AiProtection - Malicious Sites Blocking

[mink]

Thank you all for the help!

Could be your ISP's WAN IP that's blacklisted by them

ISP is Comcast so is that likely? These are news feeds from Protopage custom landing page that aggregaes news feeds, weather etc.
www.engadget.com is also doing this:
"Performing a TLS handshake to www.engadget.com" then get the error page
"
The connection has timed out
The server at www.engadget.com is taking too long to respond.
"
for https://www.engadget.com/rss.xml
I researched TLS handshaking issues for days (week?) tracking it down; played with FF/Chrome security settings for various TLS levels without success until finally turning off AIProtection (AIP)/Malicious Site Blocking (MSB) fixed it. I was suspecting this might relate to the recent standards change in TLS but that is way beyond my feeble skills.

if you have aiprotection turned off and its still happening, why do you think its aiprotection?

Sorry for being unclear. I ONLY have the Malicious Site Blocking (MSB) part of AIP turned on to trouble shoot the problem. With MSB off, these sites load fine. This was first step. When turning AIP off fixed the problem, I turned

• MSB ON with
  
• Two-Way IPS (IPS) OFF and
• Infected Device Prevention and Blocking (IDPB) OFF .

That reproduced issue so isolates MSB component of AIP as problem. (The real project here is bringing up a Synology DS918+ as home/home office file server and backup target for Win10pro/Acronis True Image and Xubuntu machines with periodic offsite. Hesitant to move forward if something is wrong. Ironically, ATI is working great as a local back up over NFS to both Xubuntu targets and the Synology<>G )

what browser are you using?

Now: Firefox 62.0.3 64b, and since you asked, just tested Chrome 70.0.3538.67 (Official Build) (64-bit), just updated as well as the previous version. I hit this a month ago and misconfigured my systems chasing this before realizing it was in the router, related to MSB. Tested xubuntu clients running Firefox and chrome then with same results also. Yesterday, found misconfiguration of Win10Pro client dns and fixed it. Had messed up dns which seems fixed except this problem makes me suspect something is off still. Did not help that the new RT-AC86u burned out its 2.4G radio over the weekend, new one is ready to be cut in with FW 384.7. As below, using RT-AC3100u with 384.6

what av are you using?

Current Win10pro Defender. Just tried turning it OFF and accessing the site with same result so turned back on<G>. I believe I did a few weeks ago too. Even was on with MS tech support a few hours.

Do you have skynet or any ad blockers?

uBlock Origin 1.17 tried turning off, no joy, many times. I think I uninstalled it too with no help, but can do that again, no problem<G>. Was using uMatrix, but was too cumbersome. All these issues popped up in last month when bringing up the Synology NAS and went down the rabbit hole chasing my tail. I think I had AIP completely off up until then but thought it a good idea since adding the NAS and planning to open some ports for offsite backups (likely with Backblaze B2)

If you can ping it, what ip did it resolve to?

from Win10Pro client

C:\Users\rg>ping engadget.com
Pinging engadget.com [124.108.115.87] with 32 bytes of data:
Reply from 124.108.115.87: bytes=32 time=141ms TTL=46
...
Ping statistics for 124.108.115.87:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 141ms, Maximum = 141ms, Average = 141ms
C:\Users\rg>ping huffingtonpost.com
Pinging huffingtonpost.com [98.136.103.26] with 32 bytes of data:
Reply from 98.136.103.26: bytes=32 time=30ms TTL=50
....
Ping statistics for 98.136.103.26:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 29ms, Maximum = 30ms, Average = 29ms

Next step is to telnet to it over port 80

Haven't used telnet in over a decade, then not much<G> but looked it up and did so in Win10Pro client.

