Hi all,
We have a really weird issue. We're currently running RT 4.0.8, but it was also present before we upgraded from 3.8.4 to 4.0.8, on CentOS 6.3 w/ 2.6.32-279.14.1.el6.x86_64 on x86_64, Apache/2.2.15, on a 4-core Xeon CPU E5607 @ 2.27GHz.

When performing certain functions in the web interface, such as sorting a list of tickets by number or priority, a mystery process writes the IP address of the user to hosts.deny (blocking access to all services on the server) and after a short period of time, the address is purged from hosts.deny and the user doing the sorting can once again access RT.

The IPs for these users are already present in hosts.allow (and are obviously being ignored). Fail2ban is not installed. Denyhosts is not installed. SELinux is disabled. We only have about 3000 tickets in RT, and performance is great, except when you go to sort a list (could be 10, or 200 tickets) and you're locked out momentarily. Additionally, OSSEC reports "A web attack returned code 200 (success)" at the moment the IP is written to hosts.deny, and the Apache access log reads:

GET /Search/Results.html?Format=%27%20%20%20%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3A%23%27%2C%0A%27%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__Subject__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3ASubject%27%2C%0A%27__QueueName__%27%2C%0A%27__Priority__%27%2C%0A%27__CreatedRelative__%27%2C%0A%27__LastUpdatedRelative__%27&Order=DESC&OrderBy=id&Page=1&Query=Owner%20%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27&Rows=100 HTTP/1.1" 200 32147 "https://rt.mydomain.org/Search/Results.html?Format=%27%20%20%20%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3A%23%27%2C%0A%27%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__Subject__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3ASubject%27%2C%0A%27__QueueName__%27%2C%0A%27__Priority__%27%2C%0A%27__CreatedRelative__%27%2C%0A%27__LastUpdatedRelative__%27&Order=ASC&OrderBy=id&Page=1&Query=Owner%20%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27&Rows=100"; "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0"

Other logs are of little help. Here's the relevant portion of httpd conf:
AddDefaultCharset UTF-8
DocumentRoot /opt/rt4/share/html
<Location />
    Order allow,deny
    Allow from all
    SetHandler modperl
    PerlResponseHandler Plack::Handler::Apache2
    PerlSetVar psgi_app /opt/rt4/sbin/rt-server
</Location>
<Perl>
    use Plack::Handler::Apache2;
    Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");
</Perl>

Thank you in advance for any help you might be able to offer. I'd love to know what is writing to hosts.deny.

- Sean
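
An added diagnostic example, not code from Sean's post, from RT or from OSSEC: it decodes the query string of the logged request above and checks each parameter for the markup-like fragments that generic "web attack" / "XSS attempt" IDS rules key on. RT's Format parameter legitimately carries HTML (`<b><a href="...">`) and newlines in the column spec, which is exactly what a signature-based IDS sees as an injected payload, while the Query, Order and OrderBy parameters are plain text. The hostname is a placeholder, the second URL is a constructed comparison with Format omitted, and the patterns are illustrative rather than OSSEC's actual signatures. One thing worth checking against the symptom described: if OSSEC's active response is enabled, its host-deny script adds the alerting source IP to /etc/hosts.deny and removes it again after the configured timeout.

```python
"""Decode an RT search URL and report which parts a generic web IDS would flag.

Illustrative helper, not part of RT or OSSEC. SAMPLE_URL is the request from
the access-log line in the post (hostname replaced with a placeholder).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request that coincided with the lockout; the sort controls (Order, OrderBy)
# and the RT "Format" column spec are both carried in the query string.
SAMPLE_URL = (
    "https://rt.example.org/Search/Results.html?Format=%27%20%20%20%3Cb%3E%3Ca%20"
    "href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%3C%2Fb"
    "%3E%2FTITLE%3A%23%27%2C%0A%27%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html"
    "%3Fid%3D__id__%22%3E__Subject__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3ASubject%27%2C%0A"
    "%27__QueueName__%27%2C%0A%27__Priority__%27%2C%0A%27__CreatedRelative__%27%2C"
    "%0A%27__LastUpdatedRelative__%27&Order=DESC&OrderBy=id&Page=1&Query=Owner%20"
    "%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27&Rows=100"
)

# Constructed comparison: the same search and sort with the Format parameter omitted.
PLAIN_SORT_URL = (
    "https://rt.example.org/Search/Results.html?Order=DESC&OrderBy=id&Page=1"
    "&Query=Owner%20%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27&Rows=100"
)

# Patterns of the kind generic "web attack" / "XSS attempt" rules key on.
# Illustrative only; these are not OSSEC's actual signatures.
SUSPICIOUS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I),  # <b>, <a ..., </a>
    "href_attr": re.compile(r"\bhref\s*=", re.I),              # link attribute
    "newline": re.compile(r"[\r\n]"),                          # %0A / %0D in the URL
}


def decode_params(url):
    """Return the query parameters as {name: [percent-decoded values]}."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def flag_request(url):
    """Return sorted (parameter, pattern) pairs for every parameter that matches.

    An empty list means nothing in the decoded request resembles markup.
    """
    hits = set()
    for name, values in decode_params(url).items():
        for value in values:
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(value):
                    hits.add((name, label))
    return sorted(hits)


def explain(url):
    """One-line summary suitable for a ticket note or a list reply."""
    hits = flag_request(url)
    if not hits:
        return "no markup-like content in any parameter"
    params = sorted({name for name, _ in hits})
    return "markup-like content in: " + ", ".join(
        f"{p} ({', '.join(label for name, label in hits if name == p)})" for p in params
    )


if __name__ == "__main__":
    print("Decoded Format parameter:\n" + decode_params(SAMPLE_URL)["Format"][0] + "\n")
    print("Sort with Format:   ", explain(SAMPLE_URL))
    print("Sort without Format:", explain(PLAIN_SORT_URL))
```

Running it prints the Format value as the browser sent it: six quoted column specs separated by newlines, the first two wrapping `__id__` and `__Subject__` in `<b><a href="/Ticket/Display.html?id=__id__">`. Only the Format parameter trips the patterns; the Format-less sort is clean, which is the distinction to look for when correlating access-log lines with IDS alerts and hosts.deny changes.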
