|
Customer Service Kiosk -- Questions for LE vendors. |
2010-03-01, 10:47pm
|
|
Cat Lady
|
|
Join Date: Dec 11, 2007
Location: Seattle, WA
Posts: 152
|
|
Hi camelothosting, your report says that you blocked my laptop because it pinged port 500. That's the standard port that Windows machines use to initiate To view links or images in this forum your post count must be 1 or greater. You currently have 0 posts. connections. It's not a threat, it's a query to see whether a Web site supports a more secure type of connection. If a site supports IPSec connections, Windows will go with that for maximum security. If not, Windows will stick with the standard http or https connection.
You advised me to block port 500 on my software firewall, but I can't do that or else I would not be able to connect to my work network. I believe your firewall is interpreting the Windows IPSec protocol negotiation as a threat. Could you look into whether you can de-sensitize the firewall so that it doesn't react to IPSec queries? I agree that if you receive inbound probes on many ports you should block the client for port scanning. A single ping on a security connection port should not trigger the block though.
Thanks,
Kerry
|
2010-03-01, 11:17pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
Yes we know what port 500 is for, and the fact that we run almost exclusively e-commerce sites we will not open any port that does not need to be open.
Yes the firewall is seeing the ping as an attack because its pinging not once but a minimum of 5 times before you are getting a temp block.
I only grabbed one line from the report, I apologize for not stating that in my reply.
If it only pinged once or twice then it would not be an issue.
|
2010-03-01, 11:29pm
|
|
Cat Lady
|
|
Join Date: Dec 11, 2007
Location: Seattle, WA
Posts: 152
|
|
Interesting, it was after 5 clicks on Flamedame's site that I saw the block. Windows must be sending out one IPSec negotiation request per click.
Since you're not implementing IPSec you're doing the right thing by not opening port 500. However, your firewall is blocking many Windows computers that are not infected with malware. Can you modify it so that it doesn't trigger a block unless someone pings a port (other than 80, the standard HTML port) more than once a second? That would catch pretty much every exploit I've ever seen in the wild, as malware typically scans ports quickly and repeatedly. Regular, nonthreatening behavior like clicking on a new page every few seconds would not trigger the block then.
-- K
|
2010-03-01, 11:38pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
I am using a windows PC and have never been blocked for this,
Honestly your the first one I remember getting hit on port 500....
As to the speed of exploits, Yes they are usually fast however there are a few that are actually going slow to get around the clicks per second
|
2010-03-01, 11:57pm
|
|
Cat Lady
|
|
Join Date: Dec 11, 2007
Location: Seattle, WA
Posts: 152
|
|
Many other customers on Lampwork Etc. have been denied from shopping at sites that use Camelot Hosting. It's been an issue for a long time and this thread is the most recent manifestation.
Have you tested extensively with Windows 7? Have you investigated the logs of the other people in this thread who have been denied?
|
2010-03-02, 12:03am
|
|
Senior Member
|
|
Join Date: Jun 11, 2005
Location: SUNNY FLORIDA~West Coast!
Posts: 9,423
|
|
I have not heard of other people being blocked and we have not had a problem until now. eta And just 2 people are blocked.
__________________
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
Still North America's Largest Lauscha Dealer!
Now reopened in South Florida!!
Like US on Facebook ! To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-02, 6:18am
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
Yes I use windows 7 ( 64 bit at that )
The other issues that I have seen are not port scanning they are usually mod sec rules that happen to a few sites and we are working on finding whats triggering them, since we can demonstrate that its not a "Server" Issue we are looking into Code issues.
Once again if the ping to port 500 happened only once wouldnt be an issue.
You sated in your very good description above that it tries it and if it cant find it it reverts back to standard connections....
The question then becomes why is your setup not reverting, why is it pinging on every page hit?
We are willing to work to resolve any issues however there needs to be troubleshooting on both sides.
|
2010-03-02, 12:19pm
|
|
Cat Lady
|
|
Join Date: Dec 11, 2007
Location: Seattle, WA
Posts: 152
|
|
The best information I can get says that Windows re-checks for IPSec support every time a new connection is created with a site (i.e. by a user clicking a link). It's regularly checking for IPSec support in case it becomes available midsession. This is apparently standard behavior for Windows computers that are running IPSec. You would not want to open port 500, but a ping to it every 1-2 seconds is not necessarily due to a threat.
