Why is my IP address getting blocked?


If your IP address has been blocked, any attempt to access your website, DirectAdmin, or webmail will take a long time to respond and will eventually end in a time-out error. This is probably due to your IP address being blocked by the firewall.


A firewall is a security system that operates as a filter, allowing the server to block unwanted or dangerous access. Some events, such as numerous login attempts with wrong credentials, activate the firewall rules, and, consequently, the IP address gets blocked.

Let’s see how to figure out whether your IP address has been blocked, what the main causes of a block are, and what to do if your IP address has been blocked.

 

Incorrect username or password

If repeated login attempts are made with the wrong credentials in a short time, the system temporarily blocks the IP address.

This system is used to mitigate brute-force attacks, that is, attempts to discover the password by trying combinations of different characters until the correct one is found.

The most common reasons why you may have your IP address blocked due to credential issues are:

  • Repeated attempts to access the admin area of your website (for example the WordPress backend) with the wrong username and password combination.
  • Repeated attempts to access DirectAdmin with the wrong user credentials.
  • Repeated attempts to access Webmail with the wrong combination of email address and password.
  • Repeated attempts to access your email accounts (using, for example, Outlook or Thunderbird) with the wrong user credentials.
  • Repeated attempts to access your FTP accounts (using, for example, FileZilla or WinSCP) with the wrong user credentials.
  • Additional mobile devices set to auto-login using expired credentials.

 

ModSecurity

With over 70% of all attacks now carried out at the web application level, organizations need all the help they can get in making their systems secure.

ModSecurity is a web application firewall. It is deployed as an external security layer that increases the protection level and detects and prevents attacks before they reach web-based software programs.

 

Most common errors

The most common page error triggered by a ModSecurity rule on our shared and reseller web hosting servers is the '403 Forbidden' error (see picture below). You may also receive '404 Not Found' or '500 Internal Server Error' errors, but this is less common.

PICTURE

Usage

The module is configured to protect web applications from various attacks. ModSecurity supports a flexible rule engine that can perform both simple and complex operations. It comes with a Core Rule Set (CRS), which has various rules for:

  • cross-site scripting
  • bad user agents
  • SQL injection
  • trojans
  • session hijacking
  • other exploits

ModSecurity works in the background, and every page request is checked against various rules to filter out requests that seem malicious. These can be requests made to exploit vulnerabilities in your website software with the sole goal of hacking the site.

Sometimes, due to poor website coding, ModSecurity may incorrectly determine that a certain request is malicious when it is actually legitimate. When this happens, you will see a 403 error on screen.

If you do run into an issue with false positives triggered by ModSecurity, you can whitelist the offending rule on the server. To do so, check the php.log for your domain, find the appropriate rule number, and disable it in DirectAdmin > ModSecurity. It is also possible to disable ModSecurity for a specific domain name, but you should understand the implications of removing ModSecurity protection.

NOTE: If you have trouble disabling the offending ModSecurity rule, please do not hesitate to get in touch!
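As an added example (not part of the original article or of Woktron's tooling), the script below shows one way to find the rule number behind repeated 403 errors by tallying ModSecurity denials per rule and URL. It assumes the log lines follow the standard ModSecurity 2.x Apache error-log layout; the sample lines, file path, hostname and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample: four ModSecurity denials plus one unrelated PHP warning.
SAMPLE_LOG = """\
[Tue Mar 05 10:14:02.118734 2024] [:error] [pid 2211] [client 203.0.113.7:50412] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity.d/crs.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[Tue Mar 05 10:14:31.502110 2024] [:error] [pid 2211] [client 203.0.113.7:50418] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity.d/crs.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[Tue Mar 05 10:15:09.007741 2024] [:error] [pid 2214] [client 203.0.113.7:50430] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity.d/crs.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.com"] [uri "/wp-admin/post.php"]
[Tue Mar 05 10:15:40.000000 2024] [php:warn] [pid 2214] [client 203.0.113.7:50431] PHP Warning: Undefined variable in /home/user/public_html/index.php on line 3
[Tue Mar 05 10:20:55.913002 2024] [:error] [pid 2230] [client 198.51.100.23:41877] ModSecurity: Access denied with code 403 (phase 1). [file "/etc/modsecurity.d/crs.conf"] [line "12"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [hostname "example.com"] [uri "/"]
"""

# ModSecurity metadata is written as [key "value"]; values may contain \" escapes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Apache 2.4 logs the client as address:port; the trailing port is dropped.
CLIENT = re.compile(r'\[client (\S+?)(?::\d+)?\]')


def parse_denials(log_text):
    """Yield one record per ModSecurity 'Access denied' line; skip all other lines."""
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "id" not in fields:
            continue  # denial without a rule id: nothing to disable
        client = CLIENT.search(line)
        yield {"rule_id": fields["id"], "uri": fields.get("uri", "?"),
               "msg": fields.get("msg", ""),
               "client": client.group(1) if client else "?"}


def summarize(log_text):
    """Return (rule id, URI, hits, client IPs), most frequent first."""
    hits, clients = Counter(), {}
    for d in parse_denials(log_text):
        key = (d["rule_id"], d["uri"])
        hits[key] += 1
        clients.setdefault(key, set()).add(d["client"])
    return [(rid, uri, n, sorted(clients[(rid, uri)]))
            for (rid, uri), n in hits.most_common()]


if __name__ == "__main__":
    for rule_id, uri, count, ips in summarize(SAMPLE_LOG):
        print(f"rule {rule_id}: {count} hit(s) on {uri} from {', '.join(ips)}")
```

A rule that fires repeatedly on one of your own admin URLs from your own IP address is the likely false positive; hits from unfamiliar addresses are the rule doing its job and are no reason to disable it.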

 

When to contact us

If ModSecurity rules are triggered too often on your website, the corresponding IP address (the one those requests are sent from) will be blocked by the server firewall. This will result in your DirectAdmin account being completely unavailable from this IP address.

NOTE: Resellers can remove IP addresses from the firewall themselves. Simply log in to DirectAdmin, head to ConfigServer Firewall and enter the IP in question.

 

Use of incorrect ports

  • Use of incorrect ports for FTP
    See this article for additional information.
  • Use of incorrect ports for e-mail
    See this article for additional information.
  • Use of old control panel ports
    New users occasionally expect to find the control panel for their service on port xxxx or xxxx for cPanel or port xxxx for Plesk. DirectAdmin, the control panel that Woktron utilizes, communicates on port 2222 exclusively.

 
