Right. It was mod_security's suspicious User-Agent rule that was triggering the firewall block.<div><br></div><div>[Mon May 13 23:27:28 2013] [error] [client 72.232.223.58] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_rules/20_asl_useragents.conf"] [line "130"] [id "330039"] [rev "4"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] [hostname "<a href="http://centos.hostingxtreme.com" target="_blank">centos.hostingxtreme.com</a>"] [uri "/6.3/os/i386/repodata/repomd.xml"] [unique_id "UZEpiM7eFzIAC1GSBYMAAAAL"]</div>
<div><br></div><div>This was the only IP blocked for this subdomain, so legitimate users should not be getting affected. I have disabled that rule for this subdomain.</div><div><br></div><div>As far as the slowdown is concerned, we do not have any block based on DNS / rDNS / region / location etc. In all the test tools etc, the DNS does not seem to be the problem.</div>
<div><br></div><div><div>Wait<span style="white-space:pre-wrap"> </span>83.19%<span style="white-space:pre-wrap"> </span></div><div>Connect<span style="white-space:pre-wrap"> </span>8.53%<span style="white-space:pre-wrap"> </span></div>
<div>SSL<span style="white-space:pre-wrap"> </span>6.04%<span style="white-space:pre-wrap"> </span></div><div>DNS<span style="white-space:pre-wrap"> </span>2.23%<span style="white-space:pre-wrap"> </span></div>
<div>Receive<span style="white-space:pre-wrap"> </span>0.01%<span style="white-space:pre-wrap"> </span></div><div>Send<span style="white-space:pre-wrap"> </span>0.00%</div>
</div><div><br></div><div><br></div><div>Any other suggestions welcome.</div><div><br></div><div>Ruzbeh.</div><div><br><div class="gmail_quote">On Tue, May 21, 2013 at 2:28 AM, Ralph Angenendt <span dir="ltr">&lt;<a href="mailto:ralph.angenendt@gmail.com" target="_blank">ralph.angenendt@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On 20.05.2013 08:47, Info | HostingXtreme.com wrote:<br>
> I traced the mirror status probe server to 72.232.223.58 (US/United States/<br>
> <a href="http://58.223.232.72.static.reverse.ltdomains.com" target="_blank">58.223.232.72.static.reverse.ltdomains.com</a>)<br>
><br>
> Whitelisting this IP in the firewall has got it to show up again. Not sure<br>
> how many other Probe IPs are there.<br>
<br>
</div>That should be the only probing IP. But as it is doing http and/or ftp<br>
connects on a *public* mirror, it shouldn't be in a blacklist anyway (or<br>
firewalled), as it behaves as a normal client.<br>
<br>
It checks for the two timestamp files in the / of your mirror.<br>
<br>
Regards,<br>
<br>
Ralph<br>
<div><div><br>
_______________________________________________<br>
CentOS-mirror mailing list<br>
<a href="mailto:CentOS-mirror@centos.org" target="_blank">CentOS-mirror@centos.org</a><br>
<a href="http://lists.centos.org/mailman/listinfo/centos-mirror" target="_blank">http://lists.centos.org/mailman/listinfo/centos-mirror</a><br>
</div></div></blockquote></div><br></div>
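Added example, not part of the original thread: a small Python parser for ModSecurity denial entries in the error-log format quoted in the message, grouping blocks by virtual host and rule id so that a rule exclusion can be scoped to the one host and rule actually involved. The function names are hypothetical and the sample log is constructed; its first line reuses values from the quoted entry, while `192.0.2.10`, `www.example.com` and rule id `999999` are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log. Line 1 reuses values from the entry quoted in the
# message; 192.0.2.10, www.example.com and rule id 999999 are placeholders.
SAMPLE_LOG = r'''
[Mon May 13 23:27:28 2013] [error] [client 72.232.223.58] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_rules/20_asl_useragents.conf"] [line "130"] [id "330039"] [severity "CRITICAL"] [hostname "centos.hostingxtreme.com"] [uri "/6.3/os/i386/repodata/repomd.xml"]
[Mon May 13 23:57:31 2013] [error] [client 72.232.223.58] ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\))" against "REQUEST_HEADERS:User-Agent" required. [id "330039"] [hostname "centos.hostingxtreme.com"] [uri "/6.3/os/x86_64/repodata/repomd.xml"]
[Mon May 13 23:58:02 2013] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Tue May 14 00:03:10 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [id "999999"] [hostname "www.example.com"] [uri "/search"]
'''

CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
DENIED_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)')
# Metadata fields look like [name "value"]; the value may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_denial(line):
    """Return a dict for a ModSecurity denial line, or None for any other line."""
    denied = DENIED_RE.search(line)
    client = CLIENT_RE.search(line)
    if not (denied and client):
        return None
    record = dict(FIELD_RE.findall(line))
    record.update(client=client.group(1),
                  status=int(denied.group(1)),
                  phase=int(denied.group(2)))
    return record


def summarise_denials(log_text):
    """Map (hostname, rule id) -> denial count plus the clients and URIs seen."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "uris": set()})
    for line in log_text.splitlines():
        record = parse_denial(line)
        if record is None:
            continue  # not a ModSecurity denial (blank line, 404, ...)
        entry = summary[(record.get("hostname"), record.get("id"))]
        entry["count"] += 1
        entry["clients"].add(record["client"])
        entry["uris"].add(record.get("uri"))
    return dict(summary)


if __name__ == "__main__":
    for (host, rule_id), info in sorted(summarise_denials(SAMPLE_LOG).items()):
        print(host, rule_id, info["count"], sorted(info["clients"]))
```

A host and rule pair whose denials all come from one client, as with the probe server here, can then be reviewed for an exclusion limited to that virtual host.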