A customer's IP got blocked while they were editing their site.
This is most likely caused by a BitNinja WAF rule that was falsely triggered. In short, we need to disable the rule that was falsely triggered on that URL, or whitelist the customer's IP address.
Whitelisting an IP address is a security risk because BitNinja won’t block any request from the IP address. So we recommend whitelisting an IP address only if the IP address is static and you trust the IP address.
Find which rule was falsely triggered.
- Enter the IP address into the search field at the top of the Dashboard screen
- Scroll down and find the first incident, or the incident right after the IP was delisted.
- Expand the incident log with the arrow icon on the right and check which rule was triggered.
False-positive WAF trigger
We need to disable the rule on the URL where it was triggered.
When you are looking for a rule, always look for the WAF icon below:
Always check the request’s payload and the URL. If the payload looks suspicious and at the end of the URL there is a PHP file with 8 random characters as a name then it can be a hexa botnet attack for example.
How to disable the WAF rule
- Expand the incident with the arrow icon on the right side
- Make a note of these entries in the log:
  - the URL where the rule was falsely triggered
  - the ModSecurity id, which is the number of the rule that was triggered
- Go to the WAF 2.0 menu
- Select the victim server at the top of the screen
- Enter the domain pattern based on the URL, then click on the ADD button
  For example, if the rule was triggered on www.example.com/wp/wp-admin/admin-ajax.php, enter example.com/wp/wp-admin/* to disable the rule on this URL.
  You can also add */wp/wp-admin/* if you wish to disable the rule for all WordPress admin URIs on the server.
- Click on the little setting icon at the right, then click on advanced settings
- Expand the rule groups until you find the ModSecurity id, then disable the rule with the switch icon on the right side
You can use your browser's search function to find the rule while expanding the rule groups.
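A domain pattern is an exemption, so it is worth checking how far it reaches before adding it. The following added Python example is not BitNinja's code: it assumes that * stands for any run of characters and that a leading www. is ignored (both assumptions about the matching rules, not documented behaviour), and lists which of a few constructed request URLs a pattern would exempt.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of request URLs seen on a shared server (not real traffic).
SAMPLE_URLS = [
    "www.example.com/wp/wp-admin/admin-ajax.php",
    "https://www.example.com/wp/wp-admin/post.php?action=edit",
    "www.example.com/wp/index.php",
    "https://shop.example.net/wp/wp-admin/admin-ajax.php",
]


def normalize(url: str) -> str:
    """Reduce a URL to host/path: drop scheme, query string and a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a domain pattern where '*' means any characters (assumed semantics)."""
    literal_parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in literal_parts) + "$")


def pattern_matches(pattern: str, url: str) -> bool:
    """True if the exemption pattern would cover this request URL."""
    return pattern_to_regex(pattern).match(normalize(url)) is not None


def pattern_scope(pattern: str) -> str:
    """Describe the blast radius: a pattern with no fixed host applies to every site."""
    host = pattern.split("/", 1)[0]
    if "*" in host:
        return "all domains on this server"
    return f"{host} only"


def review_exemption(pattern: str, urls=SAMPLE_URLS) -> dict:
    """Summarise what a pattern exempts so it can be checked before it is added."""
    return {
        "scope": pattern_scope(pattern),
        "exempted": [u for u in urls if pattern_matches(pattern, u)],
    }


if __name__ == "__main__":
    for p in ("example.com/wp/wp-admin/*", "*/wp/wp-admin/*"):
        print(p, review_exemption(p))
```

Anything listed under "exempted" will no longer be checked by the disabled rule, so prefer the narrowest pattern that still covers the falsely triggered URL.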
False positive Port Honeypot catch
If the icon looks like the one below, there was an attempt to connect to a port that BitNinja uses as a port honeypot. This can be caused by a setting on the user's end. You can whitelist the IP address if you trust it.
Add a line in the /etc/bitninja/PortHoneypot/config.ini file under the [ports_never_use] flag that looks like this:
It is important to make sure there is no semicolon in front of the line (a leading semicolon would comment the line out).
After the file is modified, restart BitNinja with the service bitninja restart command.
How to whitelist the IP address
- Click on the +WHITELIST button at the top
- Add a comment
- Click on ADD TO WHITELIST