Positive Fusion

An overly strict mod_security rule was placed into action this morning, this resulted in blocking numerous legitimate website visitors, though for only a brief period of time. In fact, our own website uptime monitoring service was temporarily blocked from accessing the server, resulting in a perceived downtime of approximately 15 minutes. Effected were any user agents that contained the words “fetch” or “site.”

This rule has been put into ‘log only’ mode, so it may be better tuned and prevent further innocent casualties.

The good news is that there have been a few more rules put into action that appear to be working well to stop the influx of ‘attack spam.’ These rules are very specific and targeted toward problem areas. They should not effect legitimate users. If, by chance, you or your visitors receive 406 errors (standard mod_security error), 412 (targeted mod_security error), or 503 (IP connection limiting in effect) let us know.

The goal, as always, is to make security filtering invisible to the legitimate user.

We have enabled login brute force detection. If you have forgotten your password for any service, please reset it, versus attempting multiple failed logins. After the fifth attempted login has failed you’ll be unable to try again for fifteen minutes. This measure is an attempt to quell the recent brute force attempts into the email services.

The issue preventing updates to the system has been resolved. Updates to Cpanel and related software has been completed. There was also an update to the email server software. This email server update necessitated changes to the email server configuration. Every effort has been made to keep email functionality the same; however some minor details such as blacklist filtering may need additional tuning.

If you experience difficulty in sending or receiving email and believe it to be related to this update please file a support request so it can be investigated.

A new Apache module has been installed that can be set to limit the number of connections a particular IP can make to a particular file at the same time. It is strongly felt this new module will greatly reduce the severity of comment spam attacks. The new module is currently being used in one particular location, the epicenter if you will of the recent attacks.

We had tried this methodology before; however that Apache module wasn’t well suited to the task and caused numerous false positives. The new module is much more simple, although it will provide a similar ‘503′ error when it intervenes. Again, this is not a server-wide implementation, and is currently in use only to protect against comment spam on a particular website.

This message is to address the problem we’ve had lately with these spam attacks, and to indicate one of the new methods we are using to address the issue.

Routine updates to Cpanel and related packages such as Perl & Imap email were processed this evening. There was no downtime and we don’t expect there to be any issues arising from these updates. If something has suddenly quit working properly please let us know.