[BUG] Config option DENY_HTTP_STATUS sometimes is not applied #3448

@Defy3738

What happened?

Hi, @TheophileDiot,

I would like to follow up on a topic that was somewhat previously discussed in #3156, because I think there is still a small bug lingering about. It may not be a big deal, but please see below.

There are two things I am concerned with. One is the return code of 400 when the actor requests /bwerror400 (even though it is not part of the blacklist ignore config below). On the surface this may not be a big deal, but it confirms to the bad actor that the server uses BunkerWeb (and could then be exploited if there happens to be a vulnerability in BunkerWeb). I think that the DENY_HTTP_STATUS setting should be respected regardless of whether a user specifically requests /bwerror400 because they are familiar with the source code.

Second is that the badbehavior counter needlessly uses resources when a ban is permanent. I realize that it is useful to have the counter for when an IP is not already banned, or is banned within a context, or if it has an end date, but maybe it is not needed if the IP is already banned permanently.

At any rate, thank you very much for working on this project and for all you do.

Details

A few log entries (all redactions have been identified with the REDACTED prefix):

(444) 18.218.118.203 | (-) [REDACTED_IPV4] | GET / HTTP/1.1 (0) | visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 (-)
[notice] 936#936: *583 [BADBEHAVIOR] increased counter for IP 18.218.118.203 (1/10) on server _ (status 444, scope global), context: ngx.timer
# ...
(400) 18.218.118.203 | (-) _ | GET /bwerror400 - (0) | - (-)
[notice] 936#936: *605 [BADBEHAVIOR] increased counter for IP 18.218.118.203 (2/10) on server _ (status 400, scope global), context: ngx.timer
# ...
[notice] 936#936: *794 [BADBEHAVIOR] decreased counter for IP 18.218.118.203 (1/10) on server _ (status 444, scope global), context: ngx.timer
# ...
[notice] 936#936: *813 [BADBEHAVIOR] decreased counter for IP 18.218.118.203 (0/10) on server _ (status 400, scope global), context: ngx.timer

Where the partial config is:

USE_REDIS=yes
DATABASE_URI=postgresql://
DISABLE_DEFAULT_SERVER=yes
SERVE_FILES=no
DENY_HTTP_STATUS=444
REVERSE_PROXY_INTERCEPT_ERRORS=no
INTERCEPTED_ERROR_CODES=
LOG_FORMAT=($status) $remote_addr | ($remote_user) $host | $request_method $uri$args_sanitized $server_protocol ($body_bytes_sent) | $http_user_agent ($http_referer)
example.com_BLACKLIST_URI=^/.+
example.com_BLACKLIST_IGNORE_URI=^/assets/.+$ ... some more specific endpoints

And this particular bad actor has been banned on this server for some time:

podman exec bunkerweb-scheduler bwcli bans 2>&1 | rg "18.218.118.203"
#  🔒 18.218.118.203 [US]

How to reproduce?

Not really sure.

Configuration file(s) (yaml or .env)

Relevant log output

BunkerWeb version

1.6.9-rc3

What integration are you using?

Docker

Linux distribution (if applicable)

No response

Removed private data

  • I have removed all private data from the configuration file and the logs

Code of Conduct

  • I agree to follow this project's Code of Conduct
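
Added example, not part of the original issue and not BunkerWeb code: a log check that parses access lines in the LOG_FORMAT shown above and lists requests from banned IPs that were answered with a status other than DENY_HTTP_STATUS. The function names, the `BANNED` set and the last sample line are assumptions made for illustration; the other sample lines are copied from the issue.

```python
import re

# Mirrors the LOG_FORMAT from the issue:
# ($status) $remote_addr | ($remote_user) $host | $request_method
# $uri$args_sanitized $server_protocol ($body_bytes_sent) | $http_user_agent ($http_referer)
ACCESS_RE = re.compile(
    r"^\((?P<status>\d{3})\) (?P<ip>\S+) \| \((?P<user>.*?)\) (?P<host>\S+) \| "
    r"(?P<method>\S+) (?P<uri>.*?) (?P<proto>\S+) \((?P<bytes>\d+)\) \| "
    r"(?P<agent>.*) \((?P<referer>.*)\)$"
)


def parse_access_line(line):
    """Return the fields of one access-log line, or None for any other line."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None  # e.g. the [notice] ... [BADBEHAVIOR] lines
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_deny_status_mismatches(lines, banned_ips, deny_status):
    """Requests from banned IPs answered with a status other than deny_status."""
    hits = []
    for line in lines:
        entry = parse_access_line(line)
        if entry and entry["ip"] in banned_ips and entry["status"] != deny_status:
            hits.append(entry)
    return hits


# The first three lines are copied from the issue; the last one is constructed.
SAMPLE = [
    "(444) 18.218.118.203 | (-) [REDACTED_IPV4] | GET / HTTP/1.1 (0) | "
    "visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
    "Chrome/126.0.0.0 Safari/537.36 (-)",
    "[notice] 936#936: *583 [BADBEHAVIOR] increased counter for IP 18.218.118.203 "
    "(1/10) on server _ (status 444, scope global), context: ngx.timer",
    "(400) 18.218.118.203 | (-) _ | GET /bwerror400 - (0) | - (-)",
    "(200) 203.0.113.7 | (-) example.com | GET /assets/app.css HTTP/1.1 (5120) | "
    "Mozilla/5.0 (X11; Linux x86_64) (https://example.com/)",
]
BANNED = {"18.218.118.203"}  # assumption: collected from `bwcli bans` output

if __name__ == "__main__":
    for e in find_deny_status_mismatches(SAMPLE, BANNED, deny_status=444):
        print(f"{e['ip']} got {e['status']} for {e['method']} {e['uri']} ({e['proto']})")
```
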