C:\Users\rg>telnet huffingtonpost.com 80

gave a window with the hostname in the title bar and a blinking cursor.
Then "q" [Note: some whitespace removed to condense]:

HTTP/1.0 400 Invalid HTTP Request
Date: Thu, 18 Oct 2018 18:00:12 GMT
Server: ATS
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 220
<HTML>
      <HEAD>
            <TITLE>Bad Request</TITLE>
                                    </HEAD>
                                           <BODY BGCOLOR="white" FGCOLOR="black">
                                                               <H1>Bad Request</H1>
                                                                                     <HR>
                                                                                     <FONT FACE="Helvetica,Arial"><B>
                   Description: Could not process this request.
                                                                </B></FONT>
                                                                           <HR>
                                                                               </BODY>
Connection to host lost.

again, from Win10Pro client

C:\Users\rg>telnet www.huffingtonpost.com 80

result [Note: some whitespace removed to condense]

HTTP/1.0 501 Not Implemented
Content-Type: text/html
Content-Length: 357
Connection: close
Date: Thu, 18 Oct 2018 18:03:42 GMT
Server: ECDF (sjc/16CB)
<?xml version="1.0" encoding="iso-8859-1"?>
                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
                                                      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
                        <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
                <title>501 - Not Implemented</title>
                                                        </head>
                                                                <body>
                                                                           <h1>501 - Not Implemented</h1>
                                                                                                            </body>
                                                                                                                  </html>
Connection to host lost.

C:\Users\rg>telnet www.engadget.com 80

yielded telnet window with cursor that was unresponsive to "q" and "?"

C:\Users\rg>telnet 124.108.115.87 80

engadget.com ip, direct hostname was same without www

HTTP/1.0 400 Invalid HTTP Request
Date: Thu, 18 Oct 2018 18:24:36 GMT
Server: ATS
Cache-Control: no-store
Content-Type: text/html
Content-Language: en
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Length: 220
<HTML>
      <HEAD>
            <TITLE>Bad Request</TITLE>
                                      </HEAD>
                                           <BODY BGCOLOR="white" FGCOLOR="black">
                                                                        <H1>Bad Request</H1>
                                                                                              <HR>
                                                                               <FONT FACE="Helvetica,Arial"><B>
                   Description: Could not process this request.
                                                                </B></FONT>
                                                                           <HR>
                                                                               </BODY>
Connection to host lost.

Likely today with cut over to the replacement RT-AC86u with 384.7 but doubt that will make different here. THANKS for all the help. cheers

 

[agilani]

The telnet shows that the site is responding to port 80 http requests. All of the sites you mention are yahoo/oath/aol sites and all use the yahoo cdn.

This points to your workstation as the likely culprit. Do you have other machines that you can test from? It could be root cert or https issue with your browser.

If you have tested other clients and still have the same result, it may be an issue with ublock origin and yahoo cdn.

 

[mink]

Just tested Xubuntu 16.04 client with both Chrome and FF with same problems. Disabled uBlock did not help. I may not have a cert on the Xubuntu machine, so will have to figure out how to put one on it <G>.
On that machine, s.yimg.com which redirected to a yahoo site paused for 20 seconds BUT huff-.com did eventually load. Interestingly, I could turn off MSB but turn on IPS and still get the problem! So some component of AIP supporting the modules is part of this. With the AIP slider ON, but MSB, IPS and IDPB OFF, the sites load in a flash. That is with AV and uBlock operating. Go figure. It is just my wife and I so, running without AIP components off is not the end of the world, but obviously a little risky. I think for now will leave ON, and show her how to turn off if it blocks a course site or reference needed for classes or work. a bit frustrating. There are logs in FF I can turn on

BTW found this useful
browser testing site
Here is an article on tls from ComputerWorld
From mozilla support about tls levels

There are TLS settings prefs on the about:config page that specify the minimum and maximum TLS version.

    security.tls.version.min = 1
    security.tls.version.max = 3

1 means TLS 1.0
2 means TLS 1.1
3 means TLS 1.2 (default)
4 means TLS 1.3;

My Win10Pro FF browser seems good shape. Support TLS 1.0 - 1.3, but perhaps should block 1.0 once this is working. SSL 2.0 and 3.0 are blocked.
Not supporting TLS compression and SSL 2 handshake compatibility.
Mixed Content Tests
Images Passive Yes
CSS Active No
Scripts Active No
XMLHttpRequest Active No
WebSockets Active No
Frames Active No

On

 

[agilani]

There is more going on here than aiprotection. I have every aiprotection feature turned on and i can get to every one of the sites you mentioned just fine. What aiprotection signature is loaded? Mine is 2.092 Updated : 2018/10/13 02:24

Also if aiprotection is blocking anyting, you will see it in the aiprotection logs.

