
Port flood from Squarespace whenever I login to squarespace

Comments

10 comments

  • Andrew

    Maybe it's best to contact Squarespace about this?

    Andrew N. - cPanel Plesk VMWare Certified Professional
    Do you need immediate assistance? 20 minutes response time!* Open a ticket
    EmergencySupport - Professional Server Management and One-time Services

    0
  • jeffschips

    Yes indeed - I was just reading the Better Business Bureau reports on Squarespace.  Lots of issues.  I'm going to move away from them.  No support.  Would be good to know what other DNS services peeps here use and their experience with them.  I'm finished with Squarespace.

    0
  • jeffschips

    I guess what I'm looking for before I escalate this is where in WHM would the detailed logs be for this error message? Currently it's being sent to me as a login failure message from CSF but I know the details of the error must be in some log file.  I searched the log files /var/log/ but no joy.  I've searched the log files in /usr/local/cpanel/logs but also no joy.

    0
  • cPRex Jurassic Moderator

    If all of the IP addresses are connecting to port 443 then I would expect you to find them in one of the Apache logs, most likely /etc/apache2/logs/access_log.

    Does CSF say what service it is trying to log into?  That would be the most helpful clue for determining the log file.

    0
  • jeffschips

    Ok, some clues: when I access /var/log/apache2/domlogs there are calls to the website I'm working on in Squarespace.  They have a tiny image of the website in the GUI in Squarespace to click on in their control panel to open the DNS settings, which produces this error in /var/log/apache2/domlogs:

    8.41.221.55 - - [20/Nov/2024:09:11:15 -0500] "GET /?screenshotCacheBust=1732111876163 HTTP/1.1" 301 265 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36"

    Then, after the error above, according to the logs in this domain's access_log, Squarespace is simply issuing calls that would be normal when accessing the website in real life.

    But it doesn't seem to be getting access and csf sees this as a login-attack, it seems.

    Category: abuse
    Report-Type: login-attack
    Service: port-flood
    User-Agent: csf
    Date: 2024-11-19T14:42:30-0500
    Source: 8.41.221.55
    Source-Type: ipv4
    Attachment: text/plain
    Schema-URL: https://download.configserver.com/abuse_login-attack_0.2.json

    Thousands of these:

    tcp: 8.41.221.55:11262 -> xx.xx.xx.xx443 (TIME_WAIT)

    I have a report into Squarespace but they are abysmal.  Truly out to lunch.

    0
  • quietFinn

    There is no error.

    In CSF there is a setting CT_LIMIT:
    "Connection Tracking. This option enables tracking of all connections from IP
    addresses to the server. If the total number of connections is greater than
    this value then the offending IP address is blocked. This can be used to help
    prevent some types of DOS attack."

    Also, you apparently have the CSF setting X_ARF = On.

    0
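    The thread asks where the evidence behind a CSF port-flood report lives and what CT_LIMIT actually counts. The following script is an added example, not code from the thread or from CSF: it parses Apache combined-format lines (the domlogs format quoted above) and the "tcp: src:port -> dst:port (STATE)" connection list CSF attaches to its report, then tallies requests and connections per source IP and flags any source whose connection count exceeds a CT_LIMIT-style threshold, as the quoted CSF description says ("greater than this value"). All log lines and IPs other than 8.41.221.55 are constructed, and the CT_LIMIT value of 2 is chosen only so the sample trips it.

```python
"""Tally per-IP requests and connections from constructed CSF/Apache samples.

Added example for the thread; not CSF's own code. The state filter emulates
the optional CT_STATES restriction in csf.conf (CT_LIMIT counts every state
unless CT_STATES narrows it).
"""
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format lines (the /var/log/apache2/domlogs format).
SAMPLE_ACCESS_LOG = """\
8.41.221.55 - - [20/Nov/2024:09:11:15 -0500] "GET /?screenshotCacheBust=1732111876163 HTTP/1.1" 301 265 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36"
8.41.221.55 - - [20/Nov/2024:09:11:16 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36"
8.41.221.55 - - [20/Nov/2024:09:11:16 -0500] "GET /style.css HTTP/1.1" 200 880 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36"
203.0.113.7 - - [20/Nov/2024:09:12:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/132.0"
"""

# Constructed connection list in the form CSF attaches to a port-flood report
# (the thread's copy redacts the server address; 198.51.100.10 is a placeholder).
SAMPLE_CONNECTIONS = """\
tcp: 8.41.221.55:11262 -> 198.51.100.10:443 (TIME_WAIT)
tcp: 8.41.221.55:11263 -> 198.51.100.10:443 (TIME_WAIT)
tcp: 8.41.221.55:11264 -> 198.51.100.10:443 (ESTABLISHED)
tcp: 203.0.113.7:50311 -> 198.51.100.10:443 (ESTABLISHED)
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
CONN_RE = re.compile(
    r'^(?P<proto>\w+): (?P<src>[\d.]+):(?P<sport>\d+) -> '
    r'(?P<dst>[\d.]+):(?P<dport>\d+) \((?P<state>\w+)\)$'
)


def parse_access_log(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_requests(text):
    """Return (requests per IP, set of user agents seen per IP)."""
    counts = Counter()
    agents = defaultdict(set)
    for rec in parse_access_log(text):
        counts[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["ua"])
    return counts, agents


def headless_ips(text):
    """IPs that presented a HeadlessChrome user agent (screenshot crawlers)."""
    _, agents = summarize_requests(text)
    return sorted(ip for ip, uas in agents.items()
                  if any("HeadlessChrome" in ua for ua in uas))


def count_connections(text, states=None):
    """Connections per source IP, optionally restricted to the given TCP states."""
    counts = Counter()
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        if states and m["state"] not in states:
            continue
        counts[m["src"]] += 1
    return counts


def over_limit(conn_counts, ct_limit):
    """Sources whose connection count is greater than ct_limit (CSF's CT_LIMIT test)."""
    return sorted(ip for ip, n in conn_counts.items() if n > ct_limit)


if __name__ == "__main__":
    reqs, _ = summarize_requests(SAMPLE_ACCESS_LOG)
    print("requests per IP:", dict(reqs))
    print("headless user agents from:", headless_ips(SAMPLE_ACCESS_LOG))
    conns = count_connections(SAMPLE_CONNECTIONS)
    print("connections per IP:", dict(conns))
    print("would exceed CT_LIMIT=2:", over_limit(conns, 2))
```

Run against a real domlog and a real report attachment, the two tallies answer the question in the thread separately: the access log shows what the remote side requested (and that a single screenshot fetch fans out into ordinary page-asset requests), while the connection list is the only thing CT_LIMIT looks at, regardless of which account or vhost the connections belong to.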
  • jeffschips

    Thank you quietFinn - but wouldn't I then get these reports when other users access my other sites?

    And shouldn't X_ARF be on?  I believe that's the default setting so that reports are actually sent.

    But I'll disable the X_ARF and see if that stops this from squarespace anyway.

    0
  • quietFinn

    CT_LIMIT counts only connections from an IP address to the server, it has nothing to do with the accounts.

    I believe the default for X_ARF = Off, I have never had it On.


    0
  • jeffschips

    I'll try that and report back - sounds like a plan.  Thanks!

    0
  • jeffschips

    So here's what's happening. Making X_ARF = Off stopped the alert from csf, but running csf -t (show me recent blocks in cpanel) shows the below response.  It's the most recent one triggered by my most recent visit 10 minutes ago, login to Squarespace and clicking on a domain to work on it:

    DENY  8.41.221.55  *    inout 23h 58m 5s       lfd - (mod_security) mod_security (id:949110) triggered by 8.41.221.55 (US/United States/-/-/-/[AS53831 SQUARESPACE]): 3

    Am I right in assuming at this point it's a mod_security issue?

    0
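    The last block in the thread is an lfd entry citing mod_security rule id 949110, which in the OWASP Core Rule Set is the inbound anomaly-score evaluation rule: it fires when the scores from other rules add up past the threshold, so the rule that actually matched the request has to be found elsewhere in the ModSecurity log. The script below is an added example, not code from the thread, CSF or ModSecurity: it reads ModSecurity v2 error-log entries, groups them by unique_id, and for every request that hit 949110 lists the other rules that contributed. The log lines, their rule ids 1001 and 1002 (local-rule range), file paths and messages are all constructed for the sample.

```python
"""Trace a ModSecurity anomaly-score block (CRS id 949110) back to its rules.

Added example for the thread; the sample entries below are constructed and
use placeholder rule ids in the local range, not real CRS rules.
"""
import re
from collections import Counter, defaultdict

SAMPLE_MODSEC_LOG = """\
[Wed Nov 20 09:11:15.100000 2024] [security2:error] [pid 1234:tid 5] [client 8.41.221.55:11262] ModSecurity: Warning. Pattern match "(?i)headless" at REQUEST_HEADERS:User-Agent. [file "/constructed/local.conf"] [line "10"] [id "1001"] [msg "Constructed: headless browser user agent"] [severity "WARNING"] [hostname "example.test"] [uri "/"] [unique_id "constructed-req-1"]
[Wed Nov 20 09:11:15.100500 2024] [security2:error] [pid 1234:tid 5] [client 8.41.221.55:11262] ModSecurity: Warning. Pattern match "cachebust" at ARGS_NAMES:screenshotCacheBust. [file "/constructed/local.conf"] [line "11"] [id "1002"] [msg "Constructed: cache-busting query parameter"] [severity "NOTICE"] [hostname "example.test"] [uri "/"] [unique_id "constructed-req-1"]
[Wed Nov 20 09:11:15.101000 2024] [security2:error] [pid 1234:tid 5] [client 8.41.221.55:11262] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/constructed/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "example.test"] [uri "/"] [unique_id "constructed-req-1"]
[Wed Nov 20 09:12:01.000000 2024] [security2:error] [pid 1234:tid 6] [client 203.0.113.7:50311] ModSecurity: Warning. Pattern match "cachebust" at ARGS_NAMES:screenshotCacheBust. [file "/constructed/local.conf"] [line "11"] [id "1002"] [msg "Constructed: cache-busting query parameter"] [severity "NOTICE"] [hostname "example.test"] [uri "/"] [unique_id "constructed-req-2"]
"""

# ModSecurity v2 writes its details as [key "value"] pairs; values may contain \" escapes.
ATTR_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client (?P<client>[^\]]+)\]')


def parse_modsec_entries(text):
    """One dict per ModSecurity line, holding its bracketed attributes plus client_ip and denied."""
    entries = []
    for line in text.splitlines():
        if "ModSecurity:" not in line:
            continue
        attrs = {m["key"]: m["val"] for m in ATTR_RE.finditer(line)}
        if "id" not in attrs:
            continue
        c = CLIENT_RE.search(line)
        # Apache 2.4 logs "client IP:port"; drop the port.
        attrs["client_ip"] = c["client"].rsplit(":", 1)[0] if c else None
        attrs["denied"] = "Access denied" in line
        entries.append(attrs)
    return entries


def contributing_rules(text, blocking_id="949110"):
    """For each request (unique_id) that reached the blocking rule, the other (id, msg) pairs it matched."""
    by_req = defaultdict(list)
    for e in parse_modsec_entries(text):
        by_req[e.get("unique_id")].append(e)
    result = {}
    for uid, entries in by_req.items():
        if any(e["id"] == blocking_id for e in entries):
            result[uid] = [(e["id"], e.get("msg", ""))
                           for e in entries if e["id"] != blocking_id]
    return result


def denials_by_ip(text):
    """How many requests per client IP ended in an Access denied entry."""
    return Counter(e["client_ip"] for e in parse_modsec_entries(text) if e["denied"])


if __name__ == "__main__":
    for uid, rules in contributing_rules(SAMPLE_MODSEC_LOG).items():
        print(uid, "blocked; contributing rules:")
        for rid, msg in rules:
            print("   ", rid, "-", msg)
    print("denials per IP:", dict(denials_by_ip(SAMPLE_MODSEC_LOG)))
```

Pointed at the real Apache error log (or the ModSecurity audit log, which uses the same bracketed attributes in its H section), the output shows which rules pushed a request over the threshold, which is the information needed before deciding whether a rule exclusion for a legitimate crawler is warranted or whether lfd's block should stand.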
