Defender shows information disclosure error for txt

I was trying to work on defender tweaks and when I try to work on Preventing information disclosure, it asks me to add rules to Nginx.

  • Predrag Dubajic
    • Support

    Hi Evi,

    We are working on some changes to allow TXT files in uploads folder on our hosting and that change is to come with Defender checks as well.

    At the moment this is a false positive due to the ongoing changes and there’s no security issue on your site because of it.

    Best regards,
    Predrag

  • evi
    • Site Builder, Child of Zeus

    Hi

    It seems there’s more going on with Defender, it’s like it won’t save the action….

    I wanted to block some countries, it says to first download GEO IP database, which I do, and do again and… it does not save, it keeps saying I have to download it…

    the above issue was similar as it said ‘update htaccess’ which I did several times, but it didn’t save it… keeps giving the message…

    regards
    evi

  • Adam
    • Support Gorilla

    Hi evi

    Thanks for response!

    Those would be issues different to the one with Prevent Information Disclosure (.txt files) and not related to them so let’s look at them separately.

    The .htaccess isn’t even used on our hosting which is powered by nginx webserver instead of Apache and nginx doesn’t use .htaccess. It still doesn’t explain why you can’t save your settings and that’s something that shouldn’t be happening. Could you tell me please which exact options don’t save for you that also suggest changing .htaccess? I’d like to check it on your site again and on my test site on our hosting.

    As for the GEO IP, there’s unfortunately a bug that our developers were already made aware of and they are working on a fix to be included in one of the upcoming releases. I apologize for the issue!

    Kind regards,
    Adam

  • evi
    • Site Builder, Child of Zeus

    Hi,

    It’s the same for both issues; see screenshot for the prevent information disclosure thing, where it asks to update htaccess…. when I click it, it doesn’t ‘save’ it just goes back to saying I have to do it. (which was the reason for opening this thread)

    same thing goes for the GEO IP thing, I click the download database, it doesn’t ‘do’ it, just goes back to saying I have to do it…

    that’s why I thought it was related, the Defender reaction is similar both times…

    regards
    evi

  • Predrag Dubajic
    • Support

    Hi Evi,

    Those two options and issues are not related to each other, let me elaborate a bit more below.

    The issue with downloading the logs is a bug in the plugin, it’s currently in development together with a small overhaul of the look of the option and it should be included in the next release.

    As for the security rules, this can’t be applied at the moment, per se, those security rules are predefined on our servers and can’t be changed from Defender itself.
    Until recently they both had the same rules, however, on our servers we changed the rules to allow access to .txt files while Defender still checks if .txt files are protected and due to that it shows the Prevent Information Disclosure as unresolved.
    However, all of the other rules are still in place and Defender will not check for .txt files in the next release, so at the moment it’s just a false positive as I mentioned above, and all the other security rules from Prevent Information Disclosure are already applied.

    I hope this explains it better but if you do have any additional questions do let us know.

    Best regards,
    Predrag

  • evi
    • Site Builder, Child of Zeus

    INFO: when I click download database – it seems to appear – then it briefly says ‘unauthorized’ in red letters on top of the screen – then it all goes away, back to the start saying ‘download’ database

  • Predrag Dubajic
    • Support

    Hi Evi,

    It seems there’s an issue with the dynamic URL so the redirect from Defender is wrong, we reported it to devs already to check it out further.

    In the meantime following these steps should work:
    1. Since you already have a Maxmind account created go to https://www.maxmind.com/en/home, log in and go to My Account:

    2. From there navigate to My Licence Key page:

    3. Generate a new key and while doing that for “License key description” you can type in any text, I used “Standard” for example, and for “Will this key be used for GeoIP Update?” select “No”.

    4. Copy the key, paste it in Defender and that should do the trick.

    Best regards,
    Predrag

  • evi
    • Site Builder, Child of Zeus

    Hi

    Sorry I’m a bit confused now :sweat_smile:

    So I don’t have a Maxmind account yet (sorry for the misunderstanding)
    I’m willing to make one, no prob, but I think it’s a paying service, you can get a free trial with 5 dollars worth of queries, but after you have to pay I think?

    Just asking because I thought country blocking worked free with Defender :s

    regards
    evi

  • Predrag Dubajic
    • Support

    Hi Evi,

    Sorry I missed the registration steps, I assumed that you’ve already done that.

    Did you use the registration link provided in Defender?
    It will link you to this page https://www.maxmind.com/en/geolite2/signup and there you can sign up for a Free account, and this type of account is not a trial one so you can continue using it for no extra charge.

    Once you have that set up and you log in with your account you should be able to follow the steps provided above and get the GeoIP database.

    Let us know how it goes and if you get any issues with doing so.

    Best regards,
    Predrag