versasslover Posted April 28, 2020

I'm on Cox in Las Vegas, and for a couple of days I've been unable to reach the site. IPv4. Switching to a VPN solves it for now.

oinktall Posted May 2, 2020

Not just connection issues but my xfinity Wi-Fi in Denver CO started actively blocking this website a few weeks ago. I use mobile data to access it on my phone, but I'm going to dig around my firewall settings and try to find out why it's blocked.

rawTOP (Administrators, Author) Posted May 24, 2020

Just so you guys know… I'm continuing to tweak the algorithm that's banning some of your IP addresses. Things that are typical of problem users put you on a really short leash. Things that are typical of good users increase what I let you do on the site before your activity looks too suspicious and I ban you.

One of the most important things is to not block reCAPTCHA. I can't stress that enough. I use Google's reCAPTCHA v3 – it operates behind the scenes and tells me how likely it is that you're a bot. Bots know not to load reCAPTCHA (thinking no score is better than a bad score), so if you don't load it, then you look like a bot and you'll trip the algorithm very quickly and get banned. If your privacy controls block reCAPTCHA, then whitelist it. Otherwise you'll probably eventually get banned.

If you do get banned, try again in 3-4 days. Most of the time the ban period is pretty short.

rawTOP (Administrators, Author) Posted May 26, 2020

I just did a change that will make it much less likely for legit users to get banned. Here's what is needed to qualify for the new criteria…

- Have logged into chat in the past 6 months (starting with logins ~now) and not have deleted your cookies since that time
- Not look like a bot to reCAPTCHA v3 or be blocking reCAPTCHA

It's highly unlikely you'll be blocked if you pass those two tests.

If you are currently blocked and want your IP address unblocked, do the following (this offer is not available to New Members)…

1. Click on this link.
2. Then change to the network where you're having problems and reload that page.
3. Make note what it says for "IPv4" – that's the IP address with the problem.
4. Switch back to the network that lets you view this page and send that IP address to me in a DM.

I don't promise I'll unblock your IP, but it will give me a better idea of what's triggering blocks and if you seem legit, I'll undo the block. Senior members will most likely be unblocked.

tighthole64 Posted May 26, 2020 (Edited May 26, 2020 by tighthole64)

Tried to connect to chat for first time today, got this message. Browser ID could not be determined. Your login cannot be verified. Tried again and said email not verified, so did that. Hope that works

rawTOP (Administrators, Author) Posted May 26, 2020

2 hours ago, tighthole64 said:
> Tried to connect to chat for first time today, got this message. Browser ID could not be determined. Your login cannot be verified. Tried again and said email not verified, so did that. Hope that works

The first part is pretty normal. There's a whole thread about it. The second part means you need to change or validate your email in the system powering chat (which is different but semi-connected to the forums). There's no error there. I started working on syncing the two systems, but got distracted by other things. I'll get back to it in the near future.

mass1ve Posted June 18, 2020

@rawTOP Used to be able to connect, now we tunnel through SSH to an offshore server. NBD, but there ARE some improvements you could make to the site that would make it less attractive to bots and such.

x-powered-by: PHP/7.2.30
the latest PHP is 7.4, and you should be running it behind php-fpm. at no point should the version string be present in the site's headers. This gives spammers a known target.

server: Apache
Scrub this. connecting clients don't need to know this is an Apache server and it also makes an attractive target for bots.

You should be running fail2ban to automate most of the heavy lifting for bot and hacker bans. fail2ban can even do scripted callouts to your hosting provider's firewall.

Your strict transport security is also misconfigured, appearing twice...

strict-transport-security: max-age=63072000
content-length: 177928
last-modified: Thu, 18 Jun 2020 16:18:51 GMT
strict-transport-security: max-age=15768000

the site's cryptography also does not specify a cipher order...

rawTOP (Administrators, Author) Posted June 18, 2020

3 hours ago, mass1ve said:
> @rawTOP Used to be able to connect, now we tunnel through SSH to an offshore server. NBD, but there ARE some improvements you could make to the site that would make it less attractive to bots and such.
>
> x-powered-by: PHP/7.2.30
> the latest PHP is 7.4, and you should be running it behind php-fpm. at no point should the version string be present in the site's headers. This gives spammers a known target.
>
> server: Apache
> Scrub this. connecting clients don't need to know this is an Apache server and it also makes an attractive target for bots.
>
> You should be running fail2ban to automate most of the heavy lifting for bot and hacker bans. fail2ban can even do scripted callouts to your hosting provider's firewall.
>
> Your strict transport security is also misconfigured, appearing twice...
>
> strict-transport-security: max-age=63072000
> content-length: 177928
> last-modified: Thu, 18 Jun 2020 16:18:51 GMT
> strict-transport-security: max-age=15768000
>
> the site's cryptography also does not specify a cipher order...

Thanks for your feedback. It's always good to get a perspective from someone who knows something about server admin.

I'm on PHP v7.2 rather than 7.4 because it's the version that's part of the stable build of my OS. And it is using php-fpm – that's the only way to get HTTP/2 to work properly.

I'll ask my host to turn off the x-powered-by header – doing so is not a bad idea. That said, it's probably clear the site is running IP.Board and IP.Board is php-based, so turning off x-powered-by only really hides the version number.

Apache doesn't like/support turning off the server header. Just showing Apache with no version number is the compromise. That said, I'll ask my host to turn it off. Maybe they can.

I'll look further at fail2ban, but it may conflict with what I've already written. fail2ban will never be able to detect who's spammed the site, etc. though it will do a better job with other types of attacks.

When I tested I only saw the strict-transport-security header once in the response header. But when I ran the site through an SSL test (see below) it complained about duplicate headers. I did find the htaccess rule that was setting it a second time. But now I'm a bit confused what's setting it the first time. But it's working, so I'm not going to complain.

As far as specifying a cipher order, if I understand the issue correctly, I don't really see the point. I've disabled all the insecure ciphers. Doing so is necessary to get an A+ rating on the "SSL" test…

https://www.ssllabs.com/ssltest/analyze.html?d=breeding.zone

So if there are no possible insecure ciphers, it doesn't matter which the browser uses.

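As an added example (not code from the thread or from the site), the two header points discussed in the exchange above, version disclosure and the repeated strict-transport-security header, can be checked with a short Python audit over a raw header block. The sample input is constructed from the header lines quoted in the thread; the function names and check IDs are assumptions of this example.

```python
import re

# Constructed sample: the header lines quoted in the thread, as one raw block.
SAMPLE_HEADERS = """\
server: Apache
x-powered-by: PHP/7.2.30
strict-transport-security: max-age=63072000
content-length: 177928
last-modified: Thu, 18 Jun 2020 16:18:51 GMT
strict-transport-security: max-age=15768000
"""

VERSION_RE = re.compile(r"/\d+(\.\d+)*")             # e.g. "/7.2.30"
MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)', re.I)

def parse_headers(raw):
    """Return (name, value) pairs in order; a dict would hide duplicates."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw):
    """Return a list of (check_id, detail) findings for a raw header block."""
    pairs = parse_headers(raw)
    findings = []
    for name, value in pairs:
        # A bare product name ("Apache") passes; a version string does not.
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(("version-disclosure", f"{name}: {value}"))
    hsts = [v for n, v in pairs if n == "strict-transport-security"]
    if not hsts:
        findings.append(("hsts-missing", "no strict-transport-security header"))
    elif len(hsts) > 1:
        ages = []
        for v in hsts:
            m = MAX_AGE_RE.search(v)
            ages.append(int(m.group(1)) if m else None)
        kind = "hsts-duplicate-conflict" if len(set(ages)) > 1 else "hsts-duplicate"
        findings.append((kind, f"{len(hsts)} headers, max-age values {ages}"))
    return findings

if __name__ == "__main__":
    for check, detail in audit_headers(SAMPLE_HEADERS):
        print(f"{check}: {detail}")
```

The parser works on the raw header lines because a client library that folds headers into a mapping can merge or drop a repeated field before the check sees it.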

mass1ve Posted July 14, 2020

@rawTOP tls issues today with the site cert? things were down for a few hours today. was there an issue with the rollout or update? certbot has a module for Apache that handles autorenewal as well as the reload.

rawTOP (Administrators, Author) Posted July 15, 2020

On 7/14/2020 at 4:58 AM, mass1ve said:
> @rawTOP tls issues today with the site cert? things were down for a few hours today. was there an issue with the rollout or update? certbot has a module for Apache that handles autorenewal as well as the reload.

I was busy and didn't ask my host exactly what went wrong, but it was NOT a cert renewal problem – they renew automatically.

Guest takingdeepanal Posted July 16, 2020

On 7/14/2020 at 6:58 PM, mass1ve said:
> @rawTOP tls issues today with the site cert? things were down for a few hours today. was there an issue with the rollout or update? certbot has a module for Apache that handles autorenewal as well as the reload.

10 hours ago, rawTOP said:
> I was busy and didn't ask my host exactly what went wrong, but it was NOT a cert renewal problem – they renew automatically.

I had troubles as well - but figured that it was a maintenance issue. Main thing is that the site is running! 🙂

Guest Posted July 16, 2020

Having the same issues connecting from my home wifi network, no issue from my cellphone data plan. I'll try unplugging the router overnight and see if it helps.

Guest xsodomyx Posted July 29, 2020

I also can't access the site without a VPN - Mind you, I just joined, I've done nothing wrong 😭

rawTOP (Administrators, Author) Posted August 7, 2020

So, everyone say thank you to @thejadoman… He got in touch with me and gave me information that let me figure out the problem. Turns out a database table I thought only had spammer IPs in it, also had good IPs. I now know how to tell the difference.

Guest Posted August 7, 2020

I can finally connect now, thanks a lot