VBulletin Is Triggering Mod_security Rule And Banning People

Jun 23, 2008

I installed mod_security and the 403security rules on my VPS (Centos 4.1, Release version of WHM).

Several vBulletin files, including the ajax quick editor and some vbulletin.org add-ons are triggering this rule and banning members' IPs in CSF:

# Restrict which content encodings we accept.
#
# TODO Most applications support only two encodings for request bodies
# because that is all browsers know how to produce. If you are using
# automated tools to talk to the application you may be using other
# content types and would want to change the list of supported encodings.
#
# Note though that ModSecurity parses only three content encodings:
# application/x-www-form-urlencoded, multipart/form-data request and
# text/xml. The protection provided for any other type of encoding is
# inferior.
#
# TODO There are many applications that are not using multipart/form-data
# encoding (typically only used for file uploads). This content type
# can be disabled if not used.
#
# NOTE We allow any content type to be specified with GET or HEAD
# because some tools incorrectly supply content type information
# even when the body is not present. There is a rule further in
# the file to prevent GET and HEAD requests to have bodies so we're
# safe in that respect.
#
# NOTE Use of WebDAV requires "text/xml" content type.
#
# NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports
# applications running on the PocketPC and AvantGo platforms use
# non-standard content types:
#
# M-Business iAnywhere application/x-mal-client-data
# UltraLite iAnywhere application/octet-stream
#
SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" \
    "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'"
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)"

I don't know how to decipher this rule to know if just removing it is ok, or if it is serving an important purpose. During a couple hour period it was enabled, that rule only seemed to trigger false alarms.

The above was triggered with calls such as [uri "/forums/ajax.php?do=usersearch"] and [uri "/forums/newreply.php?do=postreply&t=11057"]

What I really don't understand is that I have an .htaccess in place to turn off mod_security for the /forums directory:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

I have also had this rule triggered today when someone tried to access : ...


Plesk 12.x / Linux :: Triggering Outgoing Emails Limit

Oct 21, 2014

I have a Plesk 12 panel with the outgoing email limit configured to 10 messages per hour.

I have a redirect account (an account named, for example, A, without a mailbox, forwarding to another two internal accounts, B and C). I don't know if these accounts are in use for outgoing email, but I think not.

The problem is, these accounts are triggering the outgoing limit every day at some hours. What's going on? Maybe the forwarding action is counting as outgoing emails?

I need some method to check the accounts when they trigger the limit, to view which messages they are trying to send (at least the headers, because I don't understand which messages are triggering the limit). Also, if the problem is the forwarding, I need a method to not count these messages as outgoing ones, because as I understand it, if forwarding is triggered by an automated action / internal redirect / received message, these messages are not outgoing ones.

Banning SSH Abusers

Nov 15, 2007

About a week ago I got logs from the server that looked like this:

unknown (200.87.116.210): 5112 Time(s)
unknown (65.111.177.212): 5005 Time(s)
unknown (bastion.fmg-kopernik.ru): 662 Time(s)
root (bastion.fmg-kopernik.ru): 657 Time(s)

I then turned on the brute force protection cPanel provides, and it went down considerably from there. I'm not concerned at all about it (since the passwords are strong), but I would like to know the best way to determine abusive users (of SSH), and the best way to ban them.

Assuming the server does not have APF installed, or any particular control panel...

Server Banning Itself

Dec 20, 2007

Getting these emails, several a day, telling me that the server is banning its own allocated IP addresses. Can someone explain what on earth it could possibly be doing to ban its own IPs?

To: root@server.domain.com.br
Subject: IP addresses banned on Thu Dec 20 15:13:39 BRST 2007
Message-Id: <E1J5OyA-0004us-63@server.domain.com.br>
From: root <root@server.domain.com.br>
Date: Thu, 20 Dec 2007 15:13:39 -0200
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.domain.com.br
X-AntiAbuse: Original Domain - server.domain.com.br
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - server.domain.com.br

Banned the following ip addresses on Thu Dec 20 15:13:38 BRST 2007

xxx.xxx64.138 with 151 connections

I have CentOS 4 / cPanel installed with APF / BFD, yet the deny hosts rules for APF do not show the server IPs listed as banned.

