Need help understanding error message

Fred
20 June 2016, 20:08
Hi Hugo,

We keep getting the error message
444, "Banned Due To Misconduct"

We have
ConnectionsPerIP = 32
and only a maximum of 3 tabs open when we get the message.
The problem is intermittent and tends to go away if we refresh the screen.

Could you please explain what this message means and how to stop it popping up?

Thank you
Fred
Hugo Leisink
20 June 2016, 20:26
How many users are connecting from the same IP address you are connecting from?
Fred
21 June 2016, 10:18
Hi Hugo,
We have two developers each working from home..
So 2 users on 2 different IP addresses. I can have about 3 tabs open at the same time..
I don't know if that's relevant but we also have 3 ftp tabs open to the same sites..
Is there any debug I could use?
Hugo Leisink
21 June 2016, 14:16
Use the command line tool lsof to see how many connections there are with the webserver:
sudo lsof -n | grep TCP | grep http | grep ESTABLISHED
Fred
21 June 2016, 14:16
Hi Hugo,
The problem happened again this morning and this time I managed to get this from the log
77.99.233.xxx|Tue 21 Jun 2016 13:01:12 +0100|Client banned because of flooding

All I did was access a php page...
This is a static site so I don't understand why it happens so often
Hugo Leisink
21 June 2016, 14:17
Can you show me your configuration file?
Fred
21 June 2016, 14:35
####################################################################
# Hiawatha main configuration file
# Tuned for WordPress.

################ Set Variables #####################################
# variables are case-sensitive and cannot be re-declared.
#
set LOCALHOST = 127.0.0.0/8
set MyIPv4 = 10.8.20.xxx
set TrustedIP_1 = 82.27.197.xxx # Whitelist office IP Address (red hall drive)
set TrustedIP_2 = 86.8.75.xxx # Whitelist Head Office IP Address (stonegate road)
set TrustedIP_3 = 10.8.20.xxx # Whitelist proxy server IP Address

################ General Settings ##################################
#MonitorServer = 192.168.1.125 # IP address of the Hiawatha Monitor server
ServerString = Hiawatha
ServerId = www:www
HideProxy = 10.8.20.xx
ConnectionsTotal = 4096 # Maximum number of simultaneous connections. Default = 100
ConnectionsPerIP = 32 # Maximum number of simultaneous connections per IP address. Default = 10
MaxUrlLength = 1000 # Maximum length of the path of an URL that the webserver accepts as being valid
# Otherwise, a 414 error code is returned
# Default = 1000
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ExploitLogfile = /var/log/hiawatha/exploit.log # xss sqli etc
#ThreadKillRate = 10 # Free unused threads
#CacheSize = 8 # Size of Hiawatha's internal file cache. Maximum is 1024 (megabytes). Default = 10
#CacheMaxFilesize = 512 # Maximum size of a file Hiawatha will store in its internal cache. Default = 256
MinTLSversion = 1.2 # Specify the minimum TLS version Hiawatha accepts for HTTPS connections
# Default = 1.1 (last updated 03/09/16)

DHsize = 4096 # Set the size of the Diffie-Hellman key.
# Default = 2048

SocketSendTimeout = 30 # Sets the SO_SNDTIMEO value for all client connection sockets
# Default = 3

ReconnectDelay = 3 # How long connection will stay open after no traffic

### Whitelist business IPs ###
LogfileMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3

# This network can upload all they want
RequestLimitMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3

################ Binding Settings ##################################
include bindings.conf

################ Banning Settings ##################################
# Deny service to clients who misbehave.

# NEVER ban whitelisted IP Address
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3
KickOnBan = yes # Close all connections for an IP that is banned
RebanDuringBan = yes # Reset the ban-time when a client tries to reconnect during a ban

ChallengeClient = 200, httpheader, 60 # Challenge the client to verify that it's a real web browser and not an HTTP bot
#ChallengeClient = 768, javascript, 15 # After 200 connects send a cookie
BanOnFlooding = 10/1:15
BanOnGarbage = 300 # seconds
BanOnInvalidURL = 60 # seconds
BanOnMaxPerIP = 15 # seconds
BanOnMaxReqSize = 300 # seconds
BanOnWrongPassword = 3:120 # seconds
BanOnSQLi = 3600 # seconds
BanOnDeniedBody = 120 # seconds

################ Common Gateway Interface Settings #################

CGIhandler = /usr/local/bin/ssi-cgi:shtml
CGIhandler = /usr/local/bin/php-cgi:php

FastCGIserver {
FastCGIid = PHP5-FPM
ConnectTo = /var/run/php-fpm.sock
Extension = php
}

FastCGIserver {
FastCGIid = PHP5_SHTML
ConnectTo = /var/run/php-fpm.sock
Extension = php, shtml
}

################ URL Toolkit Settings ##############################
include toolkit.conf

################ Directory Settings ################################
include directory.conf

################ default Website Settings ##########################
# protect from automated webscanners
Hostname = 127.0.0.1
WebsiteRoot = /usr/local/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/default.access.log
ErrorLogfile = /var/log/hiawatha/default.error.log
#ErrorHandler = 404:/error.cgi

VirtualHost {
Hostname = dev.mydomain.co.uk, www.dev.mydomain.co.uk
WebsiteRoot = /usr/local/www/development/httpdocs
#StartFile = index.php
StartFile = index.shtml
UseLocalConfig = yes # Tell Hiawatha to use or ignore .hiawatha files
CustomHeader = X-Frame-Options: sameorigin
CustomHeader = Vary: Accept-Encoding
#RequireTLS = yes,31536000 # Force TLS connection
RandomHeader = 512 # Anti decryption on https listening
#TLScertFile = /usr/local/www/production/tls/softfloorkids.co.uk.pem
AccessLogfile = /usr/local/www/development/httpdocs/logs/access.dev.softfloorkids.co.uk.log
ErrorLogfile = /usr/local/www/development/httpdocs/logs/error.dev.softfloorkids.co.uk.log
TimeForCGI = 15
#UseFastCGI = PHP5-FPM
UseFastCGI = PHP5_SHTML
ExecuteCGI = yes # Allow execution of CGI programs.
# Default = no

#UseDirectory = cache-control-1w, cache-control-2w, cache-control-2m
#UseToolkit = secure-wp, wordpress
#UseToolkit = wordpress, cache-control
#UseToolkit = wp-multi-subdir
#UseToolkit = joomla
UseToolkit = block_bots

################ Security Settings #################################

DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$ # If the request body matches the case insensitive regular expression, return a 403 Forbidden

#PreventCSRF = yes # Ignore all cookies sent by a browser when following an external link
# Can cause problems for wordpress
# Default = no

#PreventSQLi = yes # Prevent SQL-injection by detecting injections and denying the request via a 403, 404 or 441 response.
# NOT 100% guarantee, resource intensive!

#PreventXSS = yes # Prevent cross-site scripting via the URL by replacing a less-than, greater-than, quote or double-quote in the URL with an underscore.
# Default = no
#WrapCGI = jail_dev.softfloorkids.co.uk
}


Fred
21 June 2016, 14:42
BanOnFlooding = 10/1:15

Can this be it?
I really doubt we are that quick as human..
Fred
21 June 2016, 20:37
Hi Hugo,
No idea if it's a known problem but I found this blog suggesting an issue with the Chrome browser (the same as I use)

Could you please tell me if you are aware of any issue with Chrome browser?
Fred
21 June 2016, 20:38
Sorry cannot insert link.
I get Message seen as spam.
Hugo Leisink
21 June 2016, 21:24
Can this be it?
I really doubt we are that quick as human..

If your website contains more than one stylesheet, image and javascript, that could be it. Remember that requesting one page usually results in multiple requests. One for every stylesheet, image and javascript.
Fred
21 June 2016, 21:46
Thank you for the response. I didn't think of stylesheet, image and javascript.
Do you have any safe setting to give or is it pretty much experimenting with the value?
Hugo Leisink
22 June 2016, 01:13
Simply don't use that setting unless someone is really DoS-ing you. A sane value would be the largest number of resources in a page plus some extra to be sure.
This topic has been closed.
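The sizing rule from the last reply, as an added example that is not part of the thread or of Hiawatha: it replays pipe-separated log lines and reports which clients a `BanOnFlooding` value would have banned, plus the peak-plus-margin value the reply describes. Assumptions: the sample log is constructed and its `IP|timestamp|...` layout is taken from the log line quoted earlier in the thread, the setting is modelled as "more than N requests from one IP within T seconds", and `margin` is a hypothetical parameter.

```python
from collections import defaultdict, deque
from datetime import datetime

def _line(ip, second, path):
    # Constructed sample line; layout assumed from the log line quoted in the thread.
    return f"{ip}|Tue 21 Jun 2016 13:01:{second:02d} +0100|200|{path}"

# Constructed sample: one page view that pulls in 13 sub-resources in the same
# second, plus a second client requesting one page every ten seconds.
SAMPLE_LOG = (
    [_line("192.0.2.10", 12, "/index.php")]
    + [_line("192.0.2.10", 12, f"/assets/file{i}.css") for i in range(13)]
    + [_line("198.51.100.7", s, "/index.php") for s in (10, 20, 30)]
)

def parse_setting(value):
    """Split 'number/time:ban' (e.g. '10/1:15') into three integers."""
    rate, ban = value.split(":")
    number, seconds = rate.split("/")
    return int(number), int(seconds), int(ban)

def peak_requests(lines, window):
    """Return {ip: most requests seen in any `window`-second span}.

    Lines must be in chronological order per IP, as they are in a log file.
    """
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ip, stamp = line.split("|")[:2]
        t = datetime.strptime(stamp, "%a %d %b %Y %H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(t)
        while q[0] <= t - window:  # drop requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)

def review(lines, setting, margin=5):
    """Return (IPs the setting would ban, suggested 'number' = peak + margin)."""
    number, window, _ban = parse_setting(setting)
    peaks = peak_requests(lines, window)
    would_ban = sorted(ip for ip, n in peaks.items() if n > number)
    return would_ban, max(peaks.values()) + margin

if __name__ == "__main__":
    print(review(SAMPLE_LOG, "10/1:15"))
```

Run it over a day of real access-log lines from ordinary visitors before enabling the setting; a non-empty first element means legitimate page loads would be banned.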