Some more information that would help me troubleshoot whether there is anything wrong on my side:
1) Is port 500 the only port you saw my computer probing?
2) How frequent were the ~5 hits on port 500 and on any other ports I scanned?
|
2010-03-02, 12:37pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
you were caught scanning port 500 6 times before you were booted
there were 2 at each of the following
Mar 1 23:25:17
Mar 1 23:25:37
Mar 1 23:25:39
Once again you are the ONLY person that is having THIS issue as I said before most are not port scans but mod sec rules that we are still trying to iron out
If this was a typical issue then no windows users would be able to view any of our servers.
I have tested this in windows XP Vista ( 32 and 64 bit ) and widows 7 in 32 and 64 bit with no issues. ( I removed my Ip from the white list before my tests so that wouldnt have been a factor ) I believe Mike may have been on to something in the ticket he replied to about your settings being different due to the VPN connection that you are using.
|
2010-03-02, 1:53pm
|
|
Mad about Glass
|
|
Join Date: Nov 29, 2005
Location: Sydney, Australia
Posts: 1,052
|
|
Kerry is not the only person having this issue - I started the thread. As I had no idea at the time whether the message from Camelot Hosting was genuine I contacted the vendors from whose sites I was blocked.
I'm glad to see that you are investigating the issue. However, you should be able to provide access for customers who have accounts with vendors rather than suggesting that the customer is to blame.
I have just now contacted Camelot-Hosting Support with the details.
__________________
Jenn
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts. [url]
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-02, 2:04pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
If you look back through my posts we are in fact trying to fix the issue,
and we are NOT blaming the issue on anyone.
I see you put in a ticket can you tell me when you were blocked since we do not have a record of the WHY
I will unblock from flamedames site rignt now and if you get blocked again then please update your ticket and we can tehn see what your issue is
|
2010-03-02, 2:17pm
|
|
Senior Member
|
|
Join Date: Jun 11, 2005
Location: SUNNY FLORIDA~West Coast!
Posts: 9,423
|
|
Jenn I think your issue might be different than Kerri's. And I did send on your info to them already.
__________________
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
Still North America's Largest Lauscha Dealer!
Now reopened in South Florida!!
Like US on Facebook ! To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-02, 3:19pm
|
|
Mad about Glass
|
|
Join Date: Nov 29, 2005
Location: Sydney, Australia
Posts: 1,052
|
|
Thanks Paula. I contacted Camelot today and their response was immediate - the problem with Frantz seems to be solved -I managed to place an order.
I still getted blocked from your site as soon as I try to open a product link which then reinstates the block on Frantz so I guess I will have to wait a bit longer to spend some money at Flamedame.
__________________
Jenn
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts. [url]
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-03, 2:23am
|
|
Cat Lady
|
|
Join Date: Dec 11, 2007
Location: Seattle, WA
Posts: 152
|
|
Hi, Camelothosting, I'm not connecting to any sites hosted on your servers via a VPN. I have connected from multiple physical locations, including my home network, work network, and networks at friends' houses. This has happened with different Windows computers (never my Macs or Linux machines). All of these Windows computers have a few things in common, though, including running Microsoft Forefront anti-malware software. I wonder if some program that is part of my work network's standard security suite is triggering this issue?
In any case, I am not the only person who has run into this problem. A couple of other people on this forum have reported it to Camelot Hosting support. Most people give up quickly because they don't get past the initial rebuff. If I weren't working in computer security, I would not have had the familiarity to dig in further either.
I would like to help find the root cause of the issue and to help implement any client-side changes which might be necessary. I have a few questions about the server-side activity that Camelot Hosting has see, which might help to diagnose the issue:
1) Am I the only client that you see scanning port 500, and which is subsequently blocked for port scanning? If I'm the only one, I'd love to know as that would indicate I need to look more closely at my Windows machines.
2) Is my client scanning ports other than 500?
3) What is the frequency of scans you see from my clients against all ports?
This is not an issue with all Windows computers, but it is an issue that happens frequently. Several people have posted on this forum about not being able to access sites hosted by Cametot Hosting. I've also heard anecdotal reports of similar problems at nearby classes and lampworking meetings. This is preventing more people from accessing Frantz and Flamedame than might immediately be apparent.