Apf Firewall Banning Range

Mar 8, 2007

I need to ban an IP range, and I inserted, say, IP 12.44.0.0 in the deny_hosts rules. This should ban the range from 12.44, but strangely people from that range are still able to access my site. Any idea what went wrong?

Banning Yahoo Slurp IPs

Jul 6, 2008

How can I ban Yahoo! Slurp and its IPs using .htaccess?

Iptables And Banning Ip Addresses

Jan 19, 2007

I'd want to ban some IP addresses and I tried to use iptables. But it doesn't work so far.

what i did is:
root/sbin/ iptables -A INPUT -p tcp -s 193.93.236.0/22 -d any/0 -m state --state NEW -j DROP

As seen, I tried to ban an IP range from my box (because of spam). But it looks like that doesn't work.

What I want to do is to prevent WP spammers from posting their disgraceful links to my database.

I am using CentOS.

Bash Script - IP Banning With Iptables

Apr 28, 2009

My VPS provider didn't enable a lot of modules and that's why I can use a firewall (csf or apf) and dos deflate script.

I need a simple script for it.

First, it has to call this:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
then there will be something like:
Number : IP address
20 1.2.3.4
40 1.2.3.5
80 1.2.3.6
and then the bash script has to ban IPs with more than 30 connections (in our case: 1.2.3.5 and 1.2.3.6) with this:
iptables -A INPUT -s IP_FOR_BLOCK -j DROP

Banning A Whole Country IP Range From My Website

Oct 28, 2008

I want to stop users from country X from accessing my website. I know I can ban people's IPs, but I don't know if it is possible to ban a certain geographical area, and if so, I haven't got a clue about how to do it.

Range Banning With IPSec On Windows Server

Oct 9, 2006

Does anyone know how to range ban IPs using IPsec?

I can enter IPs manually but am unable to ban an entire RANGE of IPs

i.e. For example 172.10.10.10 - 172.1.1.999

Anyone know?

Listing/banning Ipv6 Addresses From Netstat Output

Jan 19, 2008

I've been happily banning IPs using the output from

netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1

for over a year now, with iptables. However, recently, after upgrading to Apache 2.2, the connections in netstat get listed as IPv6. A row can look like this, for example:

tcp6 0 0 ::ffff:12.123.123.123:80 ::ffff:12.123.12.:12382 ESTABLISHED-

(actual ip addresses changed)

As you can see, the remote IP address isn't complete, it's cut off, so the script used to sum up connections and insert into iptables isn't doing anything.

How Many People Use VMWare?

Mar 27, 2009

I'm not sure how many people here use VMWare, but I'll give this question a shot... I'm looking for a solution similar to Winrar that can view the contents of the .vmdk file. Either to extract any files, or just view the contents without having to have the virtual machine online. I checked Google as well as VMWare's forums/website to no avail.

Best USA DC For People From Europe

Jan 24, 2008

Can anyone give a suggestion on choosing a DC that needs to have good connection and shortest route to Europe?

Which ASP Components Do People Ask For

Dec 4, 2007

Which ASP components do developers ask for on a regular basis?

How People Can Register To My Website?

Dec 25, 2008

How can people register on my website?

Anyone know how people can register on my site and become a member, etc.? I already have the forms and stuff set up on the template. Take a look: psfree.co.cc

Max 240 People Online At The Same Time

Jan 15, 2007

I have a dedicated server with a Swedish hosting company. We have a network/community website that can have about 300 people online at the same time. But as soon as it gets to 240-280, people get logged out (sessions are closed). The website becomes extremely slow.

What can we do to have at least 2000 people online at the same time without any session being killed?

Do we have to upgrade the memory from 1 GB > 2 GB? Or do we need 10>100 Mb port? Unmetered server?

Other People Using Cname Records To My Site

May 30, 2009

We have Livezilla tracking on our site, and saw some suspicious activity this afternoon from the Netherlands, about 5 connections from the same IP address, they now appear to have put in a cname record/copied our site for http://wiiee.nl/design.html to our site. Does anyone know what they're doing/trying to do?

How Do People Reserve So Many Domain Names

Oct 5, 2009

So I've just been browsing around and I've checked out a couple of people's portfolios. Some of you guys have 100s of domain names registered under you, waiting for someone to buy them.

So that's my question, how can you have so many domains registered? Isn't that very expensive?

