Sucuri Firewall Issues

Harry

New member
Today morning I tried to read a thread in the forums and was denied by the firewall

Your IP:17.114.160.181
URL:forums.aeromir.com/threads/risk%20reversals%20-%3E%20butterflies.393/
Your Browser:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Block ID:EVA079
Block reason:An attempt to evade and bypass security filters was detected.
Time:Fri Aug 10 13:32:25 2018
Server ID:16017


To report a problem to them, I need to create an account with Sucuri. I do not want to do that without verifying what is going on and if I really need to do this. I was able to log in to the forums from my office network but I do not want to do that every day.

I am not making any attempt to evade firewalls etc. I do have the Ghostery extension but I have had that for over a year. Also, when I am authenticated and confirmed as a valid user, why should any firewall try to stop me?
Please check and advise.
 

Harry

New member
Just now facing an even funnier situation:
I can open this thread, I can open the thread on Raleigh Durham, but when I try to open the risk reversal thread ... that fails with the Sucuri firewall issue. I will log out, remove cookies and retry, but I thought I would pass it on just in case it helps.
 

Harry

New member
Reset browser completely. Still the same issue: can access this thread, but cannot access the "risk reversal butterflies" thread, which is the same one, if you notice, as in my first post above. So the firewall is somehow restricting only that page for me.
 

JackW

New member
That's exactly what I get. A workaround is to go to the forum and check the newest thread, click on the risk reversal thread, and no problems getting in.
 

status1

Member
I don't have this problem
That is certainly a weird situation
Have you tried Explorer if you are using Firefox ? Just to rule out the browser
Do you get the same error whether you are signed in or not ?
Just thinking how would the firewall know who is trying to access the website if you are not signed in
 

Harry

New member
1. I am not using Firefox. I am using Chrome
2. Tried in Firefox without logging in. Same issue :(
3. Firewalls usually work based on IP, and in this case looks like URL also. So the URL https://forums.aeromir.com/threads/risk reversals -> butterflies.393/ is the one that seems hosed, for multiple people.
4. They usually ban genuine spammers etc., but sometimes (or many a times) the internet service provider will recycle IPs so I end up with a spammer IP and then I am hosed until I get a new IP lease (but it is likely at the router level and not my computer).
5. But again for it to fail from my work network + fail for multiple people ... seems like some configuration could be tuned.
 

status1

Member
I understand what you are saying but how do you explain the fact that it works on other threads but not on the risk reversal ?
Is the risk reversal on a different server that is configured differently ?
Can the firewall be set up so that it can block certain IP addresses based on which thread you want to access ?
That is the strange part for me

I just discovered something that may or may not be the problem
I right clicked on your link that you provided and I got the same firewall error even though I never had the problem before
The link seems to be identical but I just happened to copy it to a word document and there seems to be some differences

This is the normal link
https://forums.aeromir.com/threads/risk-reversals-butterflies.393/
and this is your link that I copied and pasted into a word document
https://forums.aeromir.com/threads/risk reversals -> butterflies.393/

As you can see there are some extra characters that you normally don't see when it is in the address bar
I am thinking those extra characters are causing the problem

I am suspecting some encoding issues only because recently I was having some extra characters in my email messages and it turned out that if I set the encoding to Unicode the extra characters go away. The extra characters would only show up if I had more than one space between letters

I am not sure how this can be fixed on the website or on your pc
I think maybe it's the +> characters in the thread that are causing the problem since the other threads don't have that
 

status1

Member
I was able to verify it
I used your link that was not working and deleted the "->" characters from the link and it's working now
Hopefully that will work for you too
 

Harry

New member
I am not typing links to get to threads. I am clicking on the website.
Once again, I am not adding or removing characters, I am just clicking on the website.
As someone above said: clicking on link from 1 place works, another place does not.
How does firewall get into the picture, I dunno.
 

Harry

New member
Go to my.aeromir.com ==> Recent Forum Activity ==> (within that block) ==> click on "risk reversal -> butterflies" ... FAILS
This URL points to forums.aeromir.com/threads/risk reversal -> butterflies.393

Now go to https://forums.aeromir.com/ => Under Category Main => Under Category General Discussion => thread risk reversal -> butterflies => WORKS
The URL points to forums.aeromir.com/posts/1372/
 

status1

Member
I am not saying that you are typing in the links. The characters are already there from the title of the poster
I just noticed that if you remove those characters the link works

I know you had a problem with viewing the posts using the recent link and Tom found a bug and fixed it but maybe there is still another bug that needs to be fixed
He said something about XenForo 2.x and XenForo 1.5.x so I am guessing maybe the firewall is different between the two of them

I never used the recent link
I just saved the forum page to my desktop so when I click on it it takes me to the forums directly and then I just click on what's new
That's why I never saw the problem
 

tom

Administrator
Staff member
The firewall is the same. The Sucuri Web Firewall. The Sucuri firewall is supposed to defend against people trying to access the admin stuff from non-whitelisted IP addresses. I think it also has filters for bots and some other perceived attacks. It could be that the links I'm generating failed due to a weird character in the forum title. I'll investigate.
 

status1

Member
"It could be that the links I'm generating failed due to a weird character in the forum title"
I think that's exactly what is happening and specifically with the recent link
Normally if you look at both links here or on the address bar you don't see much of a difference except for the dash and arrow
but if you copy and paste into a word document you will see a big difference where the bad link has a bunch of extra characters
URL:forums.aeromir.com/threads/risk%20reversals%20-%3E%20butterflies.393/ like in Harry's first post
 

tom

Administrator
Staff member
The links have to be URL encoded so a space character is encoded to %20

I will see if I can get the links correct.
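Added example, not part of the thread and not the site's or XenForo's code: it contrasts the two link forms quoted above (the percent-encoded raw title that was blocked and the slug form that worked) and adds a check a link generator could run before publishing a link. The slug rule, the function names and the allowed-character set are assumptions made for illustration.

```python
import re
from urllib.parse import quote, unquote, urlsplit

BASE = "https://forums.aeromir.com/threads/"

def raw_title_link(title, thread_id):
    """Percent-encode the raw title into the path (the form that was blocked)."""
    return f"{BASE}{quote(title, safe='')}.{thread_id}/"

def slugify(title):
    """Assumed slug rule: lowercase, each run of non-alphanumerics becomes '-'."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")

def slug_link(title, thread_id):
    """Build the slug form; a title with no usable characters falls back to the id."""
    slug = slugify(title)
    return f"{BASE}{slug}.{thread_id}/" if slug else f"{BASE}{thread_id}/"

def offending_chars(url):
    """Decode the last path segment and list characters outside [a-z0-9.-].

    An empty list means the link carries nothing but slug characters, so
    nothing in the path can look like markup or an encoded payload to a filter.
    """
    segment = urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]
    decoded = unquote(segment)
    return sorted(set(re.findall(r"[^a-z0-9.\-]", decoded)))

# Title and id taken from the URLs quoted in the thread.
TITLE = "risk reversals -> butterflies"
THREAD_ID = 393

if __name__ == "__main__":
    for link in (raw_title_link(TITLE, THREAD_ID), slug_link(TITLE, THREAD_ID)):
        bad = offending_chars(link)
        print(link, "->", "OK" if not bad else f"rewrite, contains {bad}")
```

The first link decodes to a path containing a space and ">", which is the URL shown in the block page; the second reduces the same title to the slug that loads normally.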
 