I would like to help figure out the root cause of this issue, which does not occur for me on sites hosted anywhere else and which is unlikely to be the result of a security compromise on any of my Windows computers which have been extensively scanned for malware.
-- K
|
2010-03-03, 6:41am
|
|
Cats & Glass!
|
|
Join Date: Jul 15, 2005
Location: Chelsea, AL
Posts: 1,648
|
|
I would like to thank the users for opening up this dialog and Camelot for joining in. As some of you know, I am the webmaster for several sites on Camelot. You can blame me for the choice of this host in a lot of cases. Camelot specializes in hosting ZenCart and as such, they are the most security minded and communicative web host I've ever used. They have a great reputation despite these recent issues and I know that Tony and Mike are working hard on this. We have talked on numerous occasions but without this kind of feedback, it's hard to fix any type of software problems.
Thanks again - I'll keep working with Camelot and the sites at which you may have problems and never hesitate to contact me (although I do publicly apologize that I wasn't able to get Carol S the help that she needed). I've been very frustrated by the situation but it seems like we might find some resolution.
Janelle
__________________
Janelle Zorko Schultz
Pigeon Point Glass
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
Ebay - To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts. Etsy - To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts. Blog - To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-03, 12:28pm
|
|
The Queen of Sofa King
|
|
Join Date: Nov 10, 2005
Location: State of flux
Posts: 1,079
|
|
Quote:
I would like to thank the users for opening up this dialog and Camelot for joining in. As some of you know, I am the webmaster for several sites on Camelot. You can blame me for the choice of this host in a lot of cases. Camelot specializes in hosting ZenCart and as such, they are the most security minded and communicative web host I've ever used. They have a great reputation despite these recent issues and I know that Tony and Mike are working hard on this. We have talked on numerous occasions but without this kind of feedback, it's hard to fix any type of software problems.
Thanks again - I'll keep working with Camelot and the sites at which you may have problems and never hesitate to contact me (although I do publicly apologize that I wasn't able to get Carol S the help that she needed). I've been very frustrated by the situation but it seems like we might find some resolution.
Janelle
|
Janelle, please don't think I was upset with you - you are a sweetheart and really willing to help. From my understanding, you took it as far as you could. It is a totally frustrating situation for all involved and now that I have contacted Camelot directly, Mike and his staff have been very responsive.
__________________
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-03, 1:32pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
Quote:
Hi, Camelothosting, I'm not connecting to any sites hosted on your servers via a VPN. I have connected from multiple physical locations, including my home network, work network, and networks at friends' houses. This has happened with different Windows computers (never my Macs or Linux machines). All of these Windows computers have a few things in common, though, including running Microsoft Forefront anti-malware software. I wonder if some program that is part of my work network's standard security suite is triggering this issue?
In any case, I am not the only person who has run into this problem. A couple of other people on this forum have reported it to Camelot Hosting support. Most people give up quickly because they don't get past the initial rebuff. If I weren't working in computer security, I would not have had the familiarity to dig in further either.
I would like to help find the root cause of the issue and to help implement any client-side changes which might be necessary. I have a few questions about the server-side activity that Camelot Hosting has see, which might help to diagnose the issue:
1) Am I the only client that you see scanning port 500, and which is subsequently blocked for port scanning? If I'm the only one, I'd love to know as that would indicate I need to look more closely at my Windows machines.
2) Is my client scanning ports other than 500?
3) What is the frequency of scans you see from my clients against all ports?
This is not an issue with all Windows computers, but it is an issue that happens frequently. Several people have posted on this forum about not being able to access sites hosted by Cametot Hosting. I've also heard anecdotal reports of similar problems at nearby classes and lampworking meetings. This is preventing more people from accessing Frantz and Flamedame than might immediately be apparent.
I would like to help figure out the root cause of this issue, which does not occur for me on sites hosted anywhere else and which is unlikely to be the result of a security compromise on any of my Windows computers which have been extensively scanned for malware.
-- K
|
As I replied earlier you are in fact the only person having issues with port 500 scanning,
No your not scanning any ports besides 500
and Im going to say this kinda blunt this time
YOURS IS THE ONLY ONE WITH PORT 500 ISSUES....