Do People DDOS Servers For No Reason

Jul 31, 2008

I'm having my first DDOS attack. Do people DDOS servers for no reason? Because they are attacking an IP on a server that has not had any sites or any use on it for 4 years.

How To Prevent People From Leeching My Bandwidth

Feb 8, 2008

There are download links I've provided. I am afraid people might just directly link to them and steal my bandwidth.

How do I prevent it?

Starting Known Blacklist Thread Hopefully People Can Keep It Going

Dec 16, 2008

As of 12-15-08 our spam system has learned and blocked these addresses. Check the attachment for your records. Help stop spam at the source.

Server Change, People Have Errors

May 17, 2007

So we just switched servers, but some people are reporting that they can either not access the site, or are not being displayed the newest content. What is causing this?

20% Of People Unable To Connect To My Site

Sep 25, 2007

I just switched to a new server last month and I'm having a problem where a lot of my members and even some of my mods are unable to connect to my website. They are just getting a page cannot be displayed error. The website is ftascene(dot)com. Is everyone here able to connect to the site, and any idea why not everyone would be able to connect?


Hey Everyone For Some Reason People Can't Access My Forum.

Jul 8, 2007

Well, I made a PhpBB2 forum and I'm hosting it on my PC using wamp and no-ip, but when my friend tries to access it he gets this.

You don't have permission to access / on this server.

I have port forwarded port 80 and everything else I could think of.

NYNOC - Perverse People Or Industry Standard

Aug 7, 2008

I recently moved a client of mine to a dedicated server with a hosting company called the NYNOC. After losing a few weeks of data for my client in the incident described below, I am wondering if what happened was industry standard, or this was a case of choosing the wrong hosting company.

After signing up and paying the initial hosting charge, I received two notices - one on 18 July, and the second on 26th July - for a bill that was due 25th July.

On 2nd August I get a complaint from my client saying the website is down. I figured the hosting company had cut me off for a late bill. Fine, I figure I go and pay the bill and the reconnection charge and they put me back on.

After waiting 8 hours to get a support person (they don't have 24 hours customer service), I was told that I no longer had an account with them! No client log in. No server. Nothing. The disk was wiped clean and the server was sold to another customer. Without any warning that this would happen.

So my client lost a few weeks of customer data and I lost my credibility.

I was just wondering if this is standard practice in the dedicated hosting industry, or these guys are just bad news.

One more thing. When you talk to these people (they have only one customer support person) it's almost as if they really really dislike their customers. As in, they talk down to you even as they exhibit complete disregard for your interests. This I know is not an industry standard. I have several accounts at Hurricane Electric, and they are tops. Unfortunately they do not offer well priced dedicated hosting.

I think I will try Interserver next. I spoke with one of the support guys on AOL late at night, and they seem good, and more importantly, are able to have a pleasant conversation with their customers.

How To Prevent People Upload Unwanted .php File

Oct 22, 2007

I have a 777 chmod folder open. It needed to be writable so that legitimate users can upload their picture. However, I do not want people to upload .php or .php.pjepg etc. to the server.

There are times that they do not use the form in my site to upload the php file. How can they do that? Via perl command? And how to prevent such a thing from happening?

Rescue O People, Experts My Database Hacked

Jun 10, 2007

Somebody learned the database password of my forum (I do not know how), then entered and modified the forum style templates and added iframe code. Among the actions of its currency, although that problem still:

Initially I found a phpshell uploaded on my site and I deleted it, and I realized that there is no other phpshell.

1- I have changed the database password and FTP password.

2 - I coded the config file using Zend.

3- I set chmod 751 for directories and 644 for files.

I did all these actions; however, I am still hacked on a daily basis.

How do these hackers get into my server?

How do I close this issue?

Which log files would show all the details of who entered the database?

How To Stop People Using Php Script To Send Spam

Nov 11, 2008

Any idea? Or any program can prevent it?

(CentOS 5.2 Linux running on servers)

DNS Migration: People Still Accessing The Old Server After 4 Days

Apr 3, 2007

I migrated my server on Friday, and I changed the IP address of my DNS. There are still a few customers accessing the old server. What can I do? Is it possible to flush some persistent DNS cache somewhere?

Copyrights 2005-15 www.BigResource.com, All rights reserved