How do we enable Jetpack now that xmlrpc is disabled?

I have tried disabling the fail2ban filter that disabled xmlrpc and adding the necessary addresses to ip_whitelist. However, I still receive "An error occurred. Please try again." when I try to enable Jetpack.

security.yml

ferm_input_list:
  - type: dport_accept
    dport: [http, https]
    filename: nginx_accept
  - type: dport_accept
    dport: [ssh]
    saddr: "{{ ip_whitelist }}"
  - type: dport_limit
    dport: [ssh]
    seconds: 300
    hits: 20


# Enable built-in fail2ban services or add your own custom ones
fail2ban_services_custom:
  - name: wordpress_xmlrpc
    filter: wordpress-xmlrpc
    enabled: "false"
    port: http,https
    logpath: "{{ www_root }}/**/logs/access.log"
  - name: wordpress_wp_login
    filter: wordpress-wp-login
    enabled: "false"
    port: http,https
    logpath: "{{ www_root }}/**/logs/access.log"

# If sshd_permit_root_login: false, admin_user must be in 'users' (`group_vars/all/users.yml`) with sudo group
# and in 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
sshd_permit_root_login: true
sshd_password_authentication: false

ip_whitelist:
  - 127.0.0.0/8
  - 52.162.107.35/8
  - 52.162.107.35/32
  - 52.162.107.35
  - app.oliverpos.com
  - 122.248.245.244/32
  - 54.217.201.243/32
  - 54.232.116.4/32
  - 192.0.80.0/20
  - 192.0.96.0/20
  - 192.0.112.0/20
  - 195.234.108.0/22
  - "{{ ipify_public_ip | default('') }}"

Are you using this example from the PR discussion?

Thanks for your quick reply!

Yes, that’s the range I am using in my security.yml

  1. Have you re-provisioned the Trellis server after adding those IPs to the whitelist
    (you probably have)?

  2. List the banned IP addresses. Are there still some from Jetpack (even if whitelisted now)?
    E.g. by using one of these commands: Fail2ban-client show banned IPs – Lazy Developer

I’m not sure what this means, but why not just change this to true?

Ah, forgot to say I had this set in my group_vars file.

Thanks though.

So I ended up destroying the DO Droplet and provisioning from scratch just in case. Sadly, I still have the same error.

Thanks though.

Is this an XMLRPC issue or something else? Have you confirmed that XMLRPC is enabled? What are the results of this?

curl -I http://example.com/wp/xmlrpc.php

Ah, I am getting a 301!

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 13 Apr 2023 21:10:20 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://next.gooseashby.com/wp/xmlrpc.php

Try running curl with the -L flag to follow the redirect.

Oh good call!
Any ideas?

Thanks

HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 14 Apr 2023 14:12:50 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://next.gooseashby.com/wp/xmlrpc.php

HTTP/2 405
server: nginx
date: Fri, 14 Apr 2023 14:12:50 GMT
content-type: text/plain;charset=UTF-8
allow: POST
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-security-policy: frame-ancestors 'self'
x-frame-options: SAMEORIGIN

A 405 error means that XMLRPC is enabled.

I’m not a Jetpack user so I’m not sure why you’re unable to activate Jetpack

:thinking: The test requests are not made from a Jetpack IP address though. Can you see connection attempts from Jetpack in the server logs? Have you checked fail2ban for banned IP addresses?

Just a thought, and apologies if this is obvious, but fail2ban just interacts with iptables, so disabling a fail2ban filter, or even fail2ban entirely will not unblock or allow any banned addresses, as they still exist in the iptables chain.

iptables -L will give you a direct view of the system firewall.

To manage fail2ban jails (the correct approach, rather than just modifying the iptables chain), you can use:

fail2ban-client status → Show all fail2ban jails and summary
fail2ban-client banned → Show all bans
fail2ban-client set <JAIL NAME> unbanip <IP ADDRESS> → Unban the IP in specific jail

I suspect you still have iptables rules set up.

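An added example, not code from this thread or from Trellis: it cross-checks a list of banned addresses against the ip_whitelist posted above and flags whitelist entries that are not plain IP/CIDR literals or that cover far more than one host. The BANNED list is constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Entries copied from the ip_whitelist posted in this thread (Jinja entry omitted).
WHITELIST = [
    "127.0.0.0/8", "52.162.107.35/8", "52.162.107.35/32", "52.162.107.35",
    "app.oliverpos.com", "122.248.245.244/32", "54.217.201.243/32",
    "54.232.116.4/32", "192.0.80.0/20", "192.0.96.0/20", "192.0.112.0/20",
    "195.234.108.0/22",
]
# Constructed sample of banned addresses (stand-in for `fail2ban-client banned` output).
BANNED = ["192.0.84.17", "203.0.113.7", "195.234.111.200"]


def audit_whitelist(entries):
    """Return (networks, warnings) for a list of whitelist entries."""
    networks, warnings = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            try:
                # Host bits set: mask them off the way a netmask would.
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                warnings.append(f"{entry}: not an IP or CIDR literal")
                continue
            warnings.append(f"{entry}: host bits set, masks to {net} "
                            f"({net.num_addresses} addresses)")
        networks.append(net)
    return networks, warnings


def still_banned(banned, networks):
    """Map each banned IP inside a whitelisted network to that network."""
    hits = {}
    for ip in banned:
        addr = ipaddress.ip_address(ip)
        match = [n for n in networks if addr.version == n.version and addr in n]
        if match:
            # Report the most specific (longest prefix) covering network.
            hits[ip] = str(max(match, key=lambda n: n.prefixlen))
    return hits


if __name__ == "__main__":
    nets, warns = audit_whitelist(WHITELIST)
    print("\n".join(warns))
    for ip, net in still_banned(BANNED, nets).items():
        print(f"{ip} is whitelisted via {net} but appears in the ban list")
```

On a real server, replace BANNED with the addresses reported by `fail2ban-client banned`.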

I think I had the same issue a while ago: Unable to insert blog. | WordPress.org
I don’t think they support custom WordPress directories like Bedrock has…

There’s definitely folks using both Bedrock and Trellis with Jetpack
