CSF client constantly blocked

Discussion in 'Security' started by vpsstore, Oct 4, 2011.

  1. vpsstore

    vpsstore Member

    Hi There,

    I have a new hosting client and