CONNECTION TIMING OUT

[Michael Harshbarger]

When users try to create their own account or when admins try to create it for them and when users try to post to the forums we are getting a connection timeout. Contacted my server and they sent me this info:

Quote

 

In checking I found that there was a 10 minute temporary ban on connections from your IP at the time you wrote in:

Wed Nov 1 23:07:01 EDT 2017 /var/ossec/active-response/bin/host-deny.sh add - 24.248.14.55 1509592021.30535002 31533
Wed Nov 1 23:17:04 EDT 2017 /var/ossec/active-response/bin/host-deny.sh delete - 24.248.14.55 1509592021.30535002 31533

The temporary ban was dropped automatically 5 minutes later. The ban by the server's security software was triggered by too many POSTs within a short period of time. For some reason the following script was POSTed two 8 times in less than 20 seconds, including 6 POSTs over a 2-3 second period:

24.248.14.55 - - [01/Nov/2017:23:06:59 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 60
24.248.14.55 - - [01/Nov/2017:23:06:59 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [01/Nov/2017:23:06:58 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [01/Nov/2017:23:06:58 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [01/Nov/2017:23:06:57 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [01/Nov/2017:23:06:57 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [01/Nov/2017:23:06:54 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [01/Nov/2017:23:06:41 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59

 

AND

 

Quote

 

It looks like another temporary block was created because of POST requests:

24.248.14.55 - - [02/Nov/2017:22:26:54 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [02/Nov/2017:22:26:54 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [02/Nov/2017:22:26:55 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [02/Nov/2017:22:26:55 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [02/Nov/2017:22:26:55 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59
24.248.14.55 - - [02/Nov/2017:22:26:56 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59

The block has been removed however because of the amount of POST requests in such a brief period of time, you may want to check for possible script setting misconfiguration as Don suggested.

If you have any additional questions please let me know.

 

 

I know its the same information. They have since whitelisted my IP but I still cannot get to my site. Once I can get in, what should I look for?

 

 

[Numbered]

This problem source - many ajax requests per every symbol, entering to password fiels. On every keypress IPS send current data to server for get answer about password strengh and fast show this meter to user. If your server configuration should be as current (limit connections speed) - then you can just disable this meter in ACP -> Overview -> Security -> Security Settings. Switch 'Show password strength meter' to 'off'

[Optic14]

Your server security software OSSEC is triggering a false positive for the password strength meter on the member registration form.

You need to whitelist it so OSSEC will allow it to work.

This is something your host or server administrator really needs to fix...