apache doesn’t know what to do with the “Require not ip” stanzas that include the IPv6 address.

    Can I humbly request a setting that prevents IPv6 addresses from being captured as a banned used for just this use case? At the moment this means that it is possible to have the IThemes Security break an entire site if it bans an IPv6 host.

    Thanks!

    — dNb

    @dnb – Per the forum guidelines please don’t jump into the middle of another user’s topic; start your own instead:
    https://make.www.ads-software.com/support/handbook/forum-welcome/#post-in-the-best-place

    Also, posting a reply here does not “bump” this topic to the top of the list. If you want exposure for your issue post a new topic so it goes on the “No Replies” list.

    @bdbrown

    Sorry, so confused.

    I was confirming the previous person’s report and adding a few more details to it. I was not attempting to jump in the middle or raise its exposure, just wanted to provide more info to the developer.

    @dnb

    The iTSec plugin encloses the new Apache authorization directives in a Configuration Section Container like <IfModule mod_authz_core.c>…</IfModule>.

    So since the mod_authz_core.c module is non existant in Apache 2.2.x any directives enclosed in such container should normally be ignored.

    Still it doesn’t seem to like the IPv6 format …

    @dnb

    You could try and replace the IPv6 address with a compressed format.

    So (using the IPv6 address provided by the topic creator) instead of:

    Require not ip 2001:41d0:0008:0996:0000:0000:0000:0000
Deny from 2001:41d0:0008:0996:0000:0000:0000:0000

    Compress like this:

    Require not ip 2001:41d0:8:996::
Deny from 2001:41d0:8:996::

    Hi @pronl

    Thanks for your response. I think one that that may not have been clear from @silentsal ‘s original post and my followup was the IPv6 addresses were added automatically to the banned user list (and thus the .htaccess file) by the plugin (probably someone fell afoul of one of the other features like blocking if someone tries to use “admin”). I have no desire to add those addresses manually for the time being, so using the compact format while being a good idea, probably doesn’t address the problem for me. I’d prefer an option to simply drop the IPv6 banned host on the floor (until Hostgator upgrades its version of Apache).

    I agree that it is strange that the mod_authz_core.c test doesn’t cause Apache to skip that stanza.

    — dNb

    • This reply was modified 7 years, 11 months ago by dnb.

    (as an aside, if you look at the HTTP response from their servers, it identifies as Ngnix. I’m guessing they are using it to load balance or at least reverse proxy to their older Apache servers)

    • This reply was modified 7 years, 11 months ago by dnb.
Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘iThemes Security causes 500 internal server error – invalid IP’ is closed to new replies.