Shared Hosting: Do you have questions about HostICan's Base-Host or Tera-Host shared plans? Please ask them here!

#1
Hello,
Without a fast and gentle solution I will leave HostICan. My site access is limited to 500 visitors with the same htaccess pwd. During two days 100 users using the proxy of their firm could no longer reach my site. It was difficult to find the reason for such a problem because HostICan support was saying that the problem came from the private proxy. In reality it was established that the problem came from HostICan, which blacklists any IP number causing 15 errors in the htaccess pwd procedure. How can HostICan create such a stiff rule? How can you do that without telling the webmaster? How can you blacklist an IP number without a time limit? I have lost many users... I think that the limit had to be more important before blacklisting and a time limit of 15 minutes sufficient to stop any dictionary attack. Don't ask me to use a php login procedure: I cannot change every page of my site to protect it against direct access. Please, don't ask me to change to vps for just 500 users. My English is not fluent so I cannot explain better my mind and my deception in front of a HostICan behaviour which could be considered as a little arrogant.
J.
Last edited by Jane; 01-23-2008 at 05:20 PM.
#2
Thanks for your post. Please let me know why someone would input a password incorrectly more than 15 times? - Can you explain this? Why are all your users going via a proxy site using the same IP? Most proxy servers that are configured have at least 4 different IPs. We're not arrogant, these policies are there for the protection of our servers and service. Basically what you're describing more than 15 times is known as "Brute Force" attacks, and so we treat it like a "Brute Force" attack.
__________________
Thanks, Denis Motova Affiliate / Operations Manager HostICan Answers | Become a HostICan Affiliate | Create a Support Ticket.
#3
When you change the main distributed password to 500 users many use the old one many times. You can write what you want to the users, you will obtain statistically more than 15 errors in particular if the users are not informaticians. The firm uses only one proxy and that cannot be changed by me or anyone but the boss (not reachable to talk about internet). When my users fail 15 times, it is not a brute force attack, it is a human false behaviour. With a 15 times test, you give everybody the opportunity to make a denial of service by blocking a whole domain without effort. A brute force attack has no chance with a 50 times error test and a 15 minutes standby between each attack. The attacker may test only 1'000'000 words in 200 days (1000000 / 50*15min), which is not enough for succeeding in a brute force attack. Your choice seems to be - excuse me the term - a little paranoid. What is more problematic: my users will not write to the webmaster to let him know the problem because 1- they cannot access the site to contact the webmaster 2- users rarely take time to complain. If a site doesn't answer more than 3 times, they forget it and I lose them. This has a heavy consequence: I will never know that another domain is blacklisted because you don't give me any tool to know which IP is blacklisted. Please, reconsider your philosophy with regard to human behaviour too, not only from a theoretical/technical point of view.
#4
Normally people don't all come from the same IP, that's what the core problem is. Not that I'm pointing fingers. However, you guys really should check into why you have only 1 IP with that many users. For example, I worked in an office that had 3000 staff members, and they forced all of us to use their "office proxy server" but every time we would hit it, it would route it out of a different IP address (I think they gave it a whole 254 IP addresses). Anyways, what you're asking is 50 people to be wrong with their password more than 15 times? - Normally what happens is ... hey this user / password doesn't work... Gee let me stop trying? - Some people will just try it 50 times just to see how many times they can retry. The very reason why your site hasn't been hacked or defaced is due to security features just like this one. I think you're starting to expect a little too much out of a simple shared hosting account.... to be honest. It's not meant to serve 500 people with login issues.
__________________
Thanks, Denis Motova
#5
1 person with badly configured FTP software can trigger 20 failed login attempts within a minute. Jane, you'll have to ensure that everyone has their FTP software set to only try once when a bad password is used.
Additionally, with 500 users, you really need to speak with the system administrator to allow your proxy more outbound IP addresses to use. Otherwise, you'll experience this with many of the major web hosting companies out there. Otherwise, yes, for this type of corporate environment with 500 people, I can't understand why you can't upgrade to a dedicated server (or even VPS) to configure this on your own?
#6
Thank you for your replies.
Inxcode you don't understand my point of view, surely because of my bad English. You wrote: "Anyways, what you're asking is 50 people to be wrong with their password more than 15 times? - Normally what happens is ... hey this user / password doesn't work... Gee let me stop trying? - Some people will just try it 50 times just to see how many times they can retry." I am trying to explain that 100 users have the same IP number because of the proxy server. It is not one user who will fail 50 times but a lot of users who will fail 3 or 4 times. It is human behaviour in circumstances where HostICan thinks, because of the same IP, that it is the same user. It would be easy to limit the time of the blacklisting too. The ftp wasn't the problem because nobody uses it but me. My web pages are made for an association which has no money to put in a dedicated server. Really, I find your rule very technocratic. Think different. I have asked other good hosting providers. They don't apply such a rule. You give me no solution. So I have to leave HostICan though I was satisfied with everything else. Sorry.
Regards. J.
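
Added example, not part of the thread and not HostICan's code: a small simulation of the two per-IP lockout rules argued over in posts #1 to #6 (15 failures with no expiry, versus 50 failures with a 15-minute block). The proxy address, the attempt timings, the choice not to reset the counter on a successful login, and the absence of later retries are all assumptions of this sketch.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    max_failures: int            # failed logins from one IP before it is blocked
    block_s: Optional[int]       # block length in seconds; None = never expires

def simulate(policy, events):
    """events: time-ordered (t, ip, user, password_ok) tuples."""
    failures, blocked_until, served, rejected = {}, {}, set(), 0
    for t, ip, user, ok in events:
        if t < blocked_until.get(ip, 0):      # blocked IP: request never reaches auth
            rejected += 1
        elif ok:
            served.add(user)
        else:
            failures[ip] = failures.get(ip, 0) + 1
            if failures[ip] >= policy.max_failures:
                blocked_until[ip] = math.inf if policy.block_s is None else t + policy.block_s
                failures[ip] = 0
    end = events[-1][0]
    still_blocked = sorted(ip for ip, until in blocked_until.items() if until > end)
    return {"served": len(served), "rejected": rejected, "still_blocked": still_blocked}

def days_to_try(policy, guesses):
    """Time one source IP needs for `guesses` attempts, ignoring request latency."""
    if policy.block_s is None:
        return math.inf if guesses > policy.max_failures else 0.0
    return guesses / policy.max_failures * policy.block_s / 86400

# Constructed scenario from the thread: 100 users behind one proxy IP, each
# trying the old shared password 3 times before entering the new one.
PROXY_IP = "192.0.2.10"          # documentation address, not from the thread
EVENTS = [(60 * u + 5 * k, PROXY_IP, u, k == 3) for u in range(100) for k in range(4)]

HOST_RULE = Policy(max_failures=15, block_s=None)      # rule described in post #1
PROPOSED = Policy(max_failures=50, block_s=15 * 60)    # rule proposed in post #3

if __name__ == "__main__":
    for name, p in (("15 failures, no expiry", HOST_RULE), ("50 failures, 15 min", PROPOSED)):
        print(name, simulate(p, EVENTS), "days for 1e6 guesses:", days_to_try(p, 1_000_000))
```

In this constructed run the rule without expiry serves 4 of the 100 users and leaves the proxy IP blocked, while the time-limited rule serves 55 on their first visit and its last block has expired before the final request. Both rules count failures per source IP, so both treat the shared proxy as a single client.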
#7
There are many other providers out there, on this point you are right. However, not all of them have the stability and superior support that HostICan has. If you are leaving, I wish you the best of luck.
__________________
Thanks, Denis Motova
#8
Just a last question Denis: can you guarantee that a VPS would let us stop the blacklisting problem?
Regards, Jane
#9
I can guarantee that it would resolve this problem. Yes, it would resolve this issue.
__________________
Thanks, Denis Motova
#10
Denis,
I too am having the problem described in this thread. I could not remember the password I created on one of my sub-directories. I don't know how many times I tried. I have a few username/password combos for several of my domains and apparently tried more than 15 times. Now, I cannot access any of my own sites (about 10) on my own domain. How do I get my IP address removed from the blacklist? I agree with Jane, this is an extremely restrictive rule. The irony is that the blacklist only blocks requests over HTTP but I can still access the same server via FTP.
Scott