Mod_Evasive Blacklisting address despite whitelisting (possible DoS attack)

Support
, ,
1

Bug Report Template

Description

When editing pages on a WordPress site (with “Salient” theme and some plugins) WP admin users are banned frequently (almost always immediately when saving/submitting a page edit.)

From /var/log/messages:

...
host mod_evasive[292445]: Blacklisting address 111.111.111.111: possible DoS attack.
host mod_evasive[292445]: Blacklisting address 222.222.222.222: possible DoS attack.
host mod_evasive[292445]: Blacklisting address 111.111.111.111: possible DoS attack.
host mod_evasive[292445]: Blacklisting address 111.111.111.111: possible DoS attack.
host mod_evasive[292445]: Blacklisting address 222.222.222.222: possible DoS attack.
...

I’m not able to find a whitelist configuration that successfully prevents blacklisting/banning my IP.

I’ve tried both methods of whitelisting listed in docs:

# cpcmd scope:set rampart.fail2ban-whitelist '111.111.111.111'
INFO   : Bootstrapper task running in background with roles: fail2ban/whitelist-self
1
# cpcmd scope:set rampart.fail2ban-whitelist '222.222.222.222'
INFO   : Unbanning IP address `222.222.222.222'
INFO   : Unbanned `222.222.222.222' from jail `recidive'
INFO   : Bootstrapper task running in background with roles: fail2ban/whitelist-self
1

This resulted in no longer getting connection denied and instead resulted in the HTTP 429 error:

Too Many Requests
The user has sent too many requests in a given amount of time.

So then I tried the additional whitelist method:

# cpcmd rampart:whitelist '111.111.111.111'
1
# cpcmd rampart:whitelist '222.222.222.222'
1

Steps to Reproduce

Unfortunately, I don’t have a great way to reproduce this. Our scenario is a WordPress website using the “Salient” theme. I’m sure, in classic WP fashion, there’s just a lot of backend calls that are triggering the banning.

Also worth noting, this typically only happens when logged into the backend and editing pages (with theme/plugin). I can get it to trigger on the front end if I’m spamming requests, but doesn’t happen under normal usage.

Expected Behavior

Expect whitelist to work and ban not to be implemented for whitelisted IPs.

Actual Behavior

According to the logs, IPs are still banned and users continue to get HTTP 429 error, making pages unaccessible.

Environment

# cpcmd misc_cp_version
revision: 1a4f68eb443cba2dba72a59e556e10efadc5fa5d
timestamp: 1729009304
ver_maj: 3
ver_min: 2
ver_patch: 0
ver_pre: 1a4f68eb4
dirty: false
debug: false

# uname -r
4.18.0-553.22.1.el8_10.x86_64

Additional Information

WordPress version: 6.6.2 (latest)

2

Just found apache.evasive-whitelist
https://web301.atrelix.net:2083/apps/scopes/apply/apache.evasive-whitelist
cpcmd scope:set apache.evasive-whitelist '[127.0.0.1]'

However, the UI is a little confusing and I did not find any documentation explaining the format or how to use the apache.evasive-whitelist command.
Ref: Brute-force protection | ApisCP Docs
Ref: mod_evasive/SOURCES/README.md at master · apisnetworks/mod_evasive · GitHub

Screenshot 2024-10-16 at 2.11.34 PM
Screenshot 2024-10-16 at 2.11.34 PM1678×1570 212 KB

Looks like apache.evasive-whitelist might also be an append operation, similar to the fail2ban whitelist op and that could be part of why the UI is a little confusing? Maybe a “Whitelist” section on the /admin/Evasive page showing an example might be useful?

EDIT: It appears the UI doesn’t allow adding more than two IPs.

Using cpcmd scope:set apache.evasive-whitelist to manually whitelist each IP individually worked:

# cpcmd scope:set apache.evasive-whitelist '111.111.111.111'
1
# cpcmd scope:set apache.evasive-whitelist '222.222.222.222'
1

However, it’s also worth mentioning that when I tried to use the example from the UI listed under CLI Invocations > SETTER of cpcmd scope:set apache.evasive-whitelist '[111.111.111.111,222.222.222.222]', I got an error:

# cpcmd scope:set apache.evasive-whitelist '[111.111.111.111,222.222.222.222]'
(Exception) INTERNAL REPORT: TypeError::__set_state(array(
   'message' => 'strpos(): Argument #1 ($haystack) must be of type string, array given',
   'string' => '',
   'code' => 0,
   'file' => '/usr/local/apnscp/lib/Opcenter/Admin/Settings/Apache/EvasiveWhitelist.php',
   'line' => 32,
   'trace' => 
...
3

Evasive will still report a 429 Too Many Requests as it has immediate discretion. This is a result of a plugin repeatedly sending requests without a cooldown period, and gets worse the more performant the install is - funnily enough.

You have two immediate solutions, Toolbox for ApisCP, a plugin developed by @anatoli to sidestep these throttles for logged-in users, or overriding the throttle limits entirely.

Lastly, you can bypass this by setting throttle values remarkably high or bypassing specific URL filters. Ideally there should be a deadline to persist every setInterval() ms rather than basing off setTimeout - or ignoring it entirely.

4

Perfect! These are great solutions. Thank you very much.