• We run both iQ Block Country and iThemes Security to protect our site. Earlier today I got a notification from iThemes that IP 37.48.124.116 had been blocked from logging in.

    That IP is in the Netherlands. When I ask iQ Block Country to check it, it correctly reports that it's from the Netherlands, which I have configured to be blocked from backend access. Checking the Logging tab I do not see that IP listed in the block list. I see other IPs from dates/times before that blocked attempt but not that one.

    How is it that iQ Block Country did not block an IP that it clearly can identify/map? Is that due to some random plug-in calling by WordPress so iQ Block Country gets called first sometimes and 2nd other times?

    https://www.ads-software.com/plugins/iq-block-country/

Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Author Pascal

    (@iqpascal)

    Can you access the raw log files of your webserver?

    Thread Starter plasmarobotics2403

    (@plasmarobotics2403)

    I can. There is only one log record for that IP:

    37.48.124.116 - - [04/Sep/2015:08:42:56 -0400] "POST /wp-login.php HTTP/1.1" 403 229 "https://www.plasmarobotics.org/wp-login.php" "Parser::Template::Auto=CODE(0xace0590)"

    I also checked the iqblock_logging table for that IP and find 0 hits.

    Plugin Author Pascal

    (@iqpascal)

    And was that around the same time you got a notification from iThemes?

    In that case the visit was blocked (with a 403 code) but for some reason it was not logged.

    Thread Starter plasmarobotics2403

    (@plasmarobotics2403)

    Yes, that was when I got the iThemes notification.

    When I check the iQ Block Country log I do not see anything logged for Sep-4. The sorted log shows only the day before and the day after:

    2015-09-03 00:22:06 185.30.27.164 GB /wp-login.php B
    2015-09-05 00:18:56 207.35.85.163 CA /wp-login.php B

    I just checked the CGI error log and it shows a bunch of errors reported for iQ Block Country for those dates. They are all the same:

    20150905T060501: news.plasmarobotics.org/wp-login.php
    PHP Warning: Cannot modify header information – headers already sent by (output started at /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-login.php:61) in /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-content/plugins/iq-block-country/libs/blockcountry-checks.php on line 291
    PHP Warning: Cannot modify header information – headers already sent by (output started at /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-login.php:61) in /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-content/plugins/iq-b

    Thread Starter plasmarobotics2403

    (@plasmarobotics2403)

    I just thought to check the CGI error log and I find a bunch of errors logged for iQ Block Country around that date:

    20150903T032206: plasmarobotics.org/wp-login.php
    PHP Warning: Cannot modify header information – headers already sent by (output started at /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-login.php:61) in /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-content/plugins/iq-block-country/libs/blockcountry-checks.php on line 268
    PHP Warning: Cannot modify header information – headers already sent by (output started at /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-login.php:61) in /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-content/plugins/iq-b

    20150905T060501: news.plasmarobotics.org/wp-login.php
    PHP Warning: Cannot modify header information – headers already sent by (output started at /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-login.php:61) in /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-content/plugins/iq-block-country/libs/blockcountry-checks.php on line 291
    PHP Warning: Cannot modify header information – headers already sent by (output started at /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-login.php:61) in /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-content/plugins/iq-b
    20150906T034250: plasmarobotics.org/wp-login.php
    PHP Warning: Cannot modify header information – headers already sent by (output started at /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-login.php:61) in /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-content/plugins/iq-block-country/libs/blockcountry-checks.php on line 291
    PHP Warning: Cannot modify header information – headers already sent by (output started at /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-login.php:61) in /hermes/bosnaweb08a/b396/ipg.plasmaroboticsorg/wp-content/plugins/iq-b

    Plugin Author Pascal

    (@iqpascal)

    From the FAQ:

    I get “Cannot modify header information – headers already sent” errors

    This is possible if another plugin or your template sends out header information before this plugin does. You can deactivate and reactivate this plugin, it will try to load as the first plugin upon activation.

    If this does not help you out deselect “Send headers when user is blocked”. This will no longer send headers but only display the block message. This however will mess up your website if you use caching software for your website.

    Thread Starter plasmarobotics2403

    (@plasmarobotics2403)

    From your reply it sounds as if WordPress will call plugins in the reverse order they are activated. iQ Block Country was the last one added and activated. I did as you suggested and deactivated and reactivated it to see if it fixes the “Cannot modify header information” issue. If not then I will try the other option. (We do not use a CDN so we do not have any caching to worry about.)

    In the meantime I am seeing a LOT of blocks in iThemes but only a few in the iQ Block Country log. Is that because if iThemes blocks the access then iQ Block Country does not even get a chance to block it (and vice versa) or should I see log entries from both plugins when someone from a banned country attempts to log in as me?

    Plugin Author Pascal

    (@iqpascal)

    I have tested this with iThemes in my own setup. The request is also handled by iThemes but is (also) blocked by iQ Block Country in my case.

    They are both logged in iQ Block Country as well as in iThemes. But iThemes logs 1 login attempt 6 times in my case.

    Thread Starter plasmarobotics2403

    (@plasmarobotics2403)

    Duplicate log entries do not concern me. I expect them since I run 2 security plugins. What does concern me is the lack of at least 1 matching entry for any IP that meets the security criteria from each plugin.

    I updated to iThemes 5.0.1 last night and waited all day to analyze the results. Tonight I compared the logs from both plugins. After removing the US IP addresses from the iThemes log here is what I see:

    iThemes:
    2015-09-16 14:41:16 217.66.106.211 Ukraine
    2015-09-16 13:46:39 149.202.42.188 France
    2015-09-16 13:46:20 85.10.210.199 Germany
    2015-09-16 02:37:51 185.100.84.82 Romania

    iQBC:
    2015-09-16 14:41:16 217.66.106.211 Ukraine
    2015-09-16 06:16:56 37.59.100.133 France

    The first IP they both logged. After that iThemes logged 3 IPs that iQBC did not and iQBC logged 1 IP that iThemes did not.

    Checking the server logs I see that the one iQBC logged from France did not attempt to log in. They did GETs on my wp-login.php, which is why iThemes did not log them but iQBC did (Yay!). The server logs show the 3 IPs iQBC did not block were all POSTs to my wp-login.php. Checking the IPs on the iQBC Tools tab correctly identifies the country of origin.

    Is there any way to determine why those 3 backend attempts were not logged by iQBC?

    Bruce
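
The manual comparison described in the post above (server access log against the iQ Block Country log) can be scripted. This is an added example, not part of the thread or of either plugin: the sample lines are constructed in the two log formats shown on this page, the function names are hypothetical, and it assumes the plugin log uses the server's local clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data in the two formats shown in the thread
# (documentation-range IPs, not real visitors).
ACCESS_LOG = '''\
203.0.113.10 - - [16/Sep/2015:14:41:16 -0400] "POST /wp-login.php HTTP/1.1" 403 229 "-" "ua"
198.51.100.7 - - [16/Sep/2015:13:46:39 -0400] "POST /wp-login.php HTTP/1.1" 403 229 "-" "ua"
198.51.100.9 - - [16/Sep/2015:06:16:56 -0400] "GET /wp-login.php HTTP/1.1" 403 229 "-" "ua"
192.0.2.44 - - [16/Sep/2015:09:00:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "ua"
'''
PLUGIN_LOG = '''\
2015-09-16 14:41:16 203.0.113.10 UA /wp-login.php B
2015-09-16 06:16:56 198.51.100.9 FR /wp-login.php B
'''

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_access(text):
    """Yield (local_time, ip, method, path, status) from combined-format lines."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            # Assumption: the plugin log uses the server's local clock, so the
            # UTC offset is parsed and then dropped to compare wall-clock times.
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
            yield ts, m['ip'], m['method'], m['path'].split('?')[0], int(m['status'])

def parse_plugin(text):
    """Yield (time, ip, path) from 'date time ip country path action' lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5:
            yield datetime.strptime(f'{f[0]} {f[1]}', '%Y-%m-%d %H:%M:%S'), f[2], f[4]

def unlogged_requests(access_text, plugin_text, path='/wp-login.php',
                      window=timedelta(seconds=5)):
    """Return access-log hits on `path` with no plugin entry for that IP within `window`."""
    logged = [(t, ip) for t, ip, p in parse_plugin(plugin_text) if p == path]
    missing = []
    for ts, ip, method, p, status in parse_access(access_text):
        if p == path and not any(ip == lip and abs(ts - lt) <= window for lt, lip in logged):
            missing.append((ts.isoformat(sep=' '), ip, method, status))
    return missing

if __name__ == '__main__':
    for row in unlogged_requests(ACCESS_LOG, PLUGIN_LOG):
        print(*row)
```

The rows returned still need a country lookup, since requests from allowed countries are expected to be absent from the plugin's block log.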

    Plugin Author Pascal

    (@iqpascal)

    I am curious if you still see this with v1.1.21.

    I changed the position where the plugin logs the action it takes. I expect the same results as this should not matter. But still curious.

    Using the post method or the get method should not matter either. The plugin should catch both ways.

    Thread Starter plasmarobotics2403

    (@plasmarobotics2403)

    My apologies for the delay. I was busy dealing with some work-related issues and overlooked my note to respond last week.

    I still see the same behavior with 1.1.22. I upgraded and waited a few days to see if there would be any differences in the logs. Again I see several entries in the iThemes / server logs that I do not see in the iQBC log.

    For the first 5 days in October iQBC logged only 3 IPs (1 from Russia and 1 from Sweden that tried twice). I see those same IPs in the other logs plus 12 more IPs from all over Europe that should have been caught / logged. I checked over half with iQBC and it accurately detects the countries (e.g. 91.219.236.222 is Hungary) so it's clearly not that they are not being mapped to a country.

    Is there any extra logging I can enable to help understand why not all the rejectable IPs are getting logged?

    Bruce

    Plugin Author Pascal

    (@iqpascal)

    No, that logging is not yet built in. Because it will log every request it will cost resources.

    But I will think of a way to log all requests, the country and what iQ Block Country does with it. In a way a user could choose to log it or not.

    Thread Starter plasmarobotics2403

    (@plasmarobotics2403)

    I volunteer my site for testing anything you come up with since I have a steady stream of unwanted visitors.

    Bruce

    Plugin Author Pascal

    (@iqpascal)

    Do you only see this when you block the backend, or also when you block the frontend?

    Thread Starter plasmarobotics2403

    (@plasmarobotics2403)

    I only block them from the backend. The frontend is unrestricted. I can enable frontend blocks if you think it would help resolve this.

  • The topic ‘Login attempts from blocked countries get past the plugin’ is closed to new replies.