Odd problem accessing this site

[RevLogos]

Last Tuesday evening, from home, I lost access to this site. I got timeout messages. I tried pinging which also timed out. I have 3 computers on my home net, and none of them could access this site, even though they have different OS.

Then I tried connecting a PC directly to the cable modem, bypassing the router. Success! This narrows it down to the router.

I tried flushing the DNS, a hard reset, upgrading the firmware, checking all settings, etc. but no luck.

So, I pulled the router and installed a backup router. Success again! All is well. (The first router is a Linksys WRT54GS, the second a WRT54GL).

That is, it worked for one day at least. Then this router did the same thing. Of the sites I visit, only this site was not accessible. No response to a ping.

I also tried adjusting the MTU size from 1500, 1492 and on down, but no luck there. did the same things as I did before, no luck.

So I broke down and bought another router. It is working, for now, (which is why I can post this) but I would still like to figure out what is happening.

Some have suggested it is a problem with the MTU negotiation but changing the size didn't work.

My question is, is there anything that changed on the server side, on or about last Monday 6/28 that might confuse a router?

[bdh]

I used to have a different ISP and they did a thing which caused endless problems for me. I would get an IP like any normal user but they would also advertise their proxy IP in the HTTP headers. Message boards would go bananas and I would often be logged [or banned in one case] out for no reason. There was a reason of course -- my IP would change mid session.

Not saying it's what is happening to you but it's worth a look. Go to http://software77.net/geo-ip/ -> "Full Details" and see how many IP addresses are being reported. (You should only have a "REMOTE_ADDRESS" and nothing else).

[RevLogos]

No, only one IP address.

I am having the same problem again with the new router.

Also, I discovered that on 2 occasions, this site was blocked after accessing it through one particular laptop PC on my LAN.

It is as if this site (74.81.88.114) was blocking my IP address. Is this possible? Are there any conditions where this IP could block other incoming IP's? Could the laptop have sent something this site didn't like?

[bdh]

Very possible. Besides a firewall that examines every packet it's also integrated into some other custom software that looks for things like XSS and remote shell and bot scripts and a whole bunch of other stuff. I'm looking up your IP now but If I don't find anytihng, I'll need to know what it is when you actually have the problem.

[IMINXTC]

Out of curiosity, Rev...you said in another post you were cable and I was wondering if this is DSL, or in other words, do you have a modem that can be hard-reset (complete factory reset).

I really believe a hard reset, first for the modem, then whatever router, (which I believe you already tried) will do it, from past experience. Your modem has an issue which will keep popping up no matter what router.

PS: And of course, clear all cookies before attempting to log in.

Warning: I'm usually wrong.

[bdh]

Think I found something. One of your previous IP addresses was 70.162.X.X:

Code:

[Sun Jul 04 01:17:08 2010] [error] [client 70.162.X.X] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "david.tld0.net"] [uri "/"] [unique_id "TC-hFEpRWHIAADBfHigAAAAD"]

According to a thread on another tech forum it states:

This rule would be used for PCI validation of the server.

It would block the track/trace methods that exist and get flagged when you have a PCI check done

[RevLogos]

Very possible. Besides a firewall that examines every packet it's also integrated into some other custom software that looks for things like XSS and remote shell and bot scripts and a whole bunch of other stuff. I'm looking up your IP now but If I don't find anytihng, I'll need to know what it is when you actually have the problem.

Thanks. The IP I was using that I cannot connect with is 68.96.63.8.

[RevLogos]

Think I found something. One of your previous IP addresses was 70.162.X.X:

Code:

[Sun Jul 04 01:17:08 2010] [error] [client 70.162.X.X] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "41"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "david.tld0.net"] [uri "/"] [unique_id "TC-hFEpRWHIAADBfHigAAAAD"]

According to a thread on another tech forum it states:

Well at least this might be the explanation. What does this error 501 mean in English?

[bdh]

Not so much the 501 error but the reason for the error. According to cPanel, it says:

Looks like someone is trying to make requests on your server other than the methods permitted by your mod_sec ruleset (GET, POST, HEAD, OPTIONS) and mod_sec is blocking that request. Usually this is someone who is trying to use the TRACE method to get unauthorized information from the server such as cookie data.

I've temporarily disabled two of the rules. Let's see if that helps.

What browser are yo using? Have you tried a different browser?

[RevLogos]

Not so much the 501 error but the reason for the error. According to cPanel, it says:

I've temporarily disabled two of the rules. Let's see if that helps.

What browser are yo using? Have you tried a different browser?

I have run a complete virus/spyware scan, and uninstalled and reinstalled FireFox on the laptop that caused this problem. I didn't find any issues. However, that laptop has an option enabled on its anti-virus, that plugs into the browser, that the other PCs don't have. So I am suspecting the ZoneAlarm web browsing security feature. It is claimed to do the following:

• Anti-phishing – Warns you and blocks fraudulent "phishing" websites that trick you into revealing personal data. Advanced heuristics detect brand new phishing sites created seconds ago that standard anti-phishing security misses.
• Spy-site Blocking – Warns you and blocks web sites that are known to distribute spyware.
• Site Authentication – One-click tells you when a site was registered, where, and if it is known to be dangerous.

Perhaps it was sending an unexpected query. I have disabled this feature too.

I would like to test it tonight. Is it possible for you to unblock 68.96.63.8?