Hi Mike. Do you recommend enabling both:
Enable Logging Routines?
Enable Additional Logging Routines?
That’s odd about the IP address. When I did a whois lookup on the IP here:
http://cqcounter.com/whois/
it comes up with the following domain registered 13 years ago:
OrgName: Cybersource Corp.
OrgId: CYBERS-88
Address: 900 Metro Center Blvd.
City: Foster City
StateProv: CA
PostalCode: 94404
Country: US
RegDate: 2000-10-03
Updated: 2012-06-18
Ref: http://whois.arin.net/rest/org/CYBERS-88
OrgAbuseHandle: NOC1333-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-877-847-2577
OrgAbuseEmail: network@cybersource.com
OrgAbuseRef: http://whois.arin.net/rest/poc/NOC1333-ARIN
OrgTechHandle: NOC1333-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-877-847-2577
OrgTechEmail: network@cybersource.com
OrgTechRef: http://whois.arin.net/rest/poc/NOC1333-ARIN
RNOCHandle: NOC1333-ARIN
RNOCName: Network Operations Center
RNOCPhone: +1-877-847-2577
RNOCEmail: network@cybersource.com
RNOCRef: http://whois.arin.net/rest/poc/NOC1333-ARIN
The email address listed on the whois shows
network@cybersource.com
Which matches the cybersource.com domain.
Now if you do a whois lookup for cybersource.com, the first two parts of the IP are the same, and their GEO location is “San Mateo, CA 94404”, which is the same as the first.
So, I suppose, the question is, is this truly a legitimate cybersource company, and if so, why are they trying to communicate with my website? My messages log file has thousands of references to this IP being blocked, such as:
So it’s strange that this cybersource server is trying to communicate with mine, and interesting that the firewall decides to block them:
Aug 4 19:17:43 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=66.185.181.137
It looks like these deny references in my messages log were occurring in 5 minute intervals, which coincide with WP-Cron’s default 5 minute intervals. s2member’s Authorize.Net “Automatic EOT Behavior” setting being set to on results in the site communicating with Authorize.Net’s servers every 5 minutes all the time.
Jason even chimed in when I brought this up here:
http://www.s2member.com/forums/topic/error-e00013-subscription-id-is-invalid/#post-32231
ME:
I’m getting this error constantly in the “authnet-api.log” log. It seems like it’s running this for every user, every day, even though I don’t sell subscriptions. Any ideas?
JASON:
Yes, that is correct. While these customers may not be associated with recurring fees, it’s s2Member’s job to determine this, and keep track of who is and who is not, by communicating with the Authorize.Net API. What you’re seeing in the logs is s2Member finding out that they do not have recurring fees.
If you would rather disable this functionality in s2Member, you can disable s2Member’s Automatic EOT System from your Dashboard. See: Dashboard -› s2Member® -› Authorize.Net® Options -› Automatic EOT Behavior
This being said, I recommend that you leave the EOT system enabled, and simply ignore those log entries, or simply turn off s2Member’s logging routine.
I had forgotten about this, but today’s activity brings up a few questions:
* Should I disable automatic EOT after all (since I don’t provide subscriptions or time-limited services)?
* Could the 5 minute communication with Authorize.Net’s API be the cause of cybersource attempting to communicate with the server, and what purpose does it serve? And if it is the cause, could this activity have been deemed sufficiently suspicious by “CSF – ConfigServer” to not only block cybersource, but legitimate, live, checkout transactions?
* Are there IP addresses that I should whitelist in the firewall?
I don’t know for certain how strict CSF is operating, but since it doesn’t permanently block IPs, I’m concerned things are getting swept up or deemed suspicious when the activity is innocent and necessary for s2member to function properly. It could be a random, moving target that operates outside of the s2member app hemisphere, but results in a silent, operation conflict anyway?
Thanks.
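
Added example (not part of the original post, and not s2Member or CSF code): one way to check whether blocked packets from a source really arrive on a fixed schedule, such as the 5 minute interval described above, before deciding what to whitelist. The sample lines are constructed in the format of the quoted log entry, using documentation-range addresses and an assumed year; `parse_blocks` and `periodic_sources` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (not real traffic), shaped like the entry in the post.
# SRC/DST/PROTO/SPT/DPT are standard iptables LOG fields.
SAMPLE_LOG = """\
Aug  4 19:02:43 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=40112
Aug  4 19:03:10 host2 kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=23
Aug  4 19:03:12 host2 kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=23
Aug  4 19:05:00 host2 sshd[812]: Accepted publickey for admin from 198.51.100.9
Aug  4 19:07:43 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=40113
Aug  4 19:09:02 host2 kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=23
Aug  4 19:12:44 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=40114
Aug  4 19:16:40 host2 kernel: Firewall: *TCP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=51003 DPT=23
Aug  4 19:17:43 host2 kernel: Firewall: *UDP_IN Blocked* IN=eth1 OUT= MAC=[MAC_ADDRESS_REMOVED] SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=40115
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"\*\w+ Blocked\*.*?\bSRC=(?P<src>[\d.]+)"
)

def parse_blocks(text, year=2013):
    """Return {source_ip: [datetime, ...]} for each firewall 'Blocked' line."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a firewall block entry
        # syslog timestamps carry no year, so the caller supplies one (assumed)
        stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["src"]].append(stamp)
    return hits

def periodic_sources(hits, period=300, tolerance=15, min_hits=4):
    """Return {source_ip: (count, median_gap_seconds)} for sources whose
    median gap between blocks is within `tolerance` of `period`."""
    result = {}
    for src, times in hits.items():
        if len(times) < max(min_hits, 2):
            continue  # too few events to say anything about timing
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(median(gaps) - period) <= tolerance:
            result[src] = (len(times), median(gaps))
    return result

if __name__ == "__main__":
    print(periodic_sources(parse_blocks(SAMPLE_LOG)))
```

A source that shows up here with a steady 300 second gap is consistent with scheduled activity; the `SPT` and `DPT` fields on the matching lines indicate which service the blocked packets belong to.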