CIDRAM / CIDRAM

CIDRAM: Classless Inter-Domain Routing Access Manager.
https://cidram.github.io/
GNU General Public License v2.0

Logging issue #531

Open 737simpilot opened 9 months ago

737simpilot commented 9 months ago

It seems logging isn't working. I see this in the reports_log

Report log: OK
Date/Time: 2023-11-12T22:01:39-07:00
IP address: 45.137.203.64
Comments: User agent cited by various attack tools, rootkits, backdoors, webshells, and malware detected.

Report log: Failed
Date/Time: 2023-11-12T22:01:40-07:00
IP address: 45.137.203.64
Comments: User agent cited by various attack tools, rootkits, backdoors, webshells, and malware detected.

Report log: Failed
Date/Time: 2023-11-12T22:01:40-07:00
IP address: 45.137.203.64
Comments: User agent cited by various attack tools, rootkits, backdoors, webshells, and malware detected.

And that continues on for more than 700 lines. Really ticks me off this has happened because I block well over 300 ASNs in Cloudflare and of all times something sneaks in it had to be this bull crap VPS. I have been blocking one cloud provider after another in Cloudflare. With all the ASNs I block it's next to impossible to get through with a VPN or VPS, but on a very rare occasion it happens, and today it happened and the logging doesn't work, or the blocking. I have CIDRAM configured with three hits and you're out. Apparently that didn't work.

737simpilot commented 9 months ago

Okay, I blocked myself for testing and I do see a logfile generated like it's supposed to. That IP of 45.137.203.64 never created a logfile just a reports file but I do see it was banned in IP tracking with a value of 430,000 which is probably what you have coded there. However, in the reports for my test block it reads:

Report log: Failed
Date/Time: 2023-11-13T12:36:07-07:00
IP address: 45.137.203.64
Comments: Automated report (2023-11-12T22:01:42-07:00). User agent cited by various attack tools, rootkits, backdoors, webshells, and malware detected.

Which is really odd because that is not my IP address. The logfile does show my correct IP address though.

So it looks like reports is failing. This is the first time I noticed it because I simply don't look at reports, only the logfile. And since I saw this reports file weighed in at 28K with no logfile I knew something was up. That IP being reported though looks like it's false.

This is what I see in tracking since I cleared everything out the other day so this is fresh.

[screenshot: IP tracking page]

I'm thinking the 192.xxx.xxx.xxx IP did it and the 45.xxx.xxx.xxx is a red herring. So something internal is going on.

Maikuolan commented 9 months ago

Sounds similar to the problem I encountered at #498. While the immediate effects of the problem were easy enough to undo in a few minutes, and the problem never seemed to reoccur again after that first occurrence... I never did manage to get to the bottom of what was actually causing the problem in the first place. :-/

Maikuolan commented 9 months ago

Whether there's legitimately an actual problem somewhere in some part (or parts) of CIDRAM's logging mechanisms, or whether it ultimately ends up the case that said mechanisms are perfectly fine and it ends up instead being something I can simply blame on hardware and/or server limitations, or whether there's something else entirely going on, I might need to find some help in diagnosing the problem to get to the bottom of it properly, I think. In the meanwhile, I'll look over the code again and have another go at it, but yeah... I don't currently have any good ideas about it.

737simpilot commented 9 months ago

Yeah, very interesting. Really interesting in that the blocked IP that did correctly get blocked is not the same as the one in the reports log. Nevertheless, it seems like that IP was triggered to be logged by the real offending IP. Maybe it has something to do with X-Forwarded-For or the Cloudflare equivalent due to using a reverse proxy? Maybe that temporarily goofed? In issue #498, are those websites you maintain using a reverse proxy like Cloudflare et al? Any kind of X-Forwarded-For type of mechanism? It's a thought.

Because I now have a high speed fiber connection, I'm thinking about hosting one of my very dead SEO websites at home for the "nerding out" aspect, and if I do it'd be interesting to see if there's any difference in the logging and functionality between my host and my own hosting at home with CIDRAM. I've only deployed a LAMP stack once to see if I could do it in VMware, but I'm not an expert so I may cheat and use XAMPP, which I know is not recommended for live websites, but I know how to button it down as best as I can while only allowing Cloudflare IPs to hit my forwarded port at home to the computer that will host the website. If it's not a Cloudflare IP it's rejected on the spot. At least on the layer 2 level... I think it's layer 2... LOL https://developers.cloudflare.com/fundamentals/concepts/network-layers/
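The reverse-proxy hypothesis raised above is worth checking in code: if a forwarded-client header is honoured for connections that did not come through the proxy, a request can carry any address it likes in that header and that address, rather than the real peer, is what ends up in a block log or report. The following is an added Python illustration of the defensive pattern (it is not CIDRAM's own code); the CIDR ranges are constructed placeholders standing in for the proxy's published egress ranges, not Cloudflare's real list.

```python
import ipaddress
from typing import Mapping, Sequence

# Constructed placeholder ranges for "connections that came via our reverse proxy".
# A real deployment would load the proxy vendor's published list here instead.
TRUSTED_PROXY_CIDRS = ("198.51.100.0/24", "2001:db8:cafe::/48")


def resolve_client_ip(remote_addr: str,
                      headers: Mapping[str, str],
                      trusted_cidrs: Sequence[str] = TRUSTED_PROXY_CIDRS) -> str:
    """Return the address a request should be attributed to in logs and reports.

    Forwarded-client headers (CF-Connecting-IP, X-Forwarded-For) are honoured
    only when the TCP peer (REMOTE_ADDR) is one of the trusted proxies. For a
    direct connection the header is attacker-controlled and is ignored, so the
    logged address is always the real peer.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(c) for c in trusted_cidrs):
        return str(peer)  # direct hit: whatever is in the headers is untrusted

    # Case-insensitive header lookup; prefer the proxy-specific header.
    lower = {k.lower(): v for k, v in headers.items()}
    candidate = lower.get("cf-connecting-ip", "").strip()
    if not candidate:
        # X-Forwarded-For is "client, proxy1, proxy2"; the client is the first hop.
        candidate = lower.get("x-forwarded-for", "").split(",")[0].strip()

    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)  # missing or malformed header: fall back to the peer
```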