IP Banned For No Reason

New Member Joined: Dec 07, 2003 Posts: 22 Location: USA

Hello,

Not only did sentinal block an IP for no reason, the thought of me using the popups to crash someone computer who didnt deserve it really hurt. I know if I'm hurt from the thought of crashing someone computer I can only imagine how the person felt therefore, I decided to remove sentinal from my website. It's not fair to people to get banned and then torture for nothing.

The person who was banned was not hacking my site, actually they was browsing my forums user groups.

This is the message I received from sentinal....* Notice * the query string used... that's not a hack thats one of my usergroups.

Date & Time: 2004-05-29 21:32:34
Blocked IP: 193.218.115.6
User ID: Anonymous (1)
Reason: Abuse - AGENT
--------------------
User Agent: Szukacz/1.5 (robot; [ Only registered users can see links on this board! Get registered or login! ] [ Only registered users can see links on this board! Get registered or login! ])
Query String: [ Only registered users can see links on this board! Get registered or login! ]
Forwarded For: none
Client IP: none
Remote Address: 193.218.115.6
Remote Port: 1556
Request Method: GET
--------------------
Who-Is for IP 193.218.115.6

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL

ReferralServer: [ Only registered users can see links on this board! Get registered or login! ]

NetRange: 193.0.0.0 - 193.255.255.255
CIDR: 193.0.0.0/8
NetName: RIPE-CBLK
NetHandle: NET-193-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH03.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at [ Only registered users can see links on this board! Get registered or login! ]
RegDate: 1992-08-12
Updated: 2004-03-16

Posted: Sun May 30, 2004 6:33 am

Okay, I was told at NC that this was only a bot that I tortured and I could turn the popup of death off via admin cp. <exhale>.. a big relief. The thought of me torturing innocent people pierce my heart. I like the feature but it's not fair to innocent bystanders (surfers) to crash their computer. I know I would hate to have something like that done to me because of a search I did at their website. Oh yeah, now that I brought up the word "search" here's a question.... On my forums we discuss alot of things like marriages, etc. Sometime people use the word "union" or "commitment" when they discuss marriages. If someone does a search on my forum using the keyword "union" will they get banned?

Posted: Sun May 30, 2004 6:56 am

Okay, another question... The script didn't write the ban IP to my htaccess file. I know I have it config right as in the path to the file. Am I suppose to chmod my .htaccess to 666 or 777?

Posted: Sun May 30, 2004 7:21 am

This is from the README FILE:

(CHMOD 666) Be sure your .htaccess file
has atleast one blank line at
the end of it.

Posted: Sun May 30, 2004 7:25 am

The path to your htaccess is probably just: .htaccess

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

foxyfemfem wrote:

Okay, I was told at NC that this was only a bot that I tortured and I could turn the popup of death off via admin cp. <exhale>.. a big relief. The thought of me torturing innocent people pierce my heart. I like the feature but it's not fair to innocent bystanders (surfers) to crash their computer. I know I would hate to have something like that done to me because of a search I did at their website. Oh yeah, now that I brought up the word "search" here's a question.... On my forums we discuss alot of things like marriages, etc. Sometime people use the word "union" or "commitment" when they discuss marriages. If someone does a search on my forum using the keyword "union" will they get banned?

Of course they won't get banned Laughing

. That "trap", just as in the other security applications out there, look for specific patterns in the http protocol responses, not the functionality of the cms itself. The best thing to do is just test it on your own site. It's simple enough to unban using phpmyadmin. Then, if you discover false positives, let us know and we will see if we can fix them. BTW, v1.1 will be released shortly and it gives you much more control over each type of hack attempt as to how Sentinel(tm) responds.

Posted: Sun May 30, 2004 12:09 pm

On the banned IP, you notice it lists Abuse - AGENT as the reason. You can edit the Harvester list to as few or as many as you want blocked.

The default list comes from a site that lists known bad bots and web rippers. Some of the listed rippers are email harvesters some are graphics harvesters and some are page harvesters.

We left the default list the way it was to cover as many as possible without creating a list that would slow you site to a crawl.

I hope this help you to understand why that ip was banned and how to adapt the list to suit your needs. Removing from the list is a simple as deleting one of the strings listed and adding to the list is just as simple as adding a new line with a string in it Smile

Hangin' Around Joined: May 30, 2004 Posts: 46

Sentinel is banning IP's from all around the globe because the User-Agent is:

Mozilla/4.0 (compatible; Powermarks/3.5; Windows 95/98/2000/NT)

Using Proxomitron I set the same User-Agent and it banned me also. The keyword that Sentinel is looking at is 'Powermarks'. By changing the spelling of Powermarks by taking away letters from the end of the word, Sentinel will ban everything from Powermarks down to Powerma but won't ban "Powerm'.

The puzzeling part is that in the Harvest ban List there isn't anything close to Powermarks that I can find. I've got about 20 IP's that have been banned for that reason.

Posted: Mon May 31, 2004 9:56 am

I'm checking into this. Not sure why it's doing that since Powermarks isn't in hte harvest list.

Posted: Mon May 31, 2004 10:12 am

Here are a few of the query strings.
[ Only registered users can see links on this board! Get registered or login! ] [ Only registered users can see links on this board! Get registered or login! ]

Looking through the logs I've also got these banned User-Agents.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Cox High Speed Internet Customer)

Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; ONDOWN3.2; Q312461; Cox High Speed Internet Customer)

Posted: Mon May 31, 2004 10:22 am

Goto Sentinel(tm) Configuration and look thru the Harvest List and remove the line rma. It took a minor code change for me to find what it was matching to but that is the one. I'll remove it from the next releases installer.

Posted: Mon May 31, 2004 10:29 am

Thanks alot. I removed it and will let you know how it goes. Very Happy

Posted: Tue Jun 01, 2004 6:52 am

Removing rma solved the problem. Thanks again for your great support and a great product.

Posted: Tue Jun 01, 2004 10:23 am

Captain, if your getting Cox Internet Customers banned look for custo in hte harvest list and remove it. Chat had this issue as well so the first harvest list had a couple of strings that need to be removed. I can post a sql query that will reset the list to a list with these two and a couple of others I can't remember removed.