Attack Detected - Blocked because of an intrusion attack

Question

Hello, today I added a subdomain to my server. An nginx proxy is running in the background and I’m passing data from an API. I prepared everything and did ssl authentication with certbot. However, when I tried to access my site, I got the “Blocked because of an intrusion attack” warning. I searched for a solution to the problem but couldn’t find it. I am using Ubuntu droplet. In several forums they said that the source of this error is the provider (Digital Ocean). How can I solve this problem? The error screenshot is below.

Blocked because of an intrusion attack

Your computer has been blocked because an intrusion attack originating from your system was detected. For more information, contact the system administrator.

https://i.ibb.co/qYpvdgZ/Screenshot-35.png

Bobby · Answer

Hi there,

This is quite unlikely to be coming from DigitalOcean.

Can you confirm the following:

Are you using a VPN? If so does it work without you being connected to the VPN?
Are you accessing the server from a corporate network? If so have you tried accessing the site from another network like your 3G/4G for example?
Are you using Cloudflare? If so, can you try disabling it for a moment and try again?

Let me know how it goes!

Best,

Bobby

alexdo · Answer

Hello there,

As mentioned it’s unlikely to be coming from DigitalOcean.

You can examine the server access logs and check for malicious requests and general spikes in the load on the server in order to determine whether there was an issue related to a vast amount of traffic or not.

Regards

KFSys · Answer

Heya,

Below are several steps and considerations to troubleshoot and potentially resolve the issue. Please be aware that some steps might require technical proficiency with server administration and network security.

1. Check Server Logs

Check the server logs to see if there are any indications of unauthorized access attempts or other suspicious activity.

sudo cat /var/log/nginx/error.log
sudo cat /var/log/nginx/access.log
sudo cat /var/log/auth.log

Investigate any suspicious IP addresses, URLs, or user agents that you find in the logs.

2. Inspect Nginx Configuration

Check the configuration files for any abnormalities, misconfigurations, or unauthorized modifications.

3. Review Firewall Settings

Review the firewall settings on your server to ensure that there are no unnecessary ports open and that the firewall is configured correctly.

sudo ufw status

4. Scan for Malware

Run a malware scan on your server to ensure that it hasn’t been compromised.

You can use ClamAV, a well-known antivirus software for Unix systems, to perform the scan.

sudo apt-get install clamav clamav-daemon
sudo freshclam
sudo clamscan -r --bell -i /

5. Check Application Code

If you are developing your own application, inspect your application code to ensure there are no vulnerabilities or security misconfigurations that might be causing this problem.

6. Blocked by External Firewall/Security Software

The error message you provided typically appears when access is blocked by some firewall or security software. This could be at your ISP, on your local machine, or some security software running on your server. If the blocking is occurring at your local network or machine, try accessing your site from a different network or device to see if the problem persists.