We have run into an issue where members on our site are being assigned a permanent block on their IP by our firewall due to having too many open connections. They are issued a temp block first, and then issued a permanent block as it keeps happening. Our hosting company advised the blocks are likely being put in place due to over-aggressive mod_security rules. Below is the output from an IP that has been blocked:

---
Apr 21 08:38:13 host lfd[27906]: (CT) IP 97.88.35.126 (US/United States/97-88-35-126.dhcp.roch.mn.charter.com) found to have 55 connections - *Blocked in csf* for 1800 secs [CT_LIMIT]
Apr 21 10:06:15 host lfd[28605]: (CT) IP 97.88.35.126 (US/United States/97-88-35-126.dhcp.roch.mn.charter.com) found to have 61 connections - *Blocked in csf* for 1800 secs [CT_LIMIT]
Apr 22 20:21:30 host lfd[12019]: (CT) IP 97.88.35.126 (US/United States/97-88-35-126.dhcp.roch.mn.charter.com) found to have 55 connections - *Blocked in csf* for 1800 secs [CT_LIMIT]
---

Can someone provide some suggestions on how to resolve this issue?
Donna(data66)
My server support handles all mod_sec issues. They tweak it to work well for my sites. Can your host tweak mod_sec?
Web Application Firewalls, huh? Well, okay...
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecConnEngine

I don't personally use mod_security or mod_suhosin; however, you should be able to switch the connection engine rule to "detect only" and it will not interfere with users due to connection limits.

Is there a common thread for the users that do run into this? 50 connections seems a bit over the top, even for a web browser. Mozilla based browsers used to have a connection limit of 20. You could change that (increase/decrease) if needed, but few do/did.
I would be curious to find out if those are IE users primarily, or what browser was used.

To find out, search for the IP addresses mentioned in the log, but in your web server access log (traffic log?). The User-Agent string should be logged, along with the specific URI/URL that was fetched, along with an HTTP status code.
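An added example (not from any poster above) of the correlation the previous reply suggests: pull the IPs that lfd blocked for the CT_LIMIT reason out of the lfd log, then look those same IPs up in a combined-format access log and tally their User-Agent strings and HTTP status codes. Both log files below are constructed for the example, with documentation IPs in place of real ones; the paths are temp files, so on a real server you would point the functions at /var/log/lfd.log and your web server's access log instead.

```shell
#!/bin/sh
# Added example: correlate lfd CT_LIMIT blocks with the web server access log.
# All sample data is constructed; file locations are temp files for the demo.

LFD_LOG=$(mktemp)
ACCESS_LOG=$(mktemp)
trap 'rm -f "$LFD_LOG" "$ACCESS_LOG"' EXIT

# Constructed lfd lines in the same shape as the ones quoted in the question,
# plus one unrelated event so the CT_LIMIT filter has something to exclude.
cat > "$LFD_LOG" <<'EOF'
Apr 21 08:38:13 host lfd[27906]: (CT) IP 203.0.113.10 (US/United States/example.invalid) found to have 55 connections - *Blocked in csf* for 1800 secs [CT_LIMIT]
Apr 21 09:00:00 host lfd[27950]: (CT) IP 198.51.100.7 (US/United States/example.invalid) found to have 70 connections - *Blocked in csf* for 1800 secs [CT_LIMIT]
Apr 21 09:05:00 host lfd[27960]: *Port Scan* detected from 192.0.2.99 (US/United States/-). 11 hits in the last 60 secs
EOF

# Constructed Apache/nginx "combined" format access log: one real-looking browser
# session and one scripted client hammering a login page.
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.10 - - [21/Apr/2014:08:37:58 -0500] "GET /forum/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
203.0.113.10 - - [21/Apr/2014:08:37:59 -0500] "GET /forum/images/a.png HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
203.0.113.10 - - [21/Apr/2014:08:38:01 -0500] "GET /forum/images/b.png HTTP/1.1" 200 790 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
198.51.100.7 - - [21/Apr/2014:08:59:40 -0500] "GET /wp-login.php HTTP/1.1" 403 221 "-" "python-requests/2.2.1"
198.51.100.7 - - [21/Apr/2014:08:59:41 -0500] "POST /wp-login.php HTTP/1.1" 403 221 "-" "python-requests/2.2.1"
192.0.2.5 - - [21/Apr/2014:09:10:00 -0500] "GET / HTTP/1.1" 200 1000 "-" "curl/7.35.0"
EOF

# Every IP lfd blocked with the [CT_LIMIT] reason, one per line, deduplicated.
blocked_ips() {
    grep -F '[CT_LIMIT]' "$1" | sed -n 's/.*(CT) IP \([0-9.]*\) .*/\1/p' | sort -u
}

# Requests per User-Agent for one IP. The UA is the last quoted field, i.e.
# everything after the final '" "' (referer/agent separator) on the line.
# Output: "<count> <user-agent>", most frequent first.
ua_summary() {
    ip=$1; log=$2
    awk -v ip="$ip" '$1 == ip' "$log" \
      | sed 's/.*" "\(.*\)"$/\1/' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Requests per HTTP status code for one IP ($9 is the status in combined format).
status_summary() {
    awk -v ip="$1" '$1 == ip { n[$9]++ } END { for (s in n) print n[s], s }' "$2" | sort -rn
}

# Walk the blocked IPs and print what each one was actually doing on the site.
for ip in $(blocked_ips "$LFD_LOG"); do
    echo "== $ip =="
    ua_summary "$ip" "$ACCESS_LOG"
    status_summary "$ip" "$ACCESS_LOG"
done
```

A block where every request comes from one browser UA with 200 responses looks like a member whose browser (or a page with many embedded assets) simply opened a lot of parallel connections, which is the case the thread is about; a block whose requests are all 403s from a scripting client is the kind of traffic the CT_LIMIT rule is meant to catch, so the two deserve different treatment.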
You seem to be using csf/lfd. You can change the firewall settings for CT_LIMIT.

If you are using cPanel, log in to WHM and you can see this under the Plugins tab, near the last item on the left sidebar menu.

Click on "ConfigServer Firewall", then select "Firewall Configuration".

In the configuration file, look for CT_LIMIT.

Remove the values.
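An added example (mine, not the poster's, and not csf's own tooling) of what the steps above change in csf.conf. It reads the connection-tracking keys from a csf.conf-style file, classifies whether the file disables tracking, blocks temporarily, or blocks permanently, and shows which IPs from a constructed connection-count list would trip each threshold. Only CT_LIMIT appears in this thread; CT_INTERVAL, CT_BLOCK_TIME and CT_PERMANENT are assumed from memory of csf.conf, so check them against your own /etc/csf/csf.conf. The three config fragments and the per-IP counts are constructed; the strict fragment is the shape that produces 1800-second blocks like the ones in the question, the relaxed one is a corrected setting that keeps tracking but stops it hitting ordinary browsers, and the third is what "remove the values" amounts to.

```shell
#!/bin/sh
# Added example: inspect csf.conf connection-tracking settings.
# Keys other than CT_LIMIT are assumed names (verify in your csf.conf).
# Config fragments and connection counts below are constructed.

STRICT=$(mktemp); RELAXED=$(mktemp); DISABLED=$(mktemp)
trap 'rm -f "$STRICT" "$RELAXED" "$DISABLED"' EXIT

# Strict: a browser with 51 parallel connections gets blocked, and the block never expires.
cat > "$STRICT" <<'EOF'
# Connection tracking: block an IP holding more than CT_LIMIT connections
CT_LIMIT = "50"
CT_INTERVAL = "30"
CT_BLOCK_TIME = "1800"
CT_PERMANENT = "1"
EOF

# Relaxed: higher threshold, temporary blocks only (released after CT_BLOCK_TIME).
cat > "$RELAXED" <<'EOF'
CT_LIMIT = "300"
CT_INTERVAL = "30"
CT_BLOCK_TIME = "1800"
CT_PERMANENT = "0"
EOF

# Disabled: the "remove the values" advice from the post; lfd stops counting connections.
cat > "$DISABLED" <<'EOF'
CT_LIMIT = ""
CT_INTERVAL = "30"
EOF

# Constructed per-IP established-connection counts, in the form
# 'netstat -an | awk ...' style tooling would produce: "<ip> <count>".
CONNS='203.0.113.10 55
198.51.100.7 12
192.0.2.5 301'

# Read one key from a csf.conf-style file (KEY = "value"), ignoring comment lines.
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Classify the connection-tracking behaviour a config file encodes:
#   off        CT_LIMIT empty or 0, no connection counting at all
#   temporary  offenders are blocked for CT_BLOCK_TIME seconds, then released
#   permanent  CT_PERMANENT=1, a single trip of the limit is a block that never expires
ct_mode() {
    limit=$(csf_get CT_LIMIT "$1")
    perm=$(csf_get CT_PERMANENT "$1")
    case "${limit:-0}" in
        0) echo off ;;
        *) if [ "${perm:-0}" = "1" ]; then echo permanent; else echo temporary; fi ;;
    esac
}

# Read "<ip> <count>" lines on stdin and print the IPs that exceed CT_LIMIT
# in the given config file. Prints nothing when tracking is off.
over_limit() {
    limit=$(csf_get CT_LIMIT "$1")
    awk -v limit="${limit:-0}" 'limit + 0 > 0 && $2 + 0 > limit + 0 { print $1 }'
}

# Show, for each config, the mode and who would have been blocked.
for f in "$STRICT" "$RELAXED" "$DISABLED"; do
    echo "CT_LIMIT='$(csf_get CT_LIMIT "$f")' mode=$(ct_mode "$f") over: $(printf '%s\n' "$CONNS" | over_limit "$f" | tr '\n' ' ')"
done
```

Raising CT_LIMIT while leaving CT_PERMANENT at 0 is the middle ground between the strict and disabled files: a member whose browser holds a few dozen connections no longer trips the rule, a client holding hundreds still gets a temporary block, and nobody ends up permanently locked out by a threshold that was tuned for scripts rather than browsers.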
If you are using shared hosting then it's time to get at least a VPS.