d.a.n Posted November 9, 2005

Some fixed IP addresses on different computers, different cities, and different ISPs are getting blocked trying to access: http://void.poliwatch.org/ and http://www.poliwatch.org/void/

However, dial-up always works, because it acquires a new IP address upon each dial-up. Is it possible the Name Servers are pointing to the wrong place?

The problem came on gradually. In the beginning, the web-page could be reached from different places (different cities). Then, gradually, one-by-one, each stopped working (page not found error). But, dial-up works and if DHCP is turned ON, and the IP Address is renewed, the new IP Address will work for a while. It's like something is monitoring and saving IP addresses of sites viewing http://void.poliwatch.org/ and then blocking that IP address.

It seems it must be something on a TCH host server, or something in the Webpage that's filtering and blocking. The Webpage has been checked and rechecked, and nothing was found. The page uses Movable Type 3.2, and it can block IP addresses, but the list is empty. If it's not the web-page, it seems it must be something on the TCH server.

Has anyone seen a similar problem?
TCH-Andy Posted November 9, 2005

Hi d.a.n,

Welcome to the forums.

The best thing to do is to open a ticket at the help desk (link at top of page) and give us a list of some of the IP addresses being "blocked" and we will take a look.
Head Guru Posted November 9, 2005

List some of the IPs that are blocked and I will check our firewall for them. If the firewall blocked them it will be easy to tell.

Bill
Head Guru Posted November 9, 2005

Your IP addresses have been firewalled by our firewall for excessive brute force login attempts. I have removed the IP addresses from the firewall. Please do not attempt this again as it could result in suspension of services.
d.a.n (Author) Posted November 11, 2005

Welcome to the forums, d.a.n!

Thank you. The problem was resolved. The IP addresses were blocked, but have since been unblocked. I was having trouble due to the wrong username and password. I was not aware for days that my IP addresses and others at friends and associate sites had been permanently blocked, until requesting TCH check them. They unblocked them.

However, some of our users may have accidentally made the same mistake I did, and attempted to login more than three times (that's the limit?). I will warn all of our users to be extremely careful, and stop trying if it doesn't work the first or second time, since the TCH policy seems to be to permanently block IP addresses after so many failed attempts to login.

A recommendation to consider would be to only temporarily block IP addresses for failed FTP attempts (i.e. for 30 minutes, an hour, etc.). Also, it would be nice if an FTP account is blocked, that a message was displayed that their IP address had been blocked.

And, in addition, does it make sense to block all protocols? Once the IP address is blocked for failed FTP attempts on ports 20 and 21, does it make sense to also block HTTP ports? Because, the location can't even view their own web-page anymore.

Otherwise, the problem is compounded further and leads to more failed attempts, because they go to the provider of the FTP account, ask to confirm the username and password, then perform more retries. The administrator of the account tries it and says it works for him, and he doesn't understand what the user's problem is either. Everyone is stumped. Little did they know, the user with the fixed IP address would never get logged in, no matter how many times the administrator changed their username and password.

Fortunately, for me, I was able to deduce that TCH was blocking the IP address. Therefore, I temporarily used dial-up (very slow) to access our web-site.
Then, I politely requested that it be unblocked. And this is the response I got:

_________________________________________________________________
Fixed IP Addresses being blocked

A TotalChoice Staff Member has replied to your Help Desk Ticket with the following:

I have unblocked the IP's. Further abuse of our network may result in the suspension of your account. Repeated failed logins are resulting in your IP being blocked.

Warmest Regards,
Bill Kish
General Manager
TotalChoice Hosting, L.L.C
___________________________________________________________________

How about that? So, I'm a network abuser and threatened to have my account suspended? What account? I'm not even the owner of the account, and said so in the very first correspondence above. But, in all fairness, at least he conveyed the accusation and threat with the "Warmest Regards".

NOTE: We were not trying to abuse the network. More than one person made the same mistake. It's a very common mistake. Also, the odd thing was, that the IP blocking didn't occur until later.

But, when people can't get logged in, they naturally retry. They think they mistyped something, so they type it in again. Still, no luck. So, they think, well, let's try it in uppercase and lowercase. Then, they might capitalize the Username. Then, they might add the first letter of their last name to the username. Then, they might try one more time and give up. Or, like me, I tried different usernames and passwords that had worked previously, but now no longer worked (and they had been saved in a FTP profile).

Little does the person know what's going on, but they have now been identified as a network abuser, and banned. Not knowing what's going on, they call other people and ask them to try it. Some can get in, and some can't. So they try a dial-up account, which usually gets in, because their IP addresses change each dial-up. Some persons with fixed IP addresses can't get logged in, because they've been permanently blocked too.
Business and operations come to a halt, and there is much confusion and frustration. Data and information can't be transferred. Then, when politely asking to check and unblock three IP addresses, the user is accused of abusing the network and threatened with the removal of their account?

Security is a valid issue for concern, but there must be a better way. But, I fear we may have other users in the future that will make the same mistake. What should we do? Will we be able to request they be unblocked after we warn them to never make more than 3 mistakes trying to log in? And, don't try different usernames and passwords that used to work either, because that will only compound the problem. Plus, do we need to warn all users that if their HTTP is blocked too, it's probably TCH banned them?

So, perhaps you can see the problem? We're afraid we most likely will be revisiting this problem. But, there's a good lesson in this. Whenever people go about selecting a host for their web-pages, they might first want to ask about the IP address blocking policies. Temporary IP blocking would greatly reduce the problem. Permanent IP blocking for all protocols (FTP and HTTP) will most certainly lead to blocked communications.

At any rate, thank you for unblocking the IP addresses. It appears to be working OK now (for me).
Madmanmcp Posted November 11, 2005

d.a.n, the blocking of access after repeated failures is a standard practice and a security must-have. If TCH were to remove this "feature" I would be looking elsewhere for a more secure host. You never know when someone is going to attempt a brute force attack on your web sites and without this protection you are a sitting duck.

Now it's a simple matter to tell folks not to do what was being done. I am surprised that folks continued over and over again after failing a couple times. After about three times I know I typed it right and further attempts and guessing at what it might be is a waste of time. I and others also know that after X amount of retries in a short timeframe will cause a lockout. So educate the users and explain if they want to keep trying, do it in lengthier periods, for instance wait 15 minutes before trying again. But this is not going to help...if a password doesn't work, there is usually another reason for it not working and beating it with a hammer is not the right answer.
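The temporary, FTP-only block with a user-visible message suggested in the posts above, combined with a lockout after repeated failures in a short timeframe, as an added example that is not part of the thread and not TCH's firewall configuration. The thresholds, the `FtpLoginGuard` class and the IP address are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# All values below are illustrative assumptions, not TCH's real settings.
MAX_FAILURES = 5       # failed logins tolerated inside the window
WINDOW_SECONDS = 600   # "short timeframe" in which failures are counted
BAN_SECONDS = 1800     # temporary ban (30 minutes), not a permanent one
FTP_PORTS = {20, 21}   # the ban covers FTP only; HTTP stays reachable


class FtpLoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.banned_until = {}              # ip -> time at which the ban expires

    def record_failure(self, ip, now):
        """Count a failed FTP login; return True if it triggers a ban."""
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.banned_until[ip] = now + BAN_SECONDS
            recent.clear()
            return True
        return False

    def status(self, ip, port, now):
        """Return (blocked, message) for a connection attempt."""
        expires = self.banned_until.get(ip)
        if port not in FTP_PORTS or expires is None:
            return False, ""
        if now >= expires:                       # ban has run out: forget it
            del self.banned_until[ip]
            return False, ""
        minutes = -(-(expires - now) // 60)      # round up to whole minutes
        return True, f"Too many failed logins from {ip}; retry in {minutes} min"


def demo():
    """Replay constructed events for a constructed address (192.0.2.10)."""
    guard, ip = FtpLoginGuard(), "192.0.2.10"
    hits = [guard.record_failure(ip, t) for t in (0, 20, 45, 70, 90)]
    return (hits, guard.status(ip, 21, 100), guard.status(ip, 80, 100),
            guard.status(ip, 21, 1890))


if __name__ == "__main__":
    print(demo())
```

Retries spaced 15 minutes apart never accumulate inside the 10-minute window, so a user who waits between attempts is not locked out, while a rapid guessing run is.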
d.a.n (Author) Posted November 13, 2005

d.a.n, the blocking of access after repeated failures is a standard practice ...

Yes, I understand. It's really the permanent blocking that's a problem. Right now, I just tried twice, and it failed. I don't know why. I don't think I typed wrong twice, but I'm afraid to try anymore. It used to work. Now it doesn't. Something must have changed somewhere?
TCH-Dick Posted November 13, 2005 (edited)

Looks like it was more than twice.

The following are event logs for 19 login failures from 24.0.211.6 on service proftpd (all time stamps are GMT -0500):

I would suggest you have the Account owner open a ticket to have the block removed and you may want to have someone with access to the site reset your user/password. Also please be advised that anonymous FTP is disabled on all servers, so repeated attempts to login that way will only make the matter worse.

Edited November 13, 2005 by TCH-Dick