cPanel and lfd IP block messages

magicalwonders

Well-Known Member
Nov 21, 2012
cPanel Access Level
Root Administrator
Hello,

Every time an attempt is made to log in to my server, I receive two messages as in the following examples -

One will come from cPanel -

5 failed login attempts to account mydomain (system) -- Large number of attempts from this IP: 91.201.244.50
Origin Country: Ukraine (UA)

Please use the following links to add to the black list:

Single IP: https://hostname.mydomain.com:2087/cgi/bl.cgi?ip=91.201.244.50
/24: https://hostname.mydomain.com:2087/cgi/bl.cgi?ip=91.201.244.0/24
/16: https://hostname.mydomain.com:2087/cgi/bl.cgi?ip=91.201.0.0/16



Please use the following links to add to the white list:

Single IP: https://hostname.mydomain.com:2087/cgi/wl.cgi?ip=91.201.244.50
/24: https://hostname.mydomain.com:2087/cgi/wl.cgi?ip=91.201.244.0/24
/16: https://hostname.mydomain.com:2087/cgi/wl.cgi?ip=91.201.0.0/16
And then another one from [email protected] with the subject line -
lfd on hostname.mydomain.com: blocked 91.201.244.50 (UA/Ukraine/-)

Time: Fri Oct 24 06:25:44 2014 +0100
IP: 91.201.244.50 (UA/Ukraine/-)
Failures: 10 (ftpd)
Interval: 3600 seconds
Blocked: Permanent Block
Two questions arise from this.

1. As the second email is reporting a permanent block of the IP address, I assume there is no need to click any links in the first email adding the IP to the blacklist?

2. If the IPs are automatically blocked or banned, is there any way to stop these notifications and just be advised of successful logins?

Hope someone can advise. :)
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
1. Correct, if the server is already blocking it you don't need to block manually.

2. Set LF_PERMBLOCK_ALERT = "0" in csf.conf or via WHM. There are other alert settings you can review as well.
 

Lor

Well-Known Member
Apr 29, 2005
2. Set LF_PERMBLOCK_ALERT = "0" in csf.conf or via WHM. There are other alert settings you can review as well.
I did but still receive emails about permanent block IPs.

Any more ideas?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Could you verify which email notification you received?

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I understand CSF/LFD restarted after change setting via WHM
Could you verify the email you are receiving is actually from CSF/LFD? Are you sure it's the same email reported by the original poster?

Thank you.
 

Lor

Well-Known Member
Apr 29, 2005
Could you verify the email you are receiving is actually from CSF/LFD? Are you sure it's the same email reported by the original poster?

Thank you.
This is the email:

Code:
lfd on server.xxxxxx.com: blocked 000.000.000.000 (ID/Indonesia/-)


Time:  Wed Nov 11 22:42:32 2015 -0700
IP:  000.000.000.000 (ID/Indonesia/-)
Failures: 5 (ftpd)
Interval: 3600 seconds
Blocked:  Permanent Block

Log entries:

Nov 11 22:41:57 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user]
Nov 11 22:42:03 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user]
Nov 11 22:42:11 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user]
Nov 11 22:42:23 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user]
Nov 11 22:42:29 server pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user]

--------------------------------------
// 000.000.000.000 is IP address
 

000

Well-Known Member
Jun 3, 2008
My /etc/csf/csf.conf shows:
Code:
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "0"
However, I still continue receiving:
Code:
lfd on myhost: blocked 223.255.28.203 (CN/China/-)  
Para: [email protected]
Time:     Wed Mar 10 19:37:46 2021 +0000
IP:       223.255.28.203 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked:  Permanent Block [LF_SSHD]

Log entries:

Mar 10 19:24:09 todo sshd[48532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.255.28.203  user=root
Mar 10 19:24:11 todo sshd[48532]: Failed password for root from 223.255.28.203 port 60965 ssh2
Mar 10 19:34:57 todo sshd[48856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.255.28.203  user=root
Mar 10 19:34:59 todo sshd[48856]: Failed password for root from 223.255.28.203 port 54020 ssh2
Mar 10 19:37:42 todo sshd[49092]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=223.255.28.203  user=root
What can I do BEFORE Gmail marks my IP as spam?
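
An added example, not part of the thread and not csf's own code: two posters set LF_PERMBLOCK_ALERT to "0" and still received block mail, and quizknows notes there are other alert settings to review. This function lists every csf.conf option whose name ends in _ALERT and is not "0"; the sample config is constructed from the lines posted above plus LF_EMAIL_ALERT, a real csf.conf option (mail when a login-failure trigger blocks an IP) whose value here is assumed.

```shell
#!/bin/sh
# List the lfd e-mail alert toggles that are still switched on.
# Usage: enabled_alerts /etc/csf/csf.conf      (or pipe a config on stdin)
# Output: one NAME=value line per option ending in _ALERT whose value is
# neither "0" nor empty. The pattern is anchored to the option name, so
# commented-out lines are ignored.
enabled_alerts() {
    awk '
        /^[ \t]*[A-Z0-9_]+_ALERT[ \t]*=/ {
            name = $0
            sub(/^[ \t]*/, "", name)          # strip leading whitespace
            sub(/[ \t]*=.*/, "", name)        # keep only the option name
            value = $0
            sub(/^[^=]*=[ \t]*"?/, "", value) # drop NAME = and opening quote
            sub(/"?[ \t]*$/, "", value)       # drop closing quote
            if (value != "0" && value != "") print name "=" value
        }
    ' "$@"
}

# Constructed sample: the LF_PERMBLOCK lines as posted in the thread, plus an
# assumed LF_EMAIL_ALERT value and a commented-out line that must be skipped.
sample_conf() {
cat <<'EOF'
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "0"
# LF_PERMBLOCK_ALERT = "1"
LF_EMAIL_ALERT = "1"
EOF
}

# Demo on the constructed sample; on a server, pass the real file instead.
sample_conf | enabled_alerts
```

Any option it prints can still generate mail even though LF_PERMBLOCK_ALERT is off; csf and lfd have to be restarted after a change for it to take effect.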