Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

cPanel and lfd IP block messages

Discussion in 'Security' started by magicalwonders, Nov 18, 2014.

  1. magicalwonders

    magicalwonders Well-Known Member

    Joined:
    Nov 21, 2012
    Messages:
    112
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    Everytime an attempt is made to login to my server, I receive two messages as in the following examples -

    One will come from cPanel -

    And then another one from root@hostname.mydomain.com with the subject line -
    lfd on hostname.mydomain.com: blocked 91.201.244.50 (UA/Ukraine/-)

    Two questions arise from this.

    1. As the second email is reporting a permanent block of the IP address, I assume there is no need to click any links in the first email adding the IP to the blacklist?

    2. If the IPs are automatically blocked or banned, is there any way to stop these notifications and just be advised of successful logins?

    Hope someone can advise. :)
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    88
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    1. Correct, if the server is already blocking it you don't need to block manually.

    2. Set LF_PERMBLOCK_ALERT = "0" in csf.conf or via WHM. There are other alert settings you can review as well.
     
  3. magicalwonders

    magicalwonders Well-Known Member

    Joined:
    Nov 21, 2012
    Messages:
    112
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Great. Thanks for the assistance and advice. :)
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. Lor

    Lor Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    156
    I did but still receive emails about permanent block IPs.

    Any more ideas?
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Could you verify which email notification you received?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,011
    Likes Received:
    88
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Did you fully restart CSF/LFD via WHM after making the change? Just restarting CSF will not make the change effective.
     
  8. Lor

    Lor Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    156
    I understand CSF/LFD restarted after change setting via WHM
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Could you verify the email you are receiving is actually from CSF/LFD? Are you sure it's the same email reported by the original poster?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. Lor

    Lor Well-Known Member

    Joined:
    Apr 29, 2005
    Messages:
    58
    Likes Received:
    0
    Trophy Points:
    156
    This is the email:

    Code:
    lfd on server.xxxxxx.com: blocked 000.000.000.000 (ID/Indonesia/-)
    
    
    Time:  Wed Nov 11 22:42:32 2015 -0700
    IP:  000.000.000.000 (ID/Indonesia/-)
    Failures: 5 (ftpd)
    Interval: 3600 seconds
    Blocked:  Permanent Block
    
    Log entries:
    
    Nov 11 22:41:57 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
    Nov 11 22:42:03 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
    Nov 11 22:42:11 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
    Nov 11 22:42:23 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
    Nov 11 22:42:29 server pure-ftpd: (?@000.000.000.000) [WARNING] Authentication failed for user [user]
    
    --------------------------------------
    
    // 000.000.000.000 is IP address
     
    #10 Lor, Nov 12, 2015
    Last edited by a moderator: Nov 12, 2015
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,478
    Likes Received:
    421
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Your options are located in this section of CSF:
    Login Failure Blocking and Alerts
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice