[rt-users] strange issue with deny.hosts and request tracker sorting

Kevin Falcone falcone at bestpractical.com
Thu Nov 29 12:08:41 EST 2012

On Wed, Nov 28, 2012 at 11:38:27AM -0800, S P wrote:
> When performing certain functions in the web interface, such as
> sorting a list of tickets by number or priority, a mystery process
> writes the IP address of the user to hosts.deny (blocking access to
> all services on the server) and after a short period of time, the
> address is purged from hosts.deny and the user doing the sorting can
> once again access RT.
> The IPs for these users are already present in hosts.allow (and are
> obviously being ignored). Fail2ban is not installed. Denyhosts is
> not installed. SELinux is disabled. We only have about 3000 tickets
> in RT, and performance is great. Except when you go to sort a list
> (could be 10, or 200 tickets) and you're locked out momentarily.
> Additionally, OSSEC reports "A web attack returned code 200
> (success)" at the moment the IP is written to hosts.deny and apache
> access log reads:

You've listed a few modules that this isn't, but RT doesn't write to
hosts.deny so presumably this is some feature provided by OSSEC.  I'd
take it up with them first.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 235 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20121129/d99ef5a2/attachment.sig>

More information about the rt-users mailing list