Author Topic: 403 Forbidden error  (Read 1032 times)

sonnyh

  • Newbie
  • *
  • Posts: 16
Re: 403 Forbidden error
« Reply #12 on: August 16, 2019, 03:36:00 PM »
Thank you once again.

I will work up an email with guidelines.
Best,
Sonny

Randem

  • Administrator
  • Hero Member
  • *****
  • Posts: 2681
Re: 403 Forbidden error
« Reply #11 on: August 16, 2019, 01:37:49 PM »
This behavior could also be triggered by a plugin on their browser that automatically fills out fields on the form. An incorrect password is still an incorrect password but they do it a great number of times which triggers a lockout.

Randem

  • Administrator
  • Hero Member
  • *****
  • Posts: 2681
Re: 403 Forbidden error
« Reply #10 on: August 16, 2019, 12:23:24 PM »
This is why they should use the "Forgot Password" link on the login page to avoid this. They would need to attempt to log in a very high number of times quickly for this to trigger. The theory is "If it acts like a bot, it just might be a bot." Better safe than sorry...

It could be in the .htaccess file without being in the blacklist... for this type of block.

sonnyh

  • Newbie
  • *
  • Posts: 16
Re: 403 Forbidden error
« Reply #9 on: August 16, 2019, 12:01:07 PM »
Odd, not in blacklist search, but is in .htaccess

Part of the problem is they forget their password and end up locking themselves out.
Best,
Sonny

Randem

  • Administrator
  • Hero Member
  • *****
  • Posts: 2681
Re: 403 Forbidden error
« Reply #8 on: August 16, 2019, 10:12:52 AM »
This IP is the same block type as the other two. It seems it is attempting to break into your system using different passwords at a very fast pace. If it is being blocked it has to be in your IP blacklist which is a visual of your .htaccess file.

sonnyh

  • Newbie
  • *
  • Posts: 16
Re: 403 Forbidden error
« Reply #7 on: August 16, 2019, 07:52:49 AM »
An IP is being blocked, but I cannot find where.
It is not in the blacklist; I also looked at .htaccess just in case.
Here is the log:
75.132.241.0   Guest   BotBanishClient: Known Bad Bot Resource Usage Attempt Stopped - r5mars.org

A BOT/USER has been terminated from accessing the system

IP Address: 75.132.241.0
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36

BotBanish Client 3.3.02 (SMF)
?action=login2   August 14, 2019, 10:09:49 AM
75.132.241.0   Guest   8: Undefined index: login_with_forum
?   August 14, 2019, 10:09:45 AM
75.132.241.0   Guest   8: Undefined index: register_an_account
?   August 14, 2019, 10:09:45 AM
75.132.241.0   Guest   8: Undefined index: login_below
?   August 14, 2019, 10:09:45 AM
75.132.241.0   Guest   8: Undefined index: welcome_guest
?   August 14, 2019, 10:09:45 AM
75.132.241.0   Guest   8: Undefined index: login_with_forum
?topic=4117.0   August 14, 2019, 07:59:23 AM
75.132.241.0   Guest   8: Undefined index: register_an_account
?topic=4117.0   August 14, 2019, 07:59:23 AM
75.132.241.0   Guest   8: Undefined index: login_below
?topic=4117.0   August 14, 2019, 07:59:23 AM
75.132.241.0   Guest   8: Undefined index: welcome_guest
?topic=4117.0   August 14, 2019, 07:59:23 AM
75.132.241.0   Guest   8: Undefined index: login_with_forum
?topic=4119.0   August 14, 2019, 07:59:22 AM
75.132.241.0   Guest   8: Undefined index: register_an_account
?topic=4119.0   August 14, 2019, 07:59:22 AM
75.132.241.0   Guest   8: Undefined index: login_below
?topic=4119.0

Best,
Sonny

sonnyh

  • Newbie
  • *
  • Posts: 16
Re: 403 Forbidden error
« Reply #6 on: August 15, 2019, 11:09:42 AM »
Ok, good to know
Best,
Sonny

Randem

  • Administrator
  • Hero Member
  • *****
  • Posts: 2681
Re: 403 Forbidden error
« Reply #5 on: August 15, 2019, 09:13:32 AM »
Correction, removing IP addresses from the blacklist will remove them from the .htaccess file. So no need to edit the htaccess file.

sonnyh

  • Newbie
  • *
  • Posts: 16
Re: 403 Forbidden error
« Reply #4 on: August 15, 2019, 01:59:41 AM »
Thank you
Best,
Sonny

Randem

  • Administrator
  • Hero Member
  • *****
  • Posts: 2681
Re: 403 Forbidden error
« Reply #3 on: August 14, 2019, 10:15:51 AM »
Neither of those IP addresses is blocked on our servers. In fact, they have only appeared once on our servers. This would indicate that the blocking is done locally on your end. I see that in the error message there is a phrase "Known Bad Bot Resource Usage Attempt Stopped - r5mars.org"; this means that the IP has repeatedly attempted to gain access to the system in excess of the time allowed and was locked out for this, a resource hog. Now this could be the start of a Brute Force or a DoS attack. Now the IP could be shared with many different users at the same location and it would only take one of them to create a problem. Or the user's machine has an infection of sorts and is attempting to possibly do damage. This could be from a simple browser plugin that is not operating properly to something malicious.

A 403 Error is that the user is attempting to access pages that are not present on your system. This could be a possible attack where the user is looking for vulnerabilities on your system and sending requests for known applications that might be on your system that they can take advantage of. And since both IP addresses were on the Login page, one would assume that they are attempting to find a username/password combination to gain access to your system.

You can take the IP addresses out of the .htaccess file but they will reappear if the user continues this behavior. This CANNOT be just whitelisted after it has been blocked, it should be removed from the blacklist also. Remove the IP from the .htaccess file and the whitelist should work as expected. Mind you that you will be opening your site up to abuse from those IP addresses.
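
An added example, not part of the original posts and not BotBanish's own code: a check for whether an address is covered by a deny entry in an .htaccess file. It assumes the file uses standard Apache `Deny from` / `Require not ip` directives (the thread does not show the real file), and it matches partial-IP, netmask and CIDR entries, which a literal search for the full address misses. The sample file and the function names are constructed.

```python
import ipaddress
import re

# Constructed sample (documentation address ranges), showing both the
# Apache 2.2 "Deny from" and the 2.4 "Require not ip" syntax.
SAMPLE_HTACCESS = """\
# constructed sample, not from the thread's site
Order Allow,Deny
Allow from all
Deny from 203.0.113.7
Deny from 198.51.100
Deny from 192.0.2.0/255.255.255.128
Require not ip 192.0.2.128/25 203.0.113.200
"""

RULE = re.compile(r"^\s*(?:deny\s+from|require\s+not\s+ip)\s+(.+)$", re.I)
PARTIAL = re.compile(r"\d{1,3}(\.\d{1,3}){0,2}\.?")  # 1 to 3 leading octets

def to_network(token):
    """Convert one Apache address token to an ip_network.

    Returns None for tokens this check does not evaluate
    (hostnames, 'all', env=...).
    """
    token = token.strip()
    if PARTIAL.fullmatch(token):
        # Apache treats "198.51.100" as the whole 198.51.100.0/24 subnet.
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    try:
        # Accepts a single address, CIDR, and network/netmask forms.
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None

def find_blocks(htaccess_text, ip):
    """Return (line_number, token) for every deny entry that covers ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        match = RULE.match(line)
        if line.lstrip().startswith("#") or not match:
            continue
        for token in match.group(1).split():
            net = to_network(token)
            if net is not None and addr in net:
                hits.append((lineno, token))
    return hits
```

The function only locates matching deny entries; it does not evaluate `Order`/`Allow` precedence, so a hit means "this line is a candidate for the 403", not a full access decision.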

sonnyh

  • Newbie
  • *
  • Posts: 16
Re: 403 Forbidden error
« Reply #2 on: August 14, 2019, 07:58:30 AM »
Here is another good IP that was blocked and not in the blacklist:

Apply Filter: Only show the error messages of this member Guest
Apply Filter: Only show the error messages of this IP address 68.38.26.122   
    Reverse chronological order of list Today at 10:07:30 AM
Apply Filter: Only show the error messages of this session 24095de5c3e29a2fdeb2e4dad0dc2511
Apply Filter: Only show the errors of this type Type of error: botbanish
Apply Filter: Only show the error messages of this URL https://r5mars.org/smf/index.php?action=login2
Apply Filter: Only show the errors with the same message
BotBanishClient: Known Bad Bot Resource Usage Attempt Stopped - r5mars.org

A BOT/USER has been terminated from accessing the system

IP Address: 68.38.26.122
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36

BotBanish Client 3.3.02 (SMF)
Best,
Sonny

sonnyh

  • Newbie
  • *
  • Posts: 16
403 Forbidden error
« Reply #1 on: August 14, 2019, 07:29:26 AM »
Hi,
This just started happening:
Forbidden
You don't have permission to access /smf/index.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

From Error Log -----------------------------------------------------------------------------
Apply Filter: Only show the error messages of this member Guest
Apply Filter: Only show the error messages of this IP address 170.249.31.150   
    Reverse chronological order of list Today at 09:13:21 AM
Apply Filter: Only show the error messages of this session 3261c3ac6a2f57a830b459d8b4704fef
Apply Filter: Only show the errors of this type Type of error: botbanish
Apply Filter: Only show the error messages of this URL https://r5mars.org/smf/index.php?action=login2
Apply Filter: Only show the errors with the same message
BotBanishClient: Known Bad Bot Resource Usage Attempt Stopped - r5mars.org

A BOT/USER has been terminated from accessing the system

IP Address: 170.249.31.150
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
--------------------------------------------------
This address should not be blocked.
I have it in the whitelist, and checked the blacklist too.

There are other members that are blocked.
I am waiting for their IP and ISP info
Best,
Sonny