• So we have a client who keeps experiencing a similar issue and we’re not too sure why. He’s trying to log into his admin account on a site, but he’s trying to access it from home / other buildings.

    For whatever reason Cerber keeps blocking him and then locking his IP address out.

    If we look in the Dashboard we have a lot of:

    “Form submission denied IP address is locked out
    URL: quadram.ac.uk/autodiscover/autodiscover.xml”

    “14th February 2020, 8:24 am https://quadram.ac.uk/autodiscover/autodiscover.xml
    POST HTTP 403 Forbidden 217 ms

    Form submission denied IP address is locked out”

    I’ve added his IP to the access list, but he’s had this issue before when trying to log in from various different University buildings and such. Would you know why this keeps blocking him?

    Why does it think he’s requesting a strange XML page when he’s just trying to log in through the standard login page?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author gioni

    (@gioni)

    Sending those requests is seemingly a part of how Microsoft’s browsers (Edge?) work in a corporate network. Anyway, add /autodiscover/autodiscover.xml to the whitelist: https://wpcerber.com/antispam-exception-for-specific-http-request/

    Plugin Author gioni

    (@gioni)

    How’s it going?

    Thread Starter klivie

    (@klivie)

    So we keep getting legitimate users on the website blocked for some reason.

    The site is accessible from many different university campuses, so a lot of these blocked users are trying to use the website for various resources for work and need to be able to access the site. But it seems that after the first few requests, the IP address of each of these users keeps getting blocked.

    Reviewing the logs it even seems users get blocked for just using the site legitimately.

    E.g.
    12th March 2020, 7:24 pm https://quadram.ac.uk/UKfoodcomposition/wp-content/themes/quadramfoodbanks/favicon.ico
    GET HTTP 404 Not Found 280 ms

    IP blocked Multiple suspicious requests

    92.236.10.228
    cpc87279-slou4-2-0-cust227.17-4.cable.virginm.net Safari on Macintosh
    Referrer

    https://quadram.ac.uk/UKfoodcomposition/?s=chickpeas&submit=Search
    User agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15

    So it looks like the above user was just trying to use the search form and got blocked?

    Another example can be seen below:

    15th March 2020, 10:34 pm https://quadram.ac.uk/UKfoodcomposition/wp-content/themes/quadramfoodbanks/favicon.ico
    GET HTTP 404 Not Found 638 ms Details

    IP blocked Multiple suspicious requests

    51.146.80.170
    51.146.80.170 Safari on Macintosh
    Referrer

    https://quadram.ac.uk/UKfoodcomposition/food-list/page/130/
    User agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15

    This user seems to have gotten blocked for just navigating to page 130 of this URL: https://quadram.ac.uk/UKfoodcomposition/food-list/

    Can you please explain to me why it just seems to randomly block users?

    Thread Starter klivie

    (@klivie)

    Another example if required; this time from a building at the University of Stafford.

    14th March 2020, 1:30 pm https://quadram.ac.uk/UKfoodcomposition/wp-content/themes/quadramfoodbanks/favicon.ico
    GET HTTP 404 Not Found 1252 ms Details

    IP blocked Multiple suspicious requests

    109.246.153.35
    no-dns-yet.as25178.net Safari on iPhone
    Referrer

    https://quadram.ac.uk/UKfoodcomposition/?s=Steak&submit=Search
    User agent

    Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1

    Again, they are seemingly blocked just because of doing a site search?

    I have noticed the favicon.ico URL seems to occur quite a lot within these errors. Is it possible the 404 on the favicon are causing an issue?

    Thread Starter klivie

    (@klivie)

    Still after some guidance here if anyone’s got any response?

    Thanks

    Thread Starter klivie

    (@klivie)

    We’re still getting asked by clients about this issue, if you have any recommendations at all.

    Thanks!

    Plugin Author gioni

    (@gioni)

    If you see this type of request in Cerber’s log, that means you have a seriously misconfigured (if ever configured) front-end server such as NGINX.

    14th March 2020, 1:30 pm https://quadram.ac.uk/UKfoodcomposition/wp-content/themes/quadramfoodbanks/favicon.ico
    GET HTTP 404 Not Found 1252 ms Details

    I believe this is the root cause. Static assets, e.g. images, may not be handled by a back-end server. A back-end server is a server that runs your WordPress; typically it’s Apache. Try to disable “Erroneous Request Shielding” in the Traffic Inspector settings.
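
    The front-end configuration gioni is describing, as an added example that is not part of this thread or of the WP Cerber plugin: NGINX answers requests for static assets itself (including a plain 404 for a missing favicon.ico), and only non-static requests are proxied to the Apache back end that runs WordPress. That way a missing theme favicon never reaches PHP, so WP Cerber’s Traffic Inspector never sees it as an erroneous request and cannot count it towards a lockout. The hostname, document root and upstream address below are assumptions for illustration.

```nginx
# Added example (not from the thread or the WP Cerber project).
# Assumed values: example.org, /var/www/example.org, Apache on 127.0.0.1:8080.

server {
    listen 443 ssl http2;
    server_name example.org;              # assumed hostname
    root /var/www/example.org;            # assumed document root shared with Apache

    # Static assets: served straight from disk by NGINX.
    # "try_files $uri =404" returns 404 from NGINX itself when the file is
    # missing, instead of falling through to WordPress, where a 404 on
    # favicon.ico would be logged by WP Cerber as an erroneous request.
    location ~* \.(ico|png|jpe?g|gif|svg|webp|css|js|woff2?|ttf|eot|map)$ {
        try_files $uri =404;
        expires 30d;
        add_header Cache-Control "public";
        log_not_found off;                # don't fill error.log with missing favicons
    }

    # Everything else (pages, admin, XML-RPC, wp-login.php) goes to the
    # back-end Apache that runs WordPress. Apache's .htaccess rewrites
    # still apply, so sub-directory installs keep working.
    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed upstream
        proxy_set_header Host $host;
        # Pass the real client address so per-IP lockouts apply to the
        # visitor and not to the proxy itself.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

    The regex `location` is matched before the `location /` prefix, so every asset path is handled by NGINX regardless of whether the file exists. Two caveats: the `root` must point at the same tree Apache serves, otherwise every asset becomes a 404 (served by NGINX, so still invisible to Cerber, but broken for users); and if the client address is not forwarded, the back end sees the proxy’s IP for everybody, so one lockout would block all visitors at once.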


The topic ‘Malicious requests denied’ is closed to new replies.