What kind of protection events are logged ?

  • Resolved massimod

    (@massimod)


    8 years, 5 months ago

    I have installed this plugin for a few days, replacing other layers of protection.

    The audit trail has several logs about invalid login, search engines firewall skip, transgression counter started and posts posted and edited.

    Nothing else.

    This can’t be true since my previous tools reported daily attempts for all kind of strange attacks, sql attempts, php files attempts, directory traversals etc etc.

    So, Shield plugin or (1) doesn’t log but protects or (2) doesn’t protect from all that.

    What happens ?

    Thanks

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Paul

    (@paultgoodchild)

    The Shield plugin does protect against these things.
    Unless you really need, I would turn of attempted detection of search engine bots. They generally wouldn’t trigger the firewall rule anyway.

    Also, test this. If you have the Firewall rule “WordPress terms” selected, access the url:
    https://yourdomain.com/?test=wp_test

    You should be blocked… if not and you get a skip in the audit trail, there’s a basic server configuration issue here.

    Of course, if you have white listed yourself, log out.

    Thanks

    Thread Starter massimod

    (@massimod)

    Hello.

    Yes the “?test=wp_test” triggered everything and also i got an email.

    Also i did copy paste most violations from my previous firewall wrapper, and some of them triggered the firewall as well.

    The only thing i noticed is the the IP (MY IP) was half of the times wrong. Instead of my IP, some other IP was logged (usually Google bot’s). See:

    Shield has blocked a page visit to your site.
    Log details for this visitor are below:
    – IP Address: 66.249.91.130
    – Page parameter failed firewall check. The offending parameter was “0” with a value of “@ini_set(“display_errors”,”0″);@set_time_limit(0);@set_magic_quotes_runtime(0);echo ‘->|’;file_put_contents($_SERVER[‘DOCUMENT_ROOT’].’/webconfig.txt.php’,base64_decode(‘PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+’));echo ‘|<-‘;”.
    – Firewall Trigger: Aggressive Rules.
    – Firewall Block Response: Visitor connection was killed with wp_die().
    You can look up the offending IP Address here: https://ip-lookup.net/?ip=66.249.91.130

    So attempts from an IP are actually counted for an other IP ?

    Thanks

    • This reply was modified 8 years, 5 months ago by massimod.
    Plugin Author Paul

    (@paultgoodchild)

    We detect the IP address as it is passed to your web server. If the IP address being reported to the PHP processing engine is somehow that of a Google bot, you’ll need to talk to your web host about that. Shield doesn’t make up IP addresses – it finds the first legitimate IP address that is in the public domain and assumes that the web hosting is configured to do this properly.
    It’s quite possible caching is setup on your server and it is misconfigured.

    Thread Starter massimod

    (@massimod)

    Oh, no. Don’t start the web hosting blame game. Nothing wrong with it.

    In any case thanks.

    • This reply was modified 8 years, 5 months ago by massimod.
    Plugin Author Paul

    (@paultgoodchild)

    We’ve seen just about every possible web hosting configuration and issue under the sun, at this stage. We are very aware of web hosting issues/configuration problems – they get it wrong a lot, though it goes unnoticed by most.

    Thread Starter massimod

    (@massimod)

    We are very aware of web hosting issues/configuration problems – they get it wrong a lot, though it goes unnoticed by most.

    Sure. I can say the very same for plugin bugs (in general). Most problems get un-noticed by the users. 99%.

    Plugin Author Paul

    (@paultgoodchild)

    Okay, cool.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘What kind of protection events are logged ?’ is closed to new replies.