Michael Harshbarger Posted November 3, 2017 Share Posted November 3, 2017 When users try to create their own account or when admins try to create it for them and when users try to post to the forums we are getting a connection timeout. Contacted my server and they sent me this info: Quote In checking I found that there was a 10 minute temporary ban on connections from your IP at the time you wrote in: Wed Nov 1 23:07:01 EDT 2017 /var/ossec/active-response/bin/host-deny.sh add - 24.248.14.55 1509592021.30535002 31533 Wed Nov 1 23:17:04 EDT 2017 /var/ossec/active-response/bin/host-deny.sh delete - 24.248.14.55 1509592021.30535002 31533 The temporary ban was dropped automatically 5 minutes later. The ban by the server's security software was triggered by too many POSTs within a short period of time. For some reason the following script was POSTed two 8 times in less than 20 seconds, including 6 POSTs over a 2-3 second period: 24.248.14.55 - - [01/Nov/2017:23:06:59 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 60 24.248.14.55 - - [01/Nov/2017:23:06:59 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [01/Nov/2017:23:06:58 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [01/Nov/2017:23:06:58 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [01/Nov/2017:23:06:57 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [01/Nov/2017:23:06:57 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [01/Nov/2017:23:06:54 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [01/Nov/2017:23:06:41 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 AND Quote It looks like another temporary block was created because of POST requests: 24.248.14.55 - - [02/Nov/2017:22:26:54 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [02/Nov/2017:22:26:54 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [02/Nov/2017:22:26:55 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [02/Nov/2017:22:26:55 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [02/Nov/2017:22:26:55 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 24.248.14.55 - - [02/Nov/2017:22:26:56 -0400] "POST /forums/?app=core&module=system&controller=ajax&do=passwordStrength HTTP/1.1" 200 59 The block has been removed however because of the amount of POST requests in such a brief period of time, you may want to check for possible script setting misconfiguration as Don suggested. If you have any additional questions please let me know. I know its the same information. They have since whitelisted my IP but I still cannot get to my site. Once I can get in, what should I look for? Link to comment Share on other sites More sharing options...
Numbered Posted November 3, 2017 Share Posted November 3, 2017 This problem source - many ajax requests per every symbol, entering to password fiels. On every keypress IPS send current data to server for get answer about password strengh and fast show this meter to user. If your server configuration should be as current (limit connections speed) - then you can just disable this meter in ACP -> Overview -> Security -> Security Settings. Switch 'Show password strength meter' to 'off' Link to comment Share on other sites More sharing options...
Optic14 Posted November 3, 2017 Share Posted November 3, 2017 Your server security software OSSEC is triggering a false positive for the password strength meter on the member registration form. You need to whitelist it so OSSEC will allow it to work. This is something your host or server administrator really needs to fix... Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.