I am also using cloudflare and google dns for name resolution. But i have the clients configured to go to cloudflare and google directly without using the router for dns.

Just to elimitate the router however, backup your router config and do a complete wipe. Setup internet and try to access the sites with the most basic config and see if the problem persists.

 

[mink]

You know, I can't seem to locate where to load signature file or even how to see version!
Well, cutting in the new RT-AC86u will kind of do be a fresh start.

 

[mink]

Well don't I feel silly<G>. Cut over to the new replacement RT-AC86u on Merlin 384.7 and everything is fine! Able to turn on all the AIP modules. Will see if this lasts. People have reported gradual slow downs with TLS handshake latency over time, but previousl slow pages are blazingly fast now. Temps are good so far. Using Cloudflare's Zero Round Trip Time Resumption (0-RTT) option in Firefox, which I came across while trying to solve this and it seems to have speed things up too. I can barely see the url's in the footer of the screen as the pages load.
in firefox url: about:config

NOTE:Likely better to set MINimum to "2" for TLS 1.1, but I will do once sure everything is working.

Next will be to upgrade the RT-AC3100 FW 384.6 -> 384.7 and match up settings. I'll report here the results if the FW change seems to fix it vs a setting tweak, but might take a break. Have to laser re-collimate a 127mm APO refractor that a small human torqued at the Stanford SLAC kids night. Hopefully the diagonal rather than the focuser - but I'm looking for an reason to upgrade the diagonal anyway<G>.
Thanks for all the help, I learned some new tricks. cheers.

 

[agilani]

make sure you do complete wipe of the ac3100 after you upgrade it and i'm pretty sure it should work fine.

 

[mink]

Thanks, will be a bit. Migrating the backup shares from nfs to samba on the zfs/linux boxes. Also testing Xubuntu 18.04.1 as a VM on Win10Pro host but Win10 updates keep raining on the networking layer I'm thinking.

Actually had an update notice flash without my approval. Then with pTTY sessions to two servers, notes on my smb.conf files in process, and a bunch of firefox sites open, the network connection crashed. Checked on a Xubuntu 16.04 box which got out to web fine. After a couple reboots and a cold delayed restart everything came back. I think MS forced an update that took out the network layer, even though I've turned off auto updates, they still can be pushed through aparently. Plan to talk to MS support next week since again, can't ping local machines, which had been working until an update a few days ago. Seems a common issue on with web chatter about with the way the vNetwork driver is implemented on Win10, but beyond me. I don't see how installing a VM in VBox should have affected that and don't think it did.

If my wife did not absolutely need MSoffice for work, I some telescope and other hardware needed win, I'd avoid it. On positive note, Acronis came through yesterday, when I borked the laptop I'm rebuilding for her: pulled an image off the network to a hardisk and restored without a hitch. Took longer to copy the image onto the HD than to restore. Will use an SSD next time<G>.

cheers.

 

[Frost]

My be wrong place?

Browser Firefox (63.0.3(64-bit)) and Microsoft Edge

When I tried to open the information from Express VPN, I got the message:
“Your connection is not secure. The owner of w.w.w.expressvpn.com has configured their page improperly to protect your information from being stolen. Firefox has not connected to this website”

Microsoft Edge does not open either, and ask me to close this site at once.

AC87U Asuswrt-Merlin 384.7_2 AiProtection Win10

 

[Frost]

My be wrong place?

It is me again.

The problem was the same when I disconnected AiProtection.
The next I disconnected the router and only used my modem, and then I had no more problem with Firefox and VPN connections(the same with Edge) .

When I get this message connected to the router:
"Your connection is not secure. The owner of w.w.w.expressvpn.com has configured their page improperly to protect your information from being stolen. Firefox has not connected to this websit."

What is wrong with the router configuration?
Yes, I need a good advice.

AC87U Asuswrt-Merlin 384.7_2 AiProtection Win10

 

[Intrepid]

There's no whitelisting capability in AiProtection's Malicious Website blocking.

Whitelisting is now available in AIProtection Malicious Website blocking with the latest firmware.
Click on AIProtection, Malicious Site Blocking, click on the notepad with the pencil icon. There are three icons total - Save, Delete and Edit. Edit allows you to whitelist domains - for example: microsoft.com