
I've been wallbashing my head on this problem for a couple of days and I'm totally out of ideas.
We are moving our site to a new host.
Our site works BOTH in local AND on the old host.
No changes made to the code, but the new host bans our IP after a few refreshes.
No errors seem to be given by PHP/Apache.
Eventually, we could get these few lines of log from our new host:

    [Mon Jun 17 07:46:45 2013] [error] [client 79.1.74.166] ModSecurity: Access denied with code 404 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"] [line "56"] [id "340206"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "194.28.116.82"] [uri "/~aquaelit/serie.php"] [unique_id "Ub6ixcIcdFIAAGgWchQAAAAO"]
    [Mon Jun 17 07:46:45 2013] [error] [client 79.1.74.166] ModSecurity: Access denied with code 404 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"] [line "56"] [id "340206"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "194.28.116.82"] [uri "/~aquaelit/cms/prodotti/index.php"] [unique_id "Ub6ixcIcdFIAAFgPg3MAAAAD"]
    [Mon Jun 17 07:46:48 2013] [error] [client 79.1.74.166] ModSecurity: Access denied with code 404 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"] [line "56"] [id "340206"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "194.28.116.82"] [uri "/~aquaelit/cms/prodotti/sys_cpanel/images/bottombody.jpg"] [unique_id "Ub6iyMIcdFIAAHqUzh4AAAAA"]
    [Mon Jun 17 07:46:48 2013] [error] [client 79.1.74.166] ModSecurity: Access denied with code 404 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"] [line "56"] [id "340206"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "194.28.116.82"] [uri "/~aquaelit/sys_cpanel/images/bottombody.jpg"] [unique_id "Ub6iyMIcdFIAABEoS14AAAAH"]
    [Mon Jun 17 07:46:50 2013] [error] [client 79.1.74.166] ModSecurity: Access denied with code 404 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/usr/local/apache/conf/modsec_rules/70_asl_csrf_experimental.conf"] [line "56"] [id "340206"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "194.28.116.82"] [uri "/favicon.ico"] [unique_id "Ub6iysIcdFIAABEnSQoAAAAG"]

As far as I've understood, it looks like our IP changes during a session. Well this simply cannot be, so I'm asking if any of you has an idea about what's going on.
My web searches so far have been pointless and we feel lucky when we receive a mail from support once a day, so before we change host again, I'm asking here.
Thanks in advance.

Alan Piralla
  • Have you tried accessing the website from another network/IP? –  Jun 17 '13 at 13:01
  • Sure, and it works for like 4-5 refreshes, then the new IP gets banned as well. We have a dynamic IP so we can restart the modem to change it, but we can't sell the work to our client as long as this problem remains. – Alan Piralla Jun 17 '13 at 13:06
  • Very interesting. Have you confirmed that your IP is not changing during the session by checking your external IP before and after a "ban"? It's highly unlikely, but better to ask the easy questions now than to spend hours trying to troubleshoot problems that don't exist. –  Jun 17 '13 at 13:11
  • 100% sure, tried from different PCs, different IPs and different zones as well. I wonder if that can be due to the link we've been given to access the site, which is http://173.198.255.195/~aquaelit/ since that's our host's IP shared for different sites. – Alan Piralla Jun 17 '13 at 13:16
  • It's not the URL. The "/~aquaelit" part basically says "read the files in the /~aquaelit directory found on the server at this IP", so the fact that it's an IP doesn't matter (unless your hosting company is doing something weird). Anyway, I've poked around on the site a little, and I can't get it to block me. I tried using the same PHP session IDs in my browser and a proxy at the same time, I've tried using new session IDs, and it's not doing anything to me. Have you tried clearing your cookies/sessions/cache or using a new browser? –  Jun 17 '13 at 13:33
  • Yes, as I said we've accessed the site from different PCs as well, and from home too. We all end up banned eventually. About the link used to access the site, I was referring to this discussion I randomly found: http://www.webhostingtalk.com/showthread.php?t=1249975 – Alan Piralla Jun 17 '13 at 13:37
  • Or, the problem could be when we access the CMS that plays with session variables. Try if it blocks you once you get there: http://173.198.255.195/~aquaelit/cms and just fail a couple of accesses with admin/password. – Alan Piralla Jun 17 '13 at 13:40
  • Yeah. I saw that discussion as well. I tried unsuccessfully logging on about 7 or 8 times, and after it said I was blocked, I just got a new Session ID and I was back at 0 failed attempts. I'd assume it's something wrong with Mod Security, but I can't know for sure without seeing your code. Does your website set sessions? –  Jun 17 '13 at 13:46
  • The most impressive fact is that you're not banned yet. Yes, several session variables are set to deal with language etc. I'm still out of hints. – Alan Piralla Jun 17 '13 at 13:51
  • I'd assume that it's Mod Security because of this related [blog post](https://secure.jwall.org/blog/2009/01/08/1231374852674.html) I found. I'd assume it's something involving your hosting company unless the session data is being set within your website and banned using Mod Security within your website (which I highly doubt). If your hosting company can't resolve the issue, you should probably move to another hosting service. –  Jun 17 '13 at 13:53
  • Thank you for your help so far, I'll come back to this discussion if I get any new info. – Alan Piralla Jun 17 '13 at 13:55
  • Please do. I've seen this exact question be asked a few other places across the Internet, and none of them have any resolution. –  Jun 17 '13 at 13:56
  • Something happened during last night, possibly on server side. We are no longer being banned today. We've already tested from different machines again. No feedback from sysadmin so far, so we have no clues about what happened. My speculation is that they were comparing our IP against a cached one which caused the conflict. I'm going to update again should we receive any answer to our latest mails. – Alan Piralla Jun 18 '13 at 06:30
  • We've been banned again several times today. After the first ban we decided to move to a new host. We did nothing but download the files back to our server from theirs, and we keep being banned. It's pretty clear now that it's an issue on the server side, something related to their security rules, but they don't answer our mails so we are moving away. – Alan Piralla Jun 18 '13 at 12:59
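
A triage aid for the log excerpt in the question, added here as an example and not part of the original thread: it parses ModSecurity denial entries in the quoted error-log format, rejoins entries that were wrapped across lines, and groups them by rule id with the client addresses and URIs involved. The sample log is constructed (documentation IP addresses, made-up `unique_id` values) and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the question.
_LINE = ('[Mon Jun 17 07:46:{sec} 2013] [error] [client 203.0.113.10] ModSecurity: '
         'Access denied with code 404 (phase 1). Match of "streq %{{SESSION.IP_HASH}}" '
         'against "TX:ip_hash" required. [file "/usr/local/apache/conf/modsec_rules/'
         '70_asl_csrf_experimental.conf"] [line "56"] [id "340206"] [msg "Warning - '
         'Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "198.51.100.5"] '
         '[uri "{uri}"] [unique_id {brk}"constructed-{sec}"]')
SAMPLE_LOG = "\n".join([
    _LINE.format(sec=45, uri="/serie.php", brk=""),
    _LINE.format(sec=46, uri="/cms/index.php", brk="\n"),  # entry wrapped mid-tag
    "[Mon Jun 17 07:46:47 2013] [notice] caught SIGTERM, shutting down",
    _LINE.format(sec=48, uri="/favicon.ico", brk=""),
])

HEAD = re.compile(r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
                  r'ModSecurity: Access denied with code (?P<status>\d+) \(phase (?P<phase>\d+)\)')
TAG = re.compile(r'\[(\w+)\s+"((?:[^"\\]|\\.)*)"\]')   # [key "value"] metadata tags
START = re.compile(r'^\[\w{3} \w{3} +\d')              # "[Mon Jun 17 ..." opens an entry

def entries(text):
    """Yield one string per log entry, rejoining entries wrapped across lines."""
    current = ""
    for line in text.splitlines():
        if START.match(line) and current:
            yield current
            current = line
        else:
            current = (current + " " + line.strip()).strip()
    if current:
        yield current

def parse(text):
    """Return one dict per ModSecurity denial; other log entries are skipped."""
    heads = ((HEAD.match(e), e) for e in entries(text))
    return [{**dict(TAG.findall(e)), **h.groupdict()} for h, e in heads if h]

def summarize(events):
    """Per rule id: hit count plus the distinct client IPs and URIs involved."""
    out = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set()})
    for e in events:
        out[e["id"]]["hits"] += 1
        out[e["id"]]["clients"].add(e["client"])
        out[e["id"]]["uris"].add(e["uri"])
    return dict(out)

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

When a rule that reports an IP mismatch lists only one address under `clients` for a single tester, the address Apache logged did not change between the denied requests.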

0 Answers