Blocked from site during upgrade of IP2Country.

webservant · Posted: Wed Nov 26, 2008 10:27 am

Well, this is really strange. I just upgrade my development site on my private network behind my FW. It's a 192.x.x.x network.

I have been working well for about a day, reboots included.
Today, I went to upgrade IP2Country using the nsnst.php script.
Everything was going smootly, and after page 4, I get a NS blocked message:

Code:

NukeSentinel(tm)
You have attempted to access this site with an invalid IP.

If you think this is a mistake you can contact the site webmaster at feedback(at)XXXXXXXX(dot)org.

Be SURE to include the following information in any email!
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Remote Address: 192.X.X.X
Client IP: none
Forwarded For: none
PLEASE: bear in mind that even if you have done nothing wrong, you may be getting this page due to someone's misuse of the site in your ip range

First thing I did was empty the nsnst_ip2country table and load it using the sql files.

Testing the site from EVERY PC on my private network - I'm blocked with the same message.

I emptied the nsnst_blocked_ips and nsnst_blocke_ranges tables, and I'm still blocked.

I changed the two Sentinel flags in rnconfig.php from false to true, but I'm still blocked.

I cleared my browser cache, and tried different browsers. But I can't get access.

There is no deny from statements in the .htaccess

I'm out of ideas, and totally weirded out, and out of ideas.

webservant · Posted: Wed Nov 26, 2008 10:31 am

OK. I just rebooted the server again, and now it's working Can someone explain this one to me? Bang Head

webservant · Posted: Wed Nov 26, 2008 10:33 am

Nevermind - I'm obviously too tired. It worked because I went to my production domain name. The problem still persists on my development machine. Embarassed

evaders99 · Posted: Wed Nov 26, 2008 10:59 am

Search "Invalid IP" - this has been covered many times.

webservant · Posted: Wed Nov 26, 2008 11:35 am

OK, I found a post that had me comment this

Code:

// Invalid ip check
if($nsnst_const['remote_ip']=="none") { die(_AB_INVALIDIP); }

out of includes/nukesentinel.php, and I'm working now.

What I don't understand is why the bypassNukeSentinelInvalidIPCheck variable didn't work? Also, why do I have this initialized both in mainfile.php (from RN 2.02.02) and in rnconfig.php?

Palbin · Posted: Wed Nov 26, 2008 12:30 pm

Now I am not sure if the $bypassNukeSentinelInvalidIPCheck was supposed to be depreciated in the latest PN 2.3 or not, but it appears that when NS was updated in the latest release the $bypassNukeSentinelInvalidIPCheck variable was not readded to /includes/nukesentinel.php.

From a development stand point this is not that big a deal because sentinel has a new "Test Mode" switch now. When test mode is enalbed a "Test Mode" image will appear at the top of your site. When test mode is enabled the invalid IP Check will be bypassed. Since some people are forced to use this on a production site for several factors it is not really a practical solution because of the big TEST MODE at the top of your site. This is why I believe that it was just an oversight in not including this optional bypass. If you would like/need to use it again see the code below.

Find lines 116-122 of /includes/nukesentinel.php

Code:

// Invalid ip check
if($ab_config['test_switch'] != 1) {
if($nsnst_const['remote_ip']=="none") {
echo abget_template("abuse_invalid.tpl");
die();
}
}

Change to:

Code:

// Invalid ip check
if($ab_config['test_switch'] != 1 || !$bypassNukeSentinelInvalidIPCheck) {
if($nsnst_const['remote_ip']=="none") {
echo abget_template("abuse_invalid.tpl");
die();
}
}

Palbin · Posted: Wed Nov 26, 2008 12:34 pm

On why it is defined in both mainfile.php and rnconfg.php. I believe it was a security concern. The value set in the rnconfig .php will supersede the setting in mainfile.php

Palbin · Posted: Wed Nov 26, 2008 12:36 pm

After rereading your post I am not sure your using RN 2.3 but the general idea of what I said above should apply.

webservant · Posted: Wed Nov 26, 2008 8:26 pm

I am on RN23 - just upgraded. Perhaps I have remnants of RN2.02.02 that need to be removed. And you are correct, rnconfig.php does override what is in mainfile.php.

Thanks for the response, and the code snippet.

kguske · Site Admin Joined: Jun 04, 2004 Posts: 6044

I think the operator should be AND (&&) instead of || since you only want to test invalid IP address if you're NOT in test mode and NOT bypassing invalid IP address check.

Raven · Posted: Sat Jan 17, 2009 9:42 pm

The original logic was:

Code:

// Invalid ip check
if(isset($bypassNukeSentinelInvalidIPCheck) AND $bypassNukeSentinelInvalidIPCheck) {;}
elseif($nsnst_const['remote_ip']=="none") {
echo abget_template("abuse_invalid.tpl");
die();
}

Then Bob changed it to:

Code:

// Invalid ip check
if($ab_config['test_switch'] != 1) {
if($nsnst_const['remote_ip']=="none") {
echo abget_template("abuse_invalid.tpl");
die();
}
}

Somehow he dropped our test switch. So, to accommodate his new logic and our old logic, I believe we need the following to keep those who do not use RavenNuke(tm) from seeing a Warning/Notice about an uninitialized setting:

Code:

// Invalid ip check
if ($ab_config['test_switch'] == 1) {;} //Site is in TEST Mode so skip the ipCheck
elseif (isset($bypassNukeSentinelInvalidIPCheck) AND $bypassNukeSentinelInvalidIPCheck===true) {;} //Site is NOT in TEST mode but $bypassNukeSentinelInvalidIPCheck is set to TRUE so skip the ipCheck
else { //Site is NOT in TEST Mode and $bypassNukeSentinelInvalidIPCheck is either not set or it is set to FALSE so do the ipCheck
if($nsnst_const['remote_ip']=="none") {
echo abget_template("abuse_invalid.tpl");
die();
}
}

Technically this is faster although we won't even notice it. Using ! (NOT) is always more expensive.

With the new logic, I am intentionally not checking for "$ab_config['test_switch'] == 1" AND "$bypassNukeSentinelInvalidIPCheck" as I don't see any purpose/value in it.