1 IP temp block after php posts 300 seconds where to look for

ikkeben

CentOS 7
PHP FPM 5.7 latest
MariaDB 10 latest
Suhosin latest
CSF latest
Custombuild 2 with DAscript from SM-TALK

Letsencrypt SSL https
Apache 2.4 latest and also http2

Here, with an application's PHP posts, the Internet service provider's IP to the DirectAdmin user IP is temp blocked for about 300 seconds while posting PHP (as far as I have found out).
We can, though, reach these DirectAdmin user websites from another Internet service provider's IP, and after resetting the router also from the PCs that were blocked from these websites on that server IP.

(Ping is working fine)

Didn't find an error message or temp-blocked IP in the log files so far.
Reproducible: yes, when more posts have to be done in that PHP application, it seems this temporary block then occurs.

Other sites on that DirectAdmin server and the server itself are reachable from those PCs; only the sites on the IP / DirectAdmin user that is temp blocked are not.

Which error settings / log settings / files do I have to look at or change?

Another, older DA server without Suhosin, with MySQL, Apache 2.0 and PHP 5.3, but with the same PHP program, locations (Internet service provider and hosting company), application and settings, didn't have these problems.

In the access / error logs of those sites there are no errors, only POSTs and GETs that went well.

This program makes use of the Zend Scripting Language Engine:
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with the ionCube PHP Loader (enabled) + Intrusion Protection from ioncube24.com (unconfigured) v6.0.6, Copyright (c) 2002-2016, by ionCube Ltd.
with Zend Guard Loader v3.3, Copyright (c) 1998-2014, by Zend Technologies
with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2015, by Zend Technologies
with Suhosin v0.9.38, Copyright (c) 2007-2015, by SektionEins GmbH

ALSO:
htscanner support enabled
 
If other websites on the same server can be reached from the same IP, I can actually exclude CSF.

You may need to check logs in /var/log/httpd/domain/yourdomain.tld.error.log
It may be ModSecurity.

It also may be an internal plugin in the website if that's not a ModSecurity action (if it is, you may see related errors in the log).

Best regards
 
YEP IT ISN'T CSF ;) (though the server was reachable, I placed the IP in allow and ignore; that of course made no difference)

A plugin I don't think so, since the same was working on the other, older server; both have no ModSecurity. And there is nothing in the error log about this or about the time the connection is/was blocked (the access log only shows the posts and so on going well, then nothing more from that connection after a short while (minutes, I think)).
This newer server has in addition: Suhosin, newer PHP and MariaDB, https/http2 and OPcache, and the newer Apache 2.4 instead of 2.0.

I also tried the user.ini settings for max post and so on; it seems to make no difference. The application doesn't make that many (PHP database) posts, but it seems that when there are a few more, the temp block is set somewhere.
 
Try to disable Suhosin, then.

best regards

I have made some settings for that; which is then the easiest way to disable it but keep the settings saved? With disable/enable in the GUI (MB Martynas IT) I think the settings are gone?

Also, we can only test at moments when we use the application and think it is too much... and I have time for this.


How can I see which Suhosin settings are responsible for this temp lockout? On an older server before, I remember there was a log file with messages pointing to Suhosin... when?
 
Configurations for PHP and its modules can be found here: /usr/local/lib/php.conf.d/

Just as a matter of curiosity, where do you see that the IP is blocked for 300 secs?

Best regards
 
Thanks,
We don't see 300 secs, but the lockout seems to last about that long, about 5 minutes; after that, these domains on that IP are reachable again from these PCs.

As far as I know, rounded numbers make sense; I don't think it is 180 or 240 secs, but it could be if some time delay in the connection and our refreshes occurs.
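
To measure the lockout window estimated above (about 5 minutes) instead of guessing it, a site's access log can be scanned for per-client silences that follow a burst of POSTs. This is an added example, not code from the thread or from any poster's setup; the log lines, client IPs and the /connector.php path are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample lines in Apache combined-log style (not from the thread).
# The client IPs and /connector.php are placeholders.
SAMPLE_LOG = [
    f'203.0.113.7 - - [17/Nov/2016:10:00:{s:02d} +0100] '
    '"POST /connector.php HTTP/1.1" 200 512'
    for s in (1, 4, 8, 12, 16, 20)
] + [
    '203.0.113.7 - - [17/Nov/2016:10:05:25 +0100] "GET / HTTP/1.1" 200 1024',
    '198.51.100.9 - - [17/Nov/2016:10:01:00 +0100] "GET / HTTP/1.1" 200 1024',
    '198.51.100.9 - - [17/Nov/2016:10:02:30 +0100] "GET / HTTP/1.1" 200 1024',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) [^"]*" (\d{3})')


def parse(lines):
    """Yield (ip, timestamp, method, status) for every parseable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, int(status)


def find_lockouts(lines, min_gap=120, burst_window=60):
    """Per client IP, report silences of at least min_gap seconds and how
    many POSTs arrived in the burst_window seconds before the silence."""
    by_ip = {}
    for ip, ts, method, _status in parse(lines):
        by_ip.setdefault(ip, []).append((ts, method))
    findings = []
    for ip, hits in by_ip.items():
        hits.sort()
        for (prev_ts, _), (cur_ts, _) in zip(hits, hits[1:]):
            gap = (cur_ts - prev_ts).total_seconds()
            if gap < min_gap:
                continue
            posts = sum(1 for ts, m in hits if m == "POST"
                        and 0 <= (prev_ts - ts).total_seconds() <= burst_window)
            findings.append({"ip": ip, "silent_from": prev_ts,
                             "gap_seconds": int(gap), "posts_before": posts})
    return findings


if __name__ == "__main__":
    for f in find_lockouts(SAMPLE_LOG):
        print(f)
```

A request rejected by Apache or ModSecurity still produces an access-log line (typically with a 403 status), so a complete silence like this points to something in front of the web server: a firewall, the network, or the client itself.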
 
The BFM/CSF Integration written by Zeiter can tempblock a single port, so that would explain it... but it would block all the websites, not just one.

Can you check if your IP or Subnet is in the .htaccess file of the website while you're blocked?

Best regards
 
All websites on only that IP are blocked.

The .htaccess files of those domains themselves have, in the directory/folder (where the application for sync is), an allow for this IP subnet.
 
Ah, so it is CSF!

If all websites get blocked but not SSH/mail access, it is BFM asking CSF to block an IP.

The BFM/CSF Integration written by Alex has a function to tempban an IP for a predefined time just on a specific port.

So, now that makes sense! Check your BFM for information related to your IP.

Best regards
 
Sorry for misunderstanding

Yes, the websites / (SERVERUSERname) on that IP are blocked, but other websites on the same server on another IP of that server are reachable from the same Internet provider IP / PC here.

In BFM CSF I didn't find these IPs for the lockouts; also, I did put the IP on allow and ignore in CSF, which made no difference. If it were CSF BFM, this should?????

The port during the lockout is 443 (https); I didn't try 80.

Mail we can't check, because the mail server/domains are all set to the hostname for mail settings and smtp/pop/imap with that hostname's server IP, which is different, so it isn't locked out ;)

Is it possible that, besides Suhosin, something in the PHP-FPM user pool settings is doing such things?
 
When that happens, you may want to check the temp IP entries in CSF; those IPs should be there.

"In BFM CSF I didn't find these IPs for the lockouts; also, I did put the IP on allow and ignore in CSF, which made no difference"

I'm not sure what you mean by BFM CSF; those are two different applications with two different places to look for the IPs.

Are you sure the IP is whitelisted? Is it present in the file /etc/csf/csf.allow? Has CSF been restarted? csf -r
Is CSF up2date? csf -u

Best regards
 
Yep, 2 different, I know.

Also the whitelist I checked before.

At this moment the problem was there.
New info:

The PC (this one now, but 2 others have the same problem, not totally random but with the sync when there is more to post), after this connection lockout, could reach other websites on the same server on another IP of that server; also, a ping to the normal port of the website with the blocked connection was possible without errors.
The port for that website, so for browser and application, is https, though: 443.

Strange: another PC could also reach that website on that address with the same internet connection.

So we have to look again at the differences before and after:
New but same router, replaced with config restored from backup.
Windows 10 Pro updates.
Some anti-ransomware software.
Https / http2
PHP, MariaDB updates and some more on the DA server

Therefore it could also be something with local security and/or SSL sessions / cookies, whatever, hmm?

It is hard to test since it is a production system! (and since the problem only shows in a short time window, max 5 minutes of no connection, with no errors found in the log)
 
Mmmmmh, ok, so maybe the computer has a firewall/antispyware/browser plugin that blocks the site?
Sounds quite strange, but everything is possible :D Try with Incognito mode if possible and also try to start a browser without add-ons

Best regards
 
Hmm, browsers are different; the application is a .NET MS SQL client-server program, with sync to webshops on the DA server's MariaDB via a PHP connector.

The browser I checked in my last reply was the latest FF; as far as I know, the .NET application uses the "IE" settings.

So browser plugins, I don't think so.
Something router-based (or the hoster, I am not aware of this), or the Internet provider in combination with the router, could be it too, I think (the filter part of the router is not accessible to us); something on the MAC address of this PC could also be possible.

The problem here is that I must have time when this error shows, in only a short time window. Hmm :(

I will try, if there is time, another Internet provider and router too, of course.

In the Windows 10 firewall, the application and DA server IP were set by me for testing; that didn't solve it.

It happens on more than one computer! (but if so, then only on 1)

Is there some DNS / NS security on MAC ADDRESS ?<>port part possible?
 
I don't think so.. it's very strange, it may also be the .NET application itself that fails somehow, or when that stops, every browser stops serving that domain?

Best regards
 
Hmm, the application hasn't changed or been updated; before, it worked OK.

But still, it could be in combination with an update from Microsoft; I didn't find more of these same problems in their support forum.
 
Well, if the application hasn't changed and neither has the server, I presume it is the weather :D (And ofc by weather I mean Microsoft :P)

Anyway, have you tried checking the Windows logs and application logs (if it has any)? What application is that anyway, if I can ask? :)

Best regards
 
Ye

A German invoice and stock (control) program for products with a connector to webshop(s); it is only in German.

Try the debug but that is somewhat hanging.

I will try more when there is time to change / exchange; anyway, the problem is updates for everything, so the webshops and this "WAWI" (Warenwirtschaft) program. (Newer versions have been out for a while, with a lot of bugs/trouble.)
So updating or something else is a choice almost the same as to vote between Trump and Hillary was. ;)

Of course I will post here when I have found it.

OK, if the main problem is Windows, sorry, this is the DA forum. ;)
(in Windows and MS SQL and IE this could be caused by version conflicts, .NET Framework and so on)
Looks like losing the session / connection, then probably a kind of security with websites and browser.
I didn't look very closely there because I thought nothing had changed there and it was working before. :(

Windows LOG FILE; whether this is the cause I don't know: the "APPCRASH" error "exception: 0x40000015":


OK, I will come back if it is a DA error; if not, sorry for taking your time and bothering the forum user support with this.

Update 17-11-2016, for when other people having the same kind of problems read this forum!:
Another router, another Internet service provider, more speed: it seems to work now, but the testing time is too short to be sure, so for info only.


(In testing, in the old situation (router and Internet service provider), the application crashed (Windows 10 Pro, sync with a PHP script from the MS SQL Server DB to the MariaDB on the DA server, also over https), and the websites (also https) on that IP were not reachable with different browsers on only that one crashing PC for about 5 minutes; only that 1 PC was locked out (more PCs crashed with the same connection when this script was running there; only when there was little to do were there no crashes).
Resetting the Internet connection so the PC got another Internet IP, the websites were reachable, but the application still crashed and after that the websites were of course again not reachable; in the firewall, client and server side, everything was allowed.)
 