I have tested ( as I explained to you yesterday ) with multiple versions of windows ( XP Vista 32 and 64 bit as well as windows 7 32 and 64 bit ) and have NOT been able to produce this port 500 issue,
The only thing we have been able to come up with is that there is an issue with your firewall or PC that is trying to connect to port 500 more than is required. the time stamps that I showed you yesterday show that you were attempting to connect top port 500 2 x a second on 3 diff occasions
and once again the issues that others here are having are NOT the same as yours,
|
2010-03-03, 1:46pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
Ok time to ask a totally seperate but relevant question
Other than Khammil.
Has anyone ever actually been blocked while they were in frantz? or did you go there after visiting another site and just got the blocked page to start.
|
2010-03-03, 2:04pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
On a separate note can any who were locked out at flamedame hit this link and click around, To view links or images in this forum your post count must be 1 or greater. You currently have 0 posts.
|
2010-03-03, 3:30pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
Ok to let people know we are working on a tweak that will solve the users having mod security issues ( thats just about everyone thats had issues with these sites )
|
2010-03-03, 4:38pm
|
|
Mad about Glass
|
|
Join Date: Nov 29, 2005
Location: Sydney, Australia
Posts: 1,052
|
|
Clicked on the flamedame link above with the following result:
Your connection to this server has been blocked in the firewall.
You need to contact Camelot-Hosting Support with the following IP address.
Your blocked IP address is ......
Addressing the other questions:
I was first blocked while using Frantz website
I was then blocked while using Flamedame site
Regained access to the Frantz site and managed to place an order but have since been blocked again from both sites after accessing the Flamedame site.
I hope this sequence of events is of some help.
__________________
Jenn
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts. [url]
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-03, 6:42pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
Yes this is very helpful,
I will need you to send me your IP again so we can unblock you and have you test again we are sure that we have the issue at franz and flame dame taken care of
|
2010-03-03, 7:32pm
|
|
Senior Member
|
|
Join Date: Jun 11, 2005
Location: SUNNY FLORIDA~West Coast!
Posts: 9,423
|
|
Quote:
On a separate note can any who were locked out at flamedame hit this link and click around, To view links or images in this forum your post count must be 1 or greater. You currently have 0 posts.
|
I just clicked it and all I got was Google...
__________________
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
Still North America's Largest Lauscha Dealer!
Now reopened in South Florida!!
Like US on Facebook ! To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-03, 7:33pm
|
|
Senior Member
|
|
Join Date: Jun 11, 2005
Location: SUNNY FLORIDA~West Coast!
Posts: 9,423
|
|
Jenn if you wanted to buy things that were on sale last week just let me know. After he fixes the bug. Paula
__________________
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
Still North America's Largest Lauscha Dealer!
Now reopened in South Florida!!
Like US on Facebook ! To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-03, 9:07pm
|
Junior Member
|
|
Join Date: Mar 01, 2010
Posts: 16
|
|
I removed the test site, Looks like we have your site and frantz all taken care of.
|
2010-03-03, 9:47pm
|
|
Senior Member
|
|
Join Date: Jun 11, 2005
Location: SUNNY FLORIDA~West Coast!
Posts: 9,423
|
|
Yay!!! Thanks Mike!!
__________________
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
Still North America's Largest Lauscha Dealer!
Now reopened in South Florida!!
Like US on Facebook ! To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
2010-03-04, 9:47pm
|
Senior Member
|
|
Join Date: Sep 06, 2005
Location: Shelton Washtington
Posts: 3,256
|
|
Thank You
Quote:
I removed the test site, Looks like we have your site and frantz all taken care of.
|
Thank You Very Much To view links or images in this forum your post count must be 1 or greater. You currently have 0 posts.
mike frantz
__________________
Mike's Email: To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
Frantz Art Glass Website: To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
The Torch Website: To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
Mike's phone: 800.839.6712 ext 206
|
2010-03-04, 10:31pm
|
|
Mad about Glass
|
|
Join Date: Nov 29, 2005
Location: Sydney, Australia
Posts: 1,052
|
|
Thanks everyone. Everything is working fine again for me on both sites.
__________________
Jenn
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts. [url]
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
To view links or images in signatures your post count must be 5 or greater. You currently have 0 posts.
|
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -7. The time now is 2:20pm.
|