External address getting blocked after a few page views

    #16
    Steve,

    I don't know if you use my Homeseer log Searcher (or Ultralog) but if you search for 'blocked' you get a list of blocked IPs for the day. If you then search for the blocked IP address, for that day you get interesting results. For me, I have found that occasional legitimate guest access can be immediately blocked or as it should work on failed access. They do however all seem to be captured with Whois in my case.
    Jon


      #17
      I've used Jon's WhoIs for a while now. I do not get blocked & failed attempts in the WhoIs log, though the script does pick up attempts where a username was entered, like the Chinese 'admin' probes.

      As I mentioned above, I would like the attempts logged and automatic blocking logged so I can see how bad the problem is from day-to-day.

      Michael


        #18
        Jon00,

        I have looked at UltraLog, and filtered on "Web Server" entries. It's got me even more confused. There are some non-routable IP addresses (192.*.*.*) that have been blocked and re-enabled. My network is on a different non-routable set of addresses (10.10.10.*), so it is actually not possible for these to have attempted access to my HS machine. So I'm pretty sure SOMETHING is wrong, even if it is harmless.

        I haven't looked at all entries, but most of the ones in my router's firewall log are SMTP attempts (up until a couple of months ago I had my own mailserver running). Those are blocked at the router, so don't get to HS. My router log isn't long enough to go back very far, but on first blush I don't see anything over the past few days where any of the IP addresses match. I am confused...

        Steve


          #19
          Originally posted by michael.davis
          I've used Jon's WhoIs for a while now. I do not get blocked & failed attempts in the WhoIs log, though the script does pick up attempts where a username was entered, like the Chinese 'admin' probes.

          As I mentioned above, I would like the attempts logged and automatic blocking logged so I can see how bad the problem is from day-to-day.

          Michael
          I expect I could add that option to Whois. I did update Whois last year to make the search routine faster but never published it. May be worth doing with this new feature?
          Jon


            #20
            Now that I have modified whois to also show blocked IPs, it does look like there is a problem.

            If you look at the screen shot, there are 3 failed attempts and then that IP is blocked. That seems to be working OK.

            We then get someone who has been on my site for about 6 minutes and then suddenly blocked.

            Finally one person who tries twice over a different time period is immediately blocked after gaining legitimate guest access.
            Attached Files
            Jon


              #21
              Jon (and everyone else): It looks like there was nothing in HS Beta 2.3.0.33 (http://board.homeseer.com/showthread.php?t=133803) that would address this. I didn't enter a ticket on the problem. Has anyone?

              I don't actually get many of these on my server, but my brother is getting quite a few (at least, some days). I do my management of his system remotely, and am not looking forward to getting locked out.

              Jon: Are you still seeing some legit users getting booted off your site?

              Steve


                #22
                I have not entered a help-desk ticket on this. So far over a 7 day period, I have had 4 people locked out for no reason. I'm trying to look for a pattern but everything so far just seems to be random.
                Jon
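
One way to hunt for the pattern discussed in posts #18, #20 and #22, as an added example that is not part of the original thread and is not Jon's WhoIs or UltraLog code: it replays access events per IP and marks each block as expected (three recent failures, as in #20), unexplained, or logged against a private address outside the LAN. The event tuple layout, the 10-minute window, the /24 mask and the reset on successful login are assumptions, not HomeSeer's actual log format or behaviour.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                # post #20: three failures, then a block
WINDOW = timedelta(minutes=10)    # assumed look-back window for failures
LAN = ipaddress.ip_network("10.10.10.0/24")   # post #18's LAN; the /24 is assumed
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (timestamp, ip, event); a hypothetical layout,
# not HomeSeer's log format. Addresses and times are made up.
SAMPLE = [
    ("2000-01-01 10:00:00", "203.0.113.7", "login_failed"),
    ("2000-01-01 10:00:05", "203.0.113.7", "login_failed"),
    ("2000-01-01 10:00:10", "203.0.113.7", "login_failed"),
    ("2000-01-01 10:00:11", "203.0.113.7", "blocked"),
    ("2000-01-01 11:00:00", "198.51.100.20", "login_ok"),
    ("2000-01-01 11:06:00", "198.51.100.20", "blocked"),
    ("2000-01-01 12:00:00", "192.0.2.44", "login_ok"),
    ("2000-01-01 12:00:01", "192.0.2.44", "blocked"),
    ("2000-01-01 13:00:00", "192.168.1.50", "blocked"),
]

def classify_blocks(events, lan=LAN):
    """Return [(timestamp, ip, verdict, recent_failures)] for each block."""
    failures = defaultdict(list)
    results = []
    for ts_text, ip, event in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if event == "login_failed":
            failures[ip].append(ts)
        elif event == "login_ok":
            failures[ip].clear()      # assumed: a good login resets the count
        elif event == "blocked":
            addr = ipaddress.ip_address(ip)
            recent = [t for t in failures[ip] if ts - t <= WINDOW]
            if any(addr in net for net in RFC1918) and addr not in lan:
                verdict = "private-address-outside-lan"
            elif len(recent) >= FAIL_THRESHOLD:
                verdict = "expected"
            else:
                verdict = "unexplained"
            results.append((ts_text, ip, verdict, len(recent)))
            failures[ip].clear()
    return results

if __name__ == "__main__":
    for row in classify_blocks(SAMPLE):
        print(*row)
```

Counting the "unexplained" rows per day gives the day-to-day figure asked for in post #17, separate from blocks that followed real failed logins.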
