6.0.3.1 - Broke my webserver

[bp2008]

These internet bot mitigation features are still having growing pains. Even after today's change log for 6.0.3.3 said the requirements will not be enforced for LAN connections anymore, they still are. Even a "localhost" connection gets blocked, and then this fails to get mentioned in the log.

Reverse proxy servers get banned the moment anything sends a request through it that Blue Iris does not like. Even if you configured the X-Forwarded-For header all properly to inform Blue Iris of what the "real" client IP address is. The ban actually has no effect if you have X-Forwarded-For properly configured, but the ban still happens.

I emailed Ken about this already yesterday and again today but he hasn't dealt with it yet.

 

[bp2008]

Im wondering why we are focusing on user agent blocking? This is one of the easiest things to spoof. Seems like a false sense of security. The past 2 updates have had some weird consequences for me. Even on my local lan loading ui3 is extremely slow.

You are absolutely right, it is a false sense of security. Most likely the reason for these specific changes is because too many people opened support tickets asking about all the strange addresses in the Connections list on their exposed BI web servers. The recent changes will reduce that and make people with exposed BI web servers feel safer, while saving them a few kilobytes of bandwidth.

If cybersecurity was the goal with this, it is a very feeble attempt that is doing more harm to the user base than good.

All the scary malicious bots written by moderately competent hackers just pretend to be a popular normal web browser like Chrome to avoid being detected as suspicious. It is absolutely trivial for them to do that. In particular if anybody finds a serious vulnerability in Blue Iris's web server and wants to scan the internet for Blue Iris web servers to exploit, it will be no challenge at all for them to avoid getting banned for using the wrong User-Agent string.

It is not that there's no value in what Blue Iris is doing, but it is almost comically ineffective as a cybersecurity measure. I bet the BI dev doesn't even realize the web server emits a response header "Server: BlueServer/6.0.3.3" which makes Blue Iris extremely fingerprintable and easy to search for as a web server. Point is, I don't think they really know what they are doing when it comes to cybersecurity.

And maybe you should use a VPN for your remote access unless you have a really good reason not to.

 

[Sohee]

I’m using Nginx, and while it was blocked and unusable in version 6.0.3.2, it works perfectly fine behind Nginx in version 6.0.3.3.

 

[Techie007L]

Even on my local lan loading ui3 is extremely slow...
...I fixed my issue if anyone has the same problem. For some reason hundreds if not thousands of entries were in the LIMIT ACCESS BY IP ADDRESS area.
That can be found under Settings / Web Server / Advanced. I cleared them all and its working fine again

What were these? Many copies of the same IP address? Or many seemingly random IP addresses on the Internet?

 

[bp2008]

What were these? Many copies of the same IP address? Or many seemingly random IP addresses on the Internet?

They most likely were all different addresses. That guy is likely just getting an unusually high amount of crawler/bot traffic to his BI web server.

Blue Iris stopped putting these auto-banned addresses into the web server's IP list with version 6.0.3.3 though after they realized how poorly that solution scales to a large number of addresses (possibly they read my email warning about exactly that). 6.0.3.3 does not write new lines to the permanent IP blacklist anymore. I don't know if lines previously added got deleted by the 6.0.3.3 update but I'm guessing they did not.

I'd recommend most people stay on 6.0.2.x for now. This 6.0.3.3 set of updates still has a lot of collateral damage to anyone using third-party integrations or exposing their BI web server to the internet through a reverse proxy server.