Port flood from Squarespace whenever I login to squarespace
Hello. I hope everyone is happy and safe.
I use Squarespace for a couple of domain registrations and have my DNS set up on my cPanel server. Whenever I log in to Squarespace for maintenance, I simultaneously receive the following port flood warnings from CSF:
300+ entries of:
tcp: 8.41.xxx.xx:30561 -> xx.xx.xxx.xxx:443 (TIME_WAIT)
This only happens when I log into Squarespace. My domains and DNS are working properly. I am NOT logging into Squarespace from my server.
I find it odd this should happen when I log into Squarespace to perform maintenance.
Unless I whitelist the squarespace ip address (which I've done), domain services won't do their job:
Clues?
Maybe it's best to contact Squarespace about this?
Andrew N. - cPanel Plesk VMWare Certified Professional
Yes indeed - I was just reading the Better Business Bureau reports on Squarespace. Lots of issues. I'm going to move away from them. No support. Would be good to know what other DNS services peeps here use and their experience with them. I'm finished with Squarespace.
I guess what I'm looking for before I escalate this is where in WHM would the detailed logs be for this error message? Currently it's being sent to me as a login failure message from CSF but I know the details of the error must be in some log file. I searched the log files /var/log/ but no joy. I've searched the log files in /usr/local/cpanel/logs but also no joy.
If all of the IP addresses are connecting to port 443 then I would expect you to find them in one of the Apache logs, most likely /etc/apache2/logs/access_log.
Does CSF say what service it is trying to log into? That would be the most helpful clue for determining the log file.
OK, some clues: when I access /var/log/apache2/domlogs there are calls to the website I'm working on in Squarespace. They have a tiny small image of the website in the GUI in Squarespace to click on in their control panel to open the DNS settings, which produces this error in /var/log/apache2/domlogs:
8.41.221.55 - - [20/Nov/2024:09:11:15 -0500] "GET /?screenshotCacheBust=1732111876163 HTTP/1.1" 301 265 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36"
Then after that above error, according to the logs in this domain's access_log, Squarespace is simply issuing calls that would be normal when accessing the website in real life.
But it doesn't seem to be getting access and csf sees this as a login-attack, it seems.
Category: abuse
Report-Type: login-attack
Service: port-flood
User-Agent: csf
Date: 2024-11-19T14:42:30-0500
Source: 8.41.221.55
Source-Type: ipv4
Attachment: text/plain
Schema-URL: https://download.configserver.com/abuse_login-attack_0.2.json
Thousands of these:
tcp: 8.41.221.55:11262 -> xx.xx.xx.xx443 (TIME_WAIT)
I have a report in to Squarespace but they are abysmal. Truly out to lunch.
There is no error.
In CSF there is a setting CT_LIMIT:
"Connection Tracking. This option enables tracking of all connections from IP
addresses to the server. If the total number of connections is greater than
this value then the offending IP address is blocked. This can be used to help
prevent some types of DOS attack."
Also you apparently have the CSF setting X_ARF = On.
Thank you quietFinn - but wouldn't I then get these reports when other users access my other sites?
And shouldn't X_ARF be on? I believe that's the default setting so that reports are actually sent.
But I'll disable the X_ARF and see if that stops this from squarespace anyway.
CT_LIMIT counts only connections from an IP address to the server, it has nothing to do with the accounts.
I believe the default for X_ARF = Off, I have never had it On.
I'll try that and report back - sounds like a plan. Thanks!
So here's what's happening. Setting X_ARF = Off stopped the alert from CSF, but running csf -t (show me recent blocks in cPanel) shows the response below. It's the most recent one, triggered by my most recent visit 10 minutes ago: logging in to Squarespace and clicking on a domain to work on it:
DENY 8.41.221.55 * inout 23h 58m 5s lfd - (mod_security) mod_security (id:949110) triggered by 8.41.221.55 (US/United States/-/-/-/[AS53831 SQUARESPACE]): 3
Am I right in assuming at this point it's a mod_security issue?
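As an added, constructed example (not code from this thread, CSF or Squarespace), this Python snippet parses the three artefacts quoted above, the connection-tracking lines, the domlog entry and the csf -t DENY line, counts connections per source IP against a CT_LIMIT value (the `states` filter mimics CSF's CT_STATES option) and checks whether an IP's requests look like the headless-Chrome screenshot fetch, so you can tell a benign preview crawler from a flood before deciding on an allow-list entry. The 203.0.113.x and 198.51.100.x addresses are documentation-range placeholders.

```python
import re
from collections import Counter
# Constructed sample of CSF connection-tracking lines like those quoted in the
# thread; a second IP (documentation range) is added so the threshold is visible.
CT_LINES = """\
tcp: 8.41.221.55:11262 -> 203.0.113.10:443 (TIME_WAIT)
tcp: 8.41.221.55:11263 -> 203.0.113.10:443 (TIME_WAIT)
tcp: 8.41.221.55:11264 -> 203.0.113.10:443 (ESTABLISHED)
tcp: 198.51.100.7:50123 -> 203.0.113.10:443 (TIME_WAIT)
"""
# Constructed Apache combined-format domlog entries; the first mirrors the
# HeadlessChrome screenshot fetch quoted in the thread.
DOMLOG = """\
8.41.221.55 - - [20/Nov/2024:09:11:15 -0500] "GET /?screenshotCacheBust=1732111876163 HTTP/1.1" 301 265 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/131.0.0.0 Safari/537.36"
198.51.100.7 - - [20/Nov/2024:09:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/132.0"
"""
# The csf -t line quoted in the thread, verbatim.
DENY_LINE = "DENY 8.41.221.55 * inout 23h 58m 5s lfd - (mod_security) mod_security (id:949110) triggered by 8.41.221.55 (US/United States/-/-/-/[AS53831 SQUARESPACE]): 3"

CT_RE = re.compile(r"^(?:tcp|udp): (?P<src>[\d.]+):\d+ -> \S+:(?P<dport>\d+) \((?P<state>\w+)\)$")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
DENY_RE = re.compile(r"^DENY (?P<ip>[\d.]+) .*?\(mod_security\) mod_security \(id:(?P<rule>\d+)\)")

def count_connections(text, states=None):
    """Connections per source IP, optionally limited to given states (like CT_STATES)."""
    counts = Counter()
    for line in text.splitlines():
        m = CT_RE.match(line)
        if m and (states is None or m["state"] in states):
            counts[m["src"]] += 1
    return counts

def over_limit(counts, ct_limit):
    """Source IPs whose total exceeds CT_LIMIT and would be blocked."""
    return sorted(ip for ip, n in counts.items() if n > ct_limit)

def requests_from(domlog, ip):
    """(request, user-agent) pairs that one IP produced in the domlog."""
    return [(m["req"], m["ua"]) for m in map(LOG_RE.match, domlog.splitlines())
            if m and m["ip"] == ip]

def is_screenshot_crawler(entries):
    """True if the traffic looks like the preview fetch: headless Chrome + screenshotCacheBust."""
    return any("HeadlessChrome" in ua and "screenshotCacheBust" in req for req, ua in entries)

def parse_deny(line):
    """Blocked IP and mod_security rule id from a csf -t DENY line, else None."""
    m = DENY_RE.match(line)
    return {"ip": m["ip"], "rule": int(m["rule"])} if m else None
```

Point `count_connections` at the saved CSF alert and `requests_from` at the real domlog for the blocked IP; if the count is over your CT_LIMIT but every request is the screenshot fetch, the block is a false positive from the preview crawler rather than a flood.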