invis.net

Issues with Gutenberg and blocking user enumeration

A few days ago the same user who had the problem last time reported that “the site stopped working after some time until he restarted his router; this happened at home and in the office”.

This is what was logged in auth.log:
Aug 24 10:56:37 hostxyz wordpress(mydomain.com/)[22009]: Accepted password for usernamexyz from 123.123.123.123
Aug 24 10:58:53 hostxyz wordpress(mydomain.com/)[22081]: Blocked user enumeration attempt from 123.123.123.123
Aug 24 13:16:34 hostxyz wordpress(mydomain.com/)[29022]: Blocked user enumeration attempt from 123.123.123.123
Aug 24 13:22:22 hostxyz wordpress(mydomain.com/)[4078]: Blocked user enumeration attempt from 123.123.123.123
Aug 24 14:04:23 hostxyz wordpress(mydomain.com/)[13200]: Blocked user enumeration attempt from 123.123.123.123
Aug 24 14:07:10 hostxyz wordpress(mydomain.com/)[15558]: Blocked user enumeration attempt from 123.123.123.123

I removed the WP_FAIL2BAN_BLOCK_USER_ENUMERATION define and the user reports that the problem is now gone.

Can you look at the access logs and see what the matching request is please? The URL (with query string) and Referer should tell me what’s actually going on.

I extracted all log entries from the given IP which led to a 403 error:

123.123.123.123 - - [24/Aug/2020:10:58:53 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 951 "https://mydomain.com/wp-admin/post.php?post=33009&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:12:03:42 +0200] "GET /wp-json/wp/v2/media/5089?context=edit&_locale=user HTTP/1.1" 403 997 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:12:03:42 +0200] "GET /wp-json/wp/v2/media/3549?context=edit&_locale=user HTTP/1.1" 403 997 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:12:03:42 +0200] "GET /wp-json/wp/v2/media/5086?context=edit&_locale=user HTTP/1.1" 403 997 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:13:16:33 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 1317 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:13:22:21 +0200] "GET /wp-json/wp/v2/media/3549?context=edit&_locale=user HTTP/1.1" 403 997 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:13:22:22 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 951 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:14:04:23 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 951 "https://mydomain.com/wp-admin/post.php?post=32600&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:14:07:10 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 951 "https://mydomain.com/wp-admin/post.php?post=33206&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"

[I’ve split the thread as this is a related but different issue.]

OK, I can see 2 different things going on here:

  1. REST API calls for media the user doesn’t have access to,
  2. REST API calls to list Authors

The first of these has nothing to do with WPf2b; my guess is that there’s a block that doesn’t fully understand user roles and capabilities.

The second is WPf2b doing what it’s designed to do: user enumeration via the REST API is blocked for users that aren’t logged in and for anything less than an Editor. In previous testing with the standard blocks this worked well - nothing I tried attempted to get a list of users.

However, it seems this changed in 5.4 (possibly earlier).

Hopefully this is fixed in 4.3.0.8-rc1 - I’d be grateful if you’d give it a try and let me know how you get on.

wp-fail2ban-free.4.3.0.8-rc1.zip (812.8 KB)

@brrrrrrrt Have you had a chance to try 4.3.0.8-rc1 yet?

Sorry, not yet; just too busy lately, it may take some time…

OK, I was able to test the RC.
With 4.3.0.7 I got “Blocked user enumeration attempt” when opening a post as a user with “Author” privileges.
With 4.3.0.8-rc1 I get “Blocked user enumeration attempt” every time a post is opened for editing.

Hmm… Which version of WP are you on? Any custom/3rd-party blocks?

Ah, sorry, with 4.3.0.8-rc1 I get “Blocked authors enumeration” instead of “Blocked user enumeration attempt”.

  • latest WP 5.5.1 (multisite installation)
  • Tempera Theme

and quite a bunch of plugins:

  • AH Display Widgets
  • All In One WP Security
  • All-in-One Event Calendar Extended Views by Time.ly
  • All-in-One Event Calendar by Time.ly
  • Author Filters
  • Comment Redirect by Yoast
  • Cryout Serious Theme Settings
  • Edit Author Slug
  • Email Subscribers & Newsletters
  • Flexible Posts Widgets
  • Flow-Flow
  • Frontend Reset Password
  • Maps Block for Gutenberg
  • Multisite Enhancements
  • Oomph Hidden Tags
  • Open Graph and Twitter Card Tags
  • Quotes Collection
  • Redis Object Cache
  • Regenerate Thumbnails
  • Responsive Lightbox & Gallery
  • SB-RSS_feed-plus
  • Search Exclude
  • Shariff Wrapper
  • Simple Custom CSS
  • User Activation Keys
  • User Switching
  • WordPress.com Theme Updates
  • WP Crontrol
  • WP fail2ban
  • WP Mail SMTP
  • WP SVG Icons
  • WP-Sweep

Aha! We have success - that’s what it’s supposed to be doing.

It’s a debug-level message so usually that’ll go to a different log, and the message shouldn’t match any of the rules anyway.

The root of the problem is that WordPress preloads the list of authors without first checking if the user is allowed to do anything with it. WPf2b now compromises - it blocks the request if the user doesn’t have edit_others_posts without triggering fail2ban.

If I’m feeling particularly masochistic this week I’ll file a bug report with WP :grin:
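The triage the maintainer asked for earlier in the thread (match each "Blocked user enumeration attempt" syslog line to the 403 request in the access log and look at the URL and Referer) and the point made just above (the 4.3.0.8 message is debug-level and should not match the fail2ban rules) can both be checked mechanically. The script below is an added example written for this page, not code from WP fail2ban or from anyone in the thread. It parses the auth.log and access-log lines quoted above (plus two constructed lines: an anonymous scanner from 198.51.100.7 and a "Blocked authors enumeration" line in the 4.3.0.8 wording reported by the user), correlates them by IP and timestamp, classifies each blocked request as a Gutenberg author preload, a media context=edit request, or a real user listing, and counts how many of the blocks a fail2ban-style failregex would actually score. The failregex is a hypothetical one modelled on the 4.3.0.7 message text, not a copy of the filter WP fail2ban ships; the syslog year (2020) is assumed from the access log.

```python
"""Correlate WP fail2ban 'Blocked ... enumeration' syslog lines with the web-server
access log, and check which of them a fail2ban-style failregex would count."""
import re
from datetime import datetime
from urllib.parse import parse_qsl

# Constructed sample input: the auth.log / access-log lines quoted in the thread, plus
# two constructed additions: an anonymous scanner (198.51.100.7) and a 4.3.0.8-style
# "Blocked authors enumeration" line (exact wording assumed from the user's report).
AUTH_LOG = """\
Aug 24 10:56:37 hostxyz wordpress(mydomain.com/)[22009]: Accepted password for usernamexyz from 123.123.123.123
Aug 24 10:58:53 hostxyz wordpress(mydomain.com/)[22081]: Blocked user enumeration attempt from 123.123.123.123
Aug 24 13:16:34 hostxyz wordpress(mydomain.com/)[29022]: Blocked user enumeration attempt from 123.123.123.123
Aug 24 13:22:22 hostxyz wordpress(mydomain.com/)[4078]: Blocked user enumeration attempt from 123.123.123.123
Aug 24 15:30:01 hostxyz wordpress(mydomain.com/)[31000]: Blocked user enumeration attempt from 198.51.100.7
Aug 24 15:41:12 hostxyz wordpress(mydomain.com/)[31055]: Blocked authors enumeration from 123.123.123.123
"""
ACCESS_LOG = """\
123.123.123.123 - - [24/Aug/2020:10:58:53 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 951 "https://mydomain.com/wp-admin/post.php?post=33009&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:13:16:33 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 1317 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:13:22:21 +0200] "GET /wp-json/wp/v2/media/3549?context=edit&_locale=user HTTP/1.1" 403 997 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
123.123.123.123 - - [24/Aug/2020:13:22:22 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 951 "https://mydomain.com/wp-admin/post.php?post=32989&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
198.51.100.7 - - [24/Aug/2020:15:30:01 +0200] "GET /wp-json/wp/v2/users/?per_page=100 HTTP/1.1" 403 951 "-" "python-requests/2.24.0"
123.123.123.123 - - [24/Aug/2020:15:41:12 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&_locale=user HTTP/1.1" 403 951 "https://mydomain.com/wp-admin/post.php?post=33206&action=edit" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0"
"""
SYSLOG_YEAR = 2020  # syslog lines carry no year; assumed from the access-log dates

AUTH_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: (?P<msg>.*)$')
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                       r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Hypothetical failregex in fail2ban syntax, modelled on the 4.3.0.7 message seen in the
# thread. It is NOT the filter file shipped with WP fail2ban.
FAILREGEX = [r"Blocked user enumeration attempt from <HOST>$"]


def compile_failregex(pattern):
    """Expand fail2ban's <HOST> placeholder (simplified here to any non-space token)."""
    return re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))


BAN_RULES = [compile_failregex(p) for p in FAILREGEX]


def parse_auth_line(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "msg": m["msg"], "ip": m["msg"].rsplit(" from ", 1)[-1]}


def parse_access_line(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # The UTC offset is dropped: syslog and access log are in the same local zone here.
    d["ts"] = datetime.strptime(d["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
    d["status"] = int(d["status"])
    return d


def ban_rule_hit(msg):
    """Would a fail2ban jail using FAILREGEX count this syslog message?"""
    return any(r.search(msg) for r in BAN_RULES)


def classify(req):
    """Tell a Gutenberg editor preload apart from a genuine REST user listing."""
    path, _, query = req["target"].partition("?")
    params = dict(parse_qsl(query))
    from_editor = "/wp-admin/post.php" in req["referer"] and "action=edit" in req["referer"]
    if path.startswith("/wp-json/wp/v2/users") and params.get("who") == "authors" and from_editor:
        return "gutenberg-author-preload"      # the block-editor preload discussed in the thread
    if path.startswith("/wp-json/wp/v2/media/") and params.get("context") == "edit" and from_editor:
        return "media-context-edit"            # capability problem in a block, not WPf2b's doing
    if path.startswith("/wp-json/wp/v2/users"):
        return "user-enumeration"              # no editor referer, no author filter: a real listing
    return "other"


def analyse(auth_log=AUTH_LOG, access_log=ACCESS_LOG, window=2):
    """For each 'Blocked ...' syslog line, find the 403 requests from the same IP within
    `window` seconds and decide whether the fail2ban hit was a false positive."""
    auth = [e for e in map(parse_auth_line, auth_log.splitlines()) if e]
    access = [e for e in map(parse_access_line, access_log.splitlines()) if e]
    findings = []
    for e in auth:
        if not e["msg"].startswith("Blocked"):
            continue
        reqs = [r for r in access if r["ip"] == e["ip"] and r["status"] == 403
                and abs((r["ts"] - e["ts"]).total_seconds()) <= window]
        kinds = [classify(r) for r in reqs]
        counted = ban_rule_hit(e["msg"])
        if not counted:
            verdict = "debug-only"          # logged, but no jail would score it
        elif not kinds:
            verdict = "unmatched"           # no request found in the window; widen it
        elif "user-enumeration" in kinds:
            verdict = "true-positive"
        else:
            verdict = "false-positive"      # a logged-in editor session, not a scanner
        findings.append({"ts": e["ts"].strftime("%H:%M:%S"), "ip": e["ip"],
                         "counted_by_fail2ban": counted, "requests": kinds, "verdict": verdict})
    return findings


def ban_counts(findings):
    """Per-IP number of syslog lines a jail using FAILREGEX would count towards a ban."""
    counts = {}
    for f in findings:
        if f["counted_by_fail2ban"]:
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyse()
    for f in results:
        print(f)
    print(ban_counts(results))
```

With the thread's data every 4.3.0.7 "Blocked user enumeration attempt" line from 123.123.123.123 correlates with a Gutenberg preload from a post-edit screen, so three of them would count towards a ban for a legitimate Author, while the 4.3.0.8-style "Blocked authors enumeration" line is never scored; the only hit that survives as a true positive is the constructed anonymous listing with no editor Referer. The 2-second window matters: the access-log timestamp is sometimes one second before the syslog one, as the 13:16:33 / 13:16:34 pair shows.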

Great!

thank you very much for your efforts!

:muscle:

I’ve just released 4.3.0.8, and I’m going to call that a fix.

As always, feel free to report any issues!
