• Resolved kcwebguy

    (@kcwebguy)


    Using NGINX – Seeing my Server IP Blocked in Firewall Logs

    I tried putting an .htninja whitelist of my IP just above the root using this command in the file:

    <?php
    /*
     +====================================================================+
     | NinjaFirewall optional configuration file                          |
     |                                                                    |
     | See: https://nintechnet.com/ninjafirewall/wp-edition/help/?htninja |
     +====================================================================+
    */

    if ( $_SERVER['REMOTE_ADDR'] == 'MYSERVERIP' ) {
        return 'ALLOW'; // whitelist
    }

    …but it is producing 500 errors on the site. Disabled for now.

    What do I need to do to fix this?

    Thanks in advance!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Why is your IP blocked? Which rule or policy blocks it?

    an .htninja whitelist of my IP just above the root

    Maybe you have an open_basedir restriction. Try to move the “.htninja” inside the root folder where your “wp-config.php” file is located.

    Thread Starter kcwebguy

    (@kcwebguy)

    Here is the most recent log data. All real values have been changed to protect my information. In this case IP 1.2.3.4 is my server public ip, which is what nginx is reporting back to the plugin.

    DATE INCIDENT LEVEL RULE IP REQUEST
    03/Jul/18 19:52:41 #7980318 HIGH – 1.2.3.4 GET /xmlrpc.php – Unauthorized REQUEST_METHOD to the XMLRPC API – [REQUEST_METHOD: GET] – https://www.domain.com
    14/Jul/18 10:43:02 #3114722 HIGH – 1.2.3.4 GET /xmlrpc.php – Unauthorized REQUEST_METHOD to the XMLRPC API – [REQUEST_METHOD: GET] – domain.com
    15/Jul/18 10:14:18 #1850891 HIGH – 1.2.3.4 GET /xmlrpc.php – Unauthorized REQUEST_METHOD to the XMLRPC API – [REQUEST_METHOD: GET] – domain.com
    15/Jul/18 12:14:11 #4637280 INFO – 1.2.3.4 GET /wp-admin/admin-ajax.php – Access to a script modified/created less than 24 hour(s) ago – [/home/username/public_html/wp-admin/admin-ajax.php] – https://www.domain.com
    15/Jul/18 13:20:46 #6164126 INFO – 1.2.3.4 GET /wp-login.php – Access to a script modified/created less than 24 hour(s) ago – [/home/username/public_html/wp-login.php] – https://www.domain.com
    15/Jul/18 16:31:01 #5950886 CRITICAL – 1.2.3.4 POST /wp-admin/admin-ajax.php – Blocked file upload attempt – [revslider.zip (191,590 bytes)] – https://www.domain.com
    15/Jul/18 16:31:12 #3322533 CRITICAL 3 1.2.3.4 GET /index.php – Local file inclusion – [GET:file_link = /etc/passwd] – https://www.domain.com
    15/Jul/18 16:31:12 #2954708 CRITICAL 3 1.2.3.4 GET /index.php – Local file inclusion – [GET:url = /etc/passwd] – https://www.domain.com
    15/Jul/18 16:31:12 #4193305 CRITICAL 3 1.2.3.4 GET /index.php – Local file inclusion – [GET:filepath = /etc/passwd] – https://www.domain.com
    15/Jul/18 16:31:12 #1545195 CRITICAL 1 1.2.3.4 GET /index.php – Directory traversal – [GET:fileName = ../../../../../../../../../../etc/passwd] – https://www.domain.com
    15/Jul/18 16:31:12 #1192274 CRITICAL 1 1.2.3.4 GET /index.php – Directory traversal – [GET:filename = ../../../../../../../../../etc/passwd] – https://www.domain.com
    15/Jul/18 16:31:12 #8904210 CRITICAL – 1.2.3.4 POST /index.php – Blocked file upload attempt – [ZJohnYNB.php (267,374 bytes)] – https://www.domain.com
    15/Jul/18 16:31:13 #3345962 CRITICAL 1369 1.2.3.4 POST /index.php – Remote command execution – [POST:execute = wp_insert_user] – https://www.domain.com
    15/Jul/18 17:44:56 #3691827 HIGH – 1.2.3.4 GET /index.php – User enumeration scan (author archives) – [author_name=user1] – https://www.domain.com
    15/Jul/18 22:26:44 #2705200 HIGH – 1.2.3.4 GET /index.php – User enumeration scan (author archives) – [author=1] – https://www.domain.com
    15/Jul/18 22:30:11 #1606203 HIGH – 1.2.3.4 GET /index.php – User enumeration scan (author archives) – [author_name=user2] – https://www.domain.com
    15/Jul/18 22:30:13 #1030947 HIGH – 1.2.3.4 GET /index.php – User enumeration scan (author archives) – [author_name=user3] – https://www.domain.com
    15/Jul/18 22:30:14 #8934174 HIGH – 1.2.3.4 GET /index.php – User enumeration scan (author archives) – [author_name=user1] – https://www.domain.com
    15/Jul/18 22:30:16 #5272196 HIGH – 1.2.3.4 GET /index.php – User enumeration scan (author archives) – [author_name=user4] – https://www.domain.com
    16/Jul/18 03:26:35 #6725757 HIGH – 1.2.3.4 GET /index.php – User enumeration scan (author archives) – [author=1] – https://www.domain.com
    16/Jul/18 03:26:35 #4231738 HIGH – 1.2.3.4 POST /xmlrpc.php – Access to WordPress XML-RPC API – [/xmlrpc.php] – https://www.domain.com

    I have moved the .htninja into the site root, the same directory as wp-config.php, and still get 500 errors when the file is in place.

    Please advise what I need to do to have real IPs show in the log and what to do to ensure that necessary server processes are not being blocked.

    Plugin Author nintechnet

    (@nintechnet)

    It looks like your site is behind a reverse proxy or CDN.
    You should not whitelist the IP, but simply tell NinjaFirewall which PHP variable it should use to display the real user IP.
    Server processes aren’t blocked; what you see in your log are threats and attempts to exploit known vulnerabilities, but all of them have the reverse proxy or CDN IP address.

    Run this script and check which PHP variable is used for the user real IP (probably HTTP_X_FORWARDED_FOR or similar):

    <?php
    phpinfo(33);
    

    Regarding the “.htninja”, check your HTTP error log, it will be written why a 500 error was returned. Maybe a file permissions or ownership issue?

    Thread Starter kcwebguy

    (@kcwebguy)

    Ok… so yes, my server is using HTTP_X_FORWARDED_FOR to pass the Real IP.

    How do I tell Ninja to use that HTTP_X_FORWARDED_FOR value instead of the server value?

    I want to be able to see what the real IPs are in the logs.

    Plugin Author nintechnet

    (@nintechnet)

    You can do that with the .htninja:

    <?php
    /*
     +====================================================================+
     | NinjaFirewall optional configuration file                          |
     |                                                                    |
     | See: https://nintechnet.com/ninjafirewall/wp-edition/help/?htninja |
     +====================================================================+
    */
    
    if (! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
       $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    

    No need to check the validity of HTTP_X_FORWARDED_FOR (i.e., it could contain more than one IP), NinjaFirewall will do it for you.

    But you still need to check your HTTP error log to find out why Nginx returns a 500 error when the .htninja is present.
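    The following is an added example (not NinjaFirewall’s own code and not posted by anyone in this thread) of a proxy-aware variant of the .htninja snippet above. It only honours HTTP_X_FORWARDED_FOR when the direct peer (REMOTE_ADDR) is one of the configured proxy networks, and it walks the header from the right so that a value a client appended before reaching the proxy is not taken as the real address. The CIDR ranges in $trusted_proxies are hypothetical placeholders, and the functions ip_in_cidr() and client_ip_from_xff() are mine; nintechnet says above that NinjaFirewall validates the header itself, so this adds only the “did this request actually come through my proxy” check for setups where the origin can also be reached directly.

```php
<?php
/*
 * Added example: proxy-aware .htninja fragment.
 * Restores the client IP from X-Forwarded-For only when the request
 * arrived from a trusted reverse proxy / CDN. Not NinjaFirewall code.
 */

// Hypothetical trusted proxy networks (placeholders; replace with the
// real address ranges of your reverse proxy or CDN). IPv4 only here.
$trusted_proxies = ['10.0.0.0/8', '203.0.113.0/24'];

// True when $ip falls inside the IPv4 network $cidr ("a.b.c.d/bits").
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipl  = ip2long($ip);
    $netl = ip2long($net);
    if ($ipl === false || $netl === false) {
        return false; // not IPv4 (or malformed): never matches
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipl & $mask) === ($netl & $mask);
}

function is_trusted_proxy(string $ip, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the address the firewall should treat as the client IP.
function client_ip_from_xff(array $server, array $trusted): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    // Only trust the header when the TCP peer is one of our proxies;
    // a request that reached the origin directly could carry any value.
    if ($xff === '' || !is_trusted_proxy($remote, $trusted)) {
        return $remote;
    }

    // Header layout is "client, proxy1, proxy2, ...". Walk from the right,
    // skipping hops we control, and take the first one we do not.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back to the peer address
        }
        if (!is_trusted_proxy($hop, $trusted)) {
            return $hop;
        }
    }
    return $remote; // every hop was one of ours
}

if (PHP_SAPI === 'cli') {
    // Self-check with constructed request data (run: php htninja-example.php).
    $via_proxy = [
        'REMOTE_ADDR'          => '203.0.113.10',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.10',
    ];
    $direct = [
        'REMOTE_ADDR'          => '192.0.2.44',
        'HTTP_X_FORWARDED_FOR' => '127.0.0.1', // forged by the client
    ];
    echo client_ip_from_xff($via_proxy, $trusted_proxies), "\n"; // 198.51.100.7
    echo client_ip_from_xff($direct, $trusted_proxies), "\n";    // 192.0.2.44
} else {
    $_SERVER['REMOTE_ADDR'] = client_ip_from_xff($_SERVER, $trusted_proxies);
}
```

    When used as an .htninja, drop the CLI branch; the file must only rewrite $_SERVER and must not produce output, or the firewall will again see a broken configuration file.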

    Thread Starter kcwebguy

    (@kcwebguy)

    I had an error in the .htninja file. Fixing that resolved the 500 Error issue.

    Thanks for the help on this.

    I cannot say enough how powerful this plugin is as an Application Firewall for WordPress sites. I continue to be a huge fan of you guys.

    Thanks again!

  • The topic ‘Using NGINX – Seeing my Server IP Blocked in Firewall Logs’ is closed to new replies.