Incoming Traffic on Port 443, But HTTPS Not in Use?

Posted by Lancia, 07-30-2010, 03:45 AM
Over the past several months, a few visitors to my site have reported getting blocked by my web server. Sure enough, when I check the logs, I see CSF has temporarily blocked their IP addresses because of repeated attempts to make incoming connections on port 443. Only ports 80 and another randomized SSH port are open in CSF, and I have never used HTTPS on my site (this is a dedicated server for one site). I've had reports from both IE and Firefox users, and a look at their activity in the Apache logs shows nothing unusual. Reviewing the CSF logs shows that there are actually 6-8 people blocked per day for attempts to connect on port 443, but I suppose they didn't (or now can't) get their complaints to me. Does anyone have an idea as to what could be going on here, or the best way to work around this problem? I'd appreciate any thoughts or feedback you experts can provide.

Posted by madaboutlinux, 07-30-2010, 04:46 AM
Can you paste the CSF/LFD logs here where you see the people are blocked due to port 443?

Posted by fwaggle, 07-30-2010, 10:15 AM
There's a plugin for Firefox that HTTPS-ifies everything, supposedly for paranoid people or whatever. Someone visiting your site with such a plugin would likely hit port 443 a few times during their visit. I forget where or why it was posted, but it got a lot of attention a little while ago. I would probably unblock 443 in CSF (even if you don't enable it in your web server), or at least (I've never used CSF) see if you can exempt it from the fail2ban type behavior. I'd think blocking people for hitting port 443 on a webserver would be considered pretty rude (the firewall's behavior, not yours), right up there with blocking hosts on port 25 unless you have an MX record pointing elsewhere.

Posted by techstar, 07-30-2010, 03:48 PM
I haven't seen CSF blocking IPs for hitting port 443. Could you paste the CSF/lfd logs here that say the IP was blocked for hitting port 443 repeatedly? Maybe you misread. No offense please.

Posted by Lancia, 07-30-2010, 05:04 PM
Thanks for all your comments, guys. I'm a little paranoid about security, but I admit I am no expert - are you sure it'd be OK to open up the port even if Apache isn't listening there? Here's a copy of just a few of the email reports generated by several different blocked addresses from just a few hours ago. First octets have been changed to protect the innocent (or maybe the guilty!).

Posted by brianoz, 07-31-2010, 11:08 PM
It's completely fine to allow a few ports through the firewall that nothing is listening to. It's a bit like giving someone a door key and when they open the door they face a solid brick wall. They need a listening process to get in, for most things. It's still wise to leave as many ports closed as possible.

Posted by Lancia, 08-04-2010, 07:46 PM
Thanks, brianoz, I will probably just do that and open the port.
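
Added example, not part of the original thread: one way to script the cross-check described in the first post, separating sources whose dropped port-443 connections come alongside normal web requests from sources that only touch the closed port. The log lines are constructed, and the kernel-line prefix and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample data using documentation-range IPs; not logs from the thread.
# Fields follow the standard netfilter LOG layout; the "Firewall:" prefix is assumed.
KERNEL_LOG = """\
Jul 30 01:02:03 web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50211 DPT=443
Jul 30 01:02:04 web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50212 DPT=443
Jul 30 01:02:06 web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50213 DPT=443
Jul 30 02:10:11 web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40000 DPT=22
Jul 30 02:10:12 web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40001 DPT=443
Jul 30 02:10:13 web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40002 DPT=443
Jul 30 03:00:00 web kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=41000 DPT=23
"""
# Constructed Apache access-log lines (common log format).
ACCESS_LOG = """\
198.51.100.7 - - [30/Jul/2010:01:01:58 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [30/Jul/2010:01:02:01 +0000] "GET /style.css HTTP/1.1" 200 812
198.51.100.44 - - [30/Jul/2010:01:30:00 +0000] "GET / HTTP/1.1" 200 5120
"""

# Source address and destination port of a dropped TCP packet.
DROP_RE = re.compile(r"\bSRC=(\S+) .*?\bPROTO=TCP\b.*?\bDPT=(\d+)\b")

def dropped_sources(kernel_log, port=443):
    """Count dropped TCP packets per source address for one destination port."""
    hits = Counter()
    for line in kernel_log.splitlines():
        m = DROP_RE.search(line)
        if m and int(m.group(2)) == port:
            hits[m.group(1)] += 1
    return hits

def web_clients(access_log):
    """Client addresses that made at least one HTTP request."""
    return {ln.split(" ", 1)[0] for ln in access_log.splitlines() if ln.strip()}

def classify(kernel_log, access_log, port=443):
    """Split sources dropped on `port` into real visitors and port-only sources."""
    visitors = web_clients(access_log)
    result = {"visitor": {}, "port_only": {}}
    for ip, count in dropped_sources(kernel_log, port).items():
        result["visitor" if ip in visitors else "port_only"][ip] = count
    return result

if __name__ == "__main__":
    for kind, sources in classify(KERNEL_LOG, ACCESS_LOG).items():
        print(kind, sources)
```

Sources in the `visitor` group match the pattern reported in the thread (ordinary browsing plus repeated tries on 443); sources in `port_only` never requested a page.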
