On Wed, Nov 28, 2012 at 11:38:27AM -0800, S P wrote:
> When performing certain functions in the web interface, such as
> sorting a list of tickets by number or priority, a mystery process
> writes the IP address of the user to hosts.deny (blocking access to
> all services on the server) and after a short period of time, the
> address is purged from hosts.deny and the user doing the sorting can
> once again access RT.
>
> The IPs for these users are already present in hosts.allow (and are
> obviously being ignored). Fail2ban is not installed. Denyhosts is
> not installed. SELinux is disabled. We only have about 3000 tickets
> in RT, and performance is great. Except when you go to sort a list
> (could be 10, or 200 tickets) and you're locked out momentarily.
> Additionally, OSSEC reports "A web attack returned code 200
> (success)" at the moment the IP is written to hosts.deny and apache
> access log reads:

You've listed a few modules that this isn't, but RT doesn't write to
hosts.deny so presumably this is some feature provided by OSSEC.
I'd take it up with them first.

-kevin
