ASL 4 web interface issues
We are currently in the process of testing ASL 4 on some of our boxes.
We have seen a couple of issues in the ASL web:
1. Security Events > Summary: all tables and graphs stay empty. Events can only be found under Search and Recent Events.
2. When clicking the event for more details, an event detail window opens, but it stays blank. Happens for all events.
3. Click "View all activity from this IP" -> shows an empty table "No events matched your filter selections.", although there should be events.
4. Accidentally clicked the [+] icon after a TLD, apparently this directly attempts to geoblock the whole country and reloads the firewall (please add an "are you sure" to these icons).
5. The functionality for adding a geoblock contains a bug: it inserts a lot of deny from 0.0.0.0 firewall rules, effectively blocking EVERY incoming connection.
Lemonbit Internet Dedicated Server Management
Re: ASL 4 web interface issues
So far, I've experienced two issues with the latest version of ASL...
1. While using the web interface, when I click the False Positive button a new window opens up and I just see a "Cancel" button in the middle of the window. There's no indication as to whether or not the false positive report was actually sent.
2. The other issue was with Geo-Blocking. I apparently had too many countries being blocked and it slowed my system down to a grinding halt. With 3.2 I had no issues with blocking almost every country other than a small handful. Something changed with how that works, because as soon as I upgraded my server load shot through the roof and the rules updates would take almost 2 hours to complete. I cleared out my geo-block list and everything cleared up immediately.
Everything else appears to be working quite well. I love some of the new capabilities! Well done ASL!
Re: ASL 4 web interface issues
prupert:

> 1. Security Events > Summary: all tables and graphs stay empty. Events can only be found under Search and Recent Events.
> 2. When clicking the event for more details, an event detail window opens, but it stays blank. Happens for all events.
> 3. Click "View all activity from this IP" -> shows an empty table "No events matched your filter selections.", although there should be events.

run:
1) /var/asl/bin/aum -uf
2) /var/asl/bin/asl -s -f
If that does not resolve, please open a support case.

> 4. Accidentally clicked the [+] icon after a TLD, apparently this directly attempts to geoblock the whole country and reloads the firewall (please add an "are you sure" to these icons).

On the way.

> 5. The functionality for adding a geoblock contains a bug, it inserts a lot of deny from 0.0.0.0 firewall rules, effectively blocking EVERY incoming connection.

Not reproducing it here, was there a particular country or countries you got this on?

spaceout:

> 1. While using the web interface, when I click the False Positive button a new window opens up and I just see a "Cancel" button in the middle of the window. There's no indication as to whether or not the false positive report was actually sent.

Was there a particular rule id this happened with, or any?

> 2. The other issue was with Geo-Blocking. I apparently had too many countries being blocked and it slowed my system down to a grinding halt. With 3.2 I had no issues with blocking almost every country other than a small handful. Something changed with how that works, because as soon as I upgraded my server load shot through the roof and the rules updates would take almost 2 hours to complete. I cleared out my geo-block list and everything cleared up immediately.

We are looking into some options with this.
Re: ASL 4 web interface issues
jgodwin wrote:

> prupert:
> > 1. Security Events > Summary: all tables and graphs stay empty. Events can only be found under Search and Recent Events.
> > 2. When clicking the event for more details, an event detail window opens, but it stays blank. Happens for all events.
> > 3. Click "View all activity from this IP" -> shows an empty table "No events matched your filter selections.", although there should be events.
>
> run:
> 1) /var/asl/bin/aum -uf
> 2) /var/asl/bin/asl -s -f
> If that does not resolve, please open a support case.

Ran the commands, no help unfortunately, will open a support case.
Lemonbit Internet Dedicated Server Management
Re: ASL 4 web interface issues
jgodwin wrote:

> > 5. The functionality for adding a geoblock contains a bug, it inserts a lot of deny from 0.0.0.0 firewall rules, effectively blocking EVERY incoming connection.
>
> Not reproducing it here, was there a particular country or countries you got this on?

Netherlands, the country code was nl
What 'iptables -L -n' showed when logged in through the console was for every IP block a DENY <ipblock> and on the next line a DENY 0.0.0.0 iptables rule.
Lemonbit Internet Dedicated Server Management
- mikeshinn
- Atomicorp Staff - Site Admin
Re: ASL 4 web interface issues
That's definitely not on any of the country lists (plus any address like that is fail safe-ed on our end before we send them out). Are you sure it was from the geoip lists and not from one of the third party RBLs, or wasn't manually added to a blacklist (I have seen 0.0.0.0 added accidentally to a customer created blacklist)?
If you wouldn't mind opening a case, we'd be happy to look at your system to see where this is coming from.
Michael Shinn
Atomicorp - Security For Everyone
Re: ASL 4 web interface issues
Ok, I think what you are seeing here is just a particularity of the way iptables -L -n displays its output. These are from geoblocking .nl:

    [root@localhost src]# iptables -L -n | grep 95.142.72.16
    ASL-GEO-BLACKLIST-LOG all -- 0.0.0.0/0 95.142.72.16/28
    ASL-GEO-BLACKLIST-LOG all -- 95.142.72.16/28 0.0.0.0/0

-L -n will display 0.0.0.0/0 for the source of the first rule and the destination of the second, as neither of them have both source and destination explicitly stated. There aren't actually any rules being defined that would block all traffic from or to all ip addresses.

    [root@localhost src]# iptables-save | grep 95.142.72.16
    -A ASL-GEO-BLACKLIST -d 95.142.72.16/28 -j ASL-GEO-BLACKLIST-LOG
    -A ASL-GEO-BLACKLIST -s 95.142.72.16/28 -j ASL-GEO-BLACKLIST-LOG

iptables-save will show the actual rule definitions, and iptables-save | grep "0.0.0.0" will return empty.
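The check described in the post above, written out as an added example (not part of the original thread and not ASL's own tooling): it reads iptables-save text and reports only rules in a chain that really carry no source or destination restriction, which is what a genuine "block everything" entry would look like. The function name find_catch_all and the third sample rule are constructed for illustration; the first two sample rules are the ones quoted in the thread.

```shell
#!/bin/sh
# Constructed sample of iptables-save output. The -d and -s rules are the two
# quoted in the thread; the last -A line is a constructed catch-all rule
# (no -s/-d) showing what a real "deny from everywhere" entry looks like.
SAMPLE_RULES='*filter
:ASL-GEO-BLACKLIST - [0:0]
-A ASL-GEO-BLACKLIST -d 95.142.72.16/28 -j ASL-GEO-BLACKLIST-LOG
-A ASL-GEO-BLACKLIST -s 95.142.72.16/28 -j ASL-GEO-BLACKLIST-LOG
-A ASL-GEO-BLACKLIST -j ASL-GEO-BLACKLIST-LOG
COMMIT'

# find_catch_all CHAIN
# Reads iptables-save text on stdin and prints every rule appended to CHAIN
# that matches any address: no -s/-d at all, or only an explicit 0.0.0.0/0.
# Only address matches are inspected; port, interface or ipset matches are
# not treated as restrictions here.
# Live use (as root): iptables-save | find_catch_all ASL-GEO-BLACKLIST
find_catch_all() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            restricted = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-s" || $i == "-d" ||
                    $i == "--source" || $i == "--destination") {
                    if ($(i + 1) != "0.0.0.0/0") restricted = 1
                }
            }
            if (!restricted) print
        }'
}
```

Run against the rules quoted in the thread alone, the function prints nothing, which matches the explanation that the 0.0.0.0/0 column in iptables -L -n is only the unset side of each rule.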
Re: ASL 4 web interface issues
> We have seen a couple of issues in the ASL web:
> 1. Security Events > Summary: all tables and graphs stay empty. Events can only be found under Search and Recent Events.
> 2. When clicking the event for more details, an event detail window opens, but it stays blank. Happens for all events.
> 3. Click "View all activity from this IP" -> shows an empty table "No events matched your filter selections.", although there should be events.

I do face these problems as well in ASL 4.0.4-15. Was this solved? Thanks
Re: ASL 4 web interface issues
If it is not corrected by running ' /var/asl/bin/aum -uf ', please open a case in the support portal.
The issue will be with the creation of triggers in the database, but cause and solution can vary.
Re: ASL 4 web interface issues
aum -uf did not solve it. I'm planning to move to another server so I will review if it's necessary to open a case now. New server will be a complete new install so this upgrade error should not show up. If it's taking too long until I can set it up I will open a new case. Thanks