Strange issue with deny.hosts and request tracker sorting

Hi all,
We have a really weird issue, currently running RT4.0.8 but it was also
present before we upgraded from 3.8.4 to 4.0.8 on CentOS 6.3 w/
2.6.32-279.14.1.el6.x86_64 on x86_64, Apache/2.2.15 on Xeon CPU E5607 @
2.27GHz, 4 core.

When performing certain functions in the web interface, such as sorting
a list of tickets by number or priority, a mystery process writes the IP
address of the user to hosts.deny (blocking access to all services on
the server) and after a short period of time, the address is purged from
hosts.deny and the user doing the sorting can once again access RT.

The IPs for these users are already present in hosts.allow (and are
obviously being ignored). Fail2ban is not installed. Denyhosts is not
installed. SELinux is disabled. We only have about 3000 tickets in RT,
and performance is great. Except when you go to sort a list (could be
10, or 200 tickets) and you’re locked out momentarily. Additionally,
OSSEC reports “A web attack returned code 200 (success)” at the moment
the IP is written to hosts.deny and apache access log reads:

GET /Search/Results.html?Format=%27%20%20%20%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3A%23%27%2C%0A%27%3Cb%3E%3Ca%20href%3D%22%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__Subject__%3C%2Fa%3E%3C%2Fb%3E%2FTITLE%3ASubject%27%2C%0A%27__QueueName__%27%2C%0A%27__Priority__%27%2C%0A%27__CreatedRelative__%27%2C%0A%27__LastUpdatedRelative__%27&Order=DESC&OrderBy=id&Page=1&Query=Owner%20%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27&Rows=100 HTTP/1.1" 200 32147
https://rt.mydomain.org/Search/Results.html?Format='%20%20%20<b><a%20href%3D"%2FTicket%2FDisplay.html%3Fid%3D__id__">__id__<%2Fa><%2Fb>%2FTITLE%3A%23'%2C '<b><a%20href%3D"%2FTicket%2FDisplay.html%3Fid%3D__id__">__Subject__<%2Fa><%2Fb>%2FTITLE%3ASubject'%2C '__QueueName__'%2C '__Priority__'%2C '__CreatedRelative__'%2C '__LastUpdatedRelative__'&Order=ASC&OrderBy=id&Page=1&Query=Owner%20%3D%20'assistant'%20AND%20Status%20%3D%20'open'&Rows=100
"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:16.0) Gecko/20100101 Firefox/16.0"

Other logs are of little help. Here’s the relevant portion of httpd conf:
AddDefaultCharset UTF-8
DocumentRoot /opt/rt4/share/html

Order allow,deny
Allow from all
SetHandler modperl
PerlResponseHandler Plack::Handler::Apache2
PerlSetVar psgi_app /opt/rt4/sbin/rt-server


<Perl>
use Plack::Handler::Apache2;
Plack::Handler::Apache2->preload("/opt/rt4/sbin/rt-server");
</Perl>

Thank you in advance for any help you might be able to offer. I’d love
to know what is writing to deny.hosts.

- Sean

> When performing certain functions in the web interface, such as
> sorting a list of tickets by number or priority, a mystery process
> writes the IP address of the user to hosts.deny (blocking access to
> all services on the server) and after a short period of time, the
> address is purged from hosts.deny and the user doing the sorting can
> once again access RT.
>
> The IPs for these users are already present in hosts.allow (and are
> obviously being ignored). Fail2ban is not installed. Denyhosts is
> not installed. SELinux is disabled. We only have about 3000 tickets
> in RT, and performance is great. Except when you go to sort a list
> (could be 10, or 200 tickets) and you're locked out momentarily.
> Additionally, OSSEC reports "A web attack returned code 200
> (success)" at the moment the IP is written to hosts.deny and apache
> access log reads:

You’ve listed a few modules that this isn’t, but RT doesn’t write to
hosts.deny so presumably this is some feature provided by OSSEC. I’d
take it up with them first.

-kevin
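To make Kevin's point concrete: the request in Sean's access log is RT's own search form. The Format parameter carries literal HTML (`<b><a href="/Ticket/Display.html?id=__id__">`) and the Query parameter carries `'assistant' AND Status = 'open'`, so to a signature-based intrusion detector it has both the markup of a reflected-XSS probe and the quote-plus-boolean shape of an SQL-injection probe, and the server answered 200. The script below is an added illustration, not code from this thread, from RT or from OSSEC: it parses a Common Log Format line, decodes the query string the way the application sees it, and runs a small hypothetical signature set (the SIGNATURES table and the sample client IP and timestamp are assumptions made for the example) to show which parameters a "web attack returned code 200" style rule would trip on.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log line. The request target is the one quoted
# in the thread (RT's own search-result Format/Query parameters), trimmed to
# its first few Format columns; the client IP and timestamp are made up
# (203.0.113.0/24 is a documentation range).
SAMPLE_LINE = (
    '203.0.113.7 - - [12/Nov/2012:09:14:02 +0000] '
    '"GET /Search/Results.html?Format=%27%20%20%20%3Cb%3E%3Ca%20href%3D%22'
    '%2FTicket%2FDisplay.html%3Fid%3D__id__%22%3E__id__%3C%2Fa%3E%3C%2Fb%3E'
    '%2FTITLE%3A%23%27%2C%0A%27__QueueName__%27%2C%0A%27__Priority__%27'
    '&Order=DESC&OrderBy=id&Page=1'
    '&Query=Owner%20%3D%20%27assistant%27%20AND%20Status%20%3D%20%27open%27'
    '&Rows=100 HTTP/1.1" 200 32147'
)

# Constructed control line: an ordinary ticket view with a numeric id only.
BENIGN_LINE = (
    '203.0.113.7 - - [12/Nov/2012:09:14:30 +0000] '
    '"GET /Ticket/Display.html?id=42 HTTP/1.1" 200 18320'
)

# Common Log Format prefix: client, identd, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Hypothetical signature set in the spirit of generic "web attack" IDS/WAF
# rules that key on markup and SQL-looking fragments in request parameters.
# It is NOT OSSEC's rule set; the point is that RT's legitimate search
# parameters hit all three classes at once.
SIGNATURES = {
    "html-tag": re.compile(r"</?[a-zA-Z][^>]*>"),
    "html-link-attr": re.compile(r"\bhref\s*=", re.IGNORECASE),
    "sql-quoted-boolean": re.compile(r"'\s*(?:AND|OR)\s+\w+", re.IGNORECASE),
}


def decode_query(target):
    """Return {param: [values]} for the request target, percent-decoded the
    way the application (and a decoding IDS) sees it."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def match_signatures(params):
    """Return sorted, de-duplicated (param, signature) pairs that matched."""
    hits = set()
    for name, values in params.items():
        for value in values:
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits.add((name, sig_name))
    return sorted(hits)


def classify(line):
    """Emulate a 'web attack returned 200' decision for one access-log line.

    Returns (client_ip, status, hits). An active-response style tool would
    act when hits is non-empty and the status is 200, i.e. the server
    served the 'attack' successfully."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a Common Log Format line")
    hits = match_signatures(decode_query(m.group("target")))
    return m.group("ip"), int(m.group("status")), hits


def would_block(line):
    """True when a signature fired AND the response was 200."""
    _ip, status, hits = classify(line)
    return status == 200 and bool(hits)


if __name__ == "__main__":
    for line in (SAMPLE_LINE, BENIGN_LINE):
        ip, status, hits = classify(line)
        print(f"client={ip} status={status} block={would_block(line)}")
        for param, sig in hits:
            print(f"  {param}: {sig}")
```

Run against the RT request, the Format parameter trips the two HTML signatures and the Query parameter trips the quoted-boolean one, while the plain ticket view trips nothing; that asymmetry is the whole story behind "sorting a list locks me out". If OSSEC's host-deny active response is what is firing, its executions are recorded in /var/ossec/logs/active-responses.log, its timeout is why the hosts.deny entry disappears again after a while, and the remedy lives on the OSSEC side (an allow list for the trusted addresses, or tuning the web-attack rule for RT's search URLs), not in RT and not in hosts.allow.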