After updating the security system from 1.8.1 to 1.8.2 the infusion reported an increasing number of attacks. Now that would be okay if that site would draw a lot of hackers. But it's a low traffic site so having over 500 attacks in a few weeks looks strange. Especially if it had fewer than 20 attacks in six months before the update.
So I thought there was something wrong with the infusion. In order to resolve the problem, I defused the security system and infused it again.
From that moment on I had two security systems in the infusion panel. Both would ask me to agree to the license.
I defused the infusion again and removed the infusion from the infusion folder (both security system and security panel).
I still had one security system in the infusions panel.
I had to remove the security infusion link in the Fusion_admin table manually.
After that I uploaded the security system infusion again and infused it.
Now it looks to be okay.
Could it be that the defuse function for the security system doesn't work properly? Or was this a one-time error?
Well, that was part of the reason to defuse the security system...
When I noticed the increasing number of attacks that were blocked, I checked the security system logs. There were only the 10 hack attacks logged that were logged before the update. No new attacks. So I guessed that there was something wrong with the security system, or with the way it infused.
So, I have no examples of the "ghost" attacks...
Don't get me wrong. I believe the security system is working fine now. I just wondered if the defuse function didn't do the job as it should.
Edited on 27.04.2008 21:16
I think I spoke too soon, saying that there was no problem...
The front page panel states that I had 27 attacks blocked. That is 23 new attacks in one day.
So I checked the Security System overview page. It states that 25 hack attacks were blocked, one blocked by filterlist and one proxy registration.
Then I viewed the log file. There it stated that there was one blocked by filterlist, 2 hack attempts and one proxy registration.
My question now is what is correct? 27 attempts according to the front page panel or just 2 hack attempts according to the log file?
I attached screenshots from the overview page and from the view log page.
If the same attack comes from the same IP within one hour, the secsys writes the attack only to the statistics but not to the logs.
It's better for the database.
A new log-writing mod for the security system is in development.
I hope this answer helps you understand the log entries and statistics on the front page.
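
Added example, not part of the thread and not the Security System's own code: a small Python model of the behaviour described in the reply above, showing how a statistics counter and a log can legitimately disagree. The function names, the constructed sample events and the choice to key suppression on IP plus attack type, with the hour counted from the last logged row, are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # suppression window described in the reply

def process(events, window=WINDOW):
    """Return (stats, log) for a list of (timestamp, ip, kind) blocked events.

    stats counts every blocked event. log keeps one row per (ip, kind) per
    window. Assumption: the window starts at the last *logged* row.
    """
    stats, log, last_logged = {}, [], {}
    for ts, ip, kind in sorted(events):
        stats[kind] = stats.get(kind, 0) + 1          # always counted
        prev = last_logged.get((ip, kind))
        if prev is None or ts - prev >= window:       # logged only once per window
            log.append((ts, ip, kind))
            last_logged[(ip, kind)] = ts
    return stats, log

def suppressed(stats, log):
    """Per-kind number of events present in the statistics but not in the log."""
    logged = {}
    for _, _, kind in log:
        logged[kind] = logged.get(kind, 0) + 1
    return {kind: n - logged.get(kind, 0) for kind, n in stats.items()}

def sample_events():
    """Constructed events using documentation IP ranges, not data from the site."""
    t0 = datetime(2008, 1, 1, 10, 0)
    ev = [(t0 + timedelta(minutes=2 * i), "192.0.2.10", "hack") for i in range(20)]
    ev += [(t0 + timedelta(minutes=5 * i), "198.51.100.7", "hack") for i in range(5)]
    ev.append((t0, "203.0.113.5", "filterlist"))
    ev.append((t0, "203.0.113.9", "proxy"))
    return ev

if __name__ == "__main__":
    stats, log = process(sample_events())
    print("statistics:", stats)
    print("log rows:  ", len(log))
    print("suppressed:", suppressed(stats, log))
```

With the constructed sample, two sources repeating the same attack inside one hour produce 25 counted hack attempts but only 2 log rows, the same shape of gap as in the overview and log figures quoted in the thread.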