firewall blocked url from 127.0.0.1

I am facing same issue a lot of continuously connections some of them being described as bot some others as human, lol with ip127.0.0.1 …

Hi @slysoft,

Take a look at this topic. It should help solve your issue.

Cheers!

Nope! Not soving!

Thanks for sending your diagnostic and opening this topic @slysoft.

If you are able, the raw access logs would help greatly in seeing if the timestamp of these 127.0.0.1 hits match up with other IP addresses from those logs. If you have cPanel, they can be obtained there: https://www.greengeeks.com/tutorials/how-to-download-raw-access-logs-in-cpanel/

As we’re currently looking into a number of cases of this occurring without settings changes etc., we may require some time to investigate common factors between the sites that are seeing this issue as other diagnostics and access logs come in.

Thanks again,
Peter.

@wfpeter I just sent to you an e-mail with the RAW Log

Thanks @slysoft,

I appreciate you sending that to assist us, and have made it available to the rest of the team looking into this. I’ll keep you updated here in this topic, although I’m not certain of precise timescales right now.

Many thanks,
Peter.

Hi again @slysoft, thank-you for providing your logs for us to take a look at.

Almost all of the hits from 127.0.0.1 appear to be probing, except for some generic hits like hitting the homepage, which may also be bots. We don’t think they’re all the same source, as there are different User-Agents involved. Some of them do have a referer using the correct domain, so it may not be an alternate domain causing the problem.

As the web server log shows the correct IP address for normal hits and shows 127.0.0.1 for hits that appear malicious, we would recommend asking your host why the site seems to be getting these requests that appear to be malicious from 127.0.0.1. You can show them the access log you sent to us as evidence to look at. The host might have more logging that will help find the issue, but they might not. To us, it looks like it could be an attacker on the same server, but when there are different User-Agents, it could still be a misconfiguration.

Let us know if you find out any more from them,
Peter.

Hi @slysoft,

Did you find out any more from your host?

Peter.

Still waiting for a response from them.

No worries @slysoft, I’ll keep this topic open. I will see your response here if you get anything from them.

Did you have a response from them regarding this @slysoft? I’m just renewing this topic as ones over 7 days without response may be closed.

Peter.

I’m asked again today. They are so lazy….
(note to myself: never buy hosting on gazduire.ro again!)
Sorry for this delay…
Thank you, Peter!

No problem @slysoft, I will keep the topic open until you have something (but may keep checking in weekly).

Peter.

Just checking back in, we’ll review again in a week. Hopefully your host are able to provide some more context to the issue soon.

They said that this problem is not related to their services, so I have to check further myself, because the problem is caused by my firewall’s bad detection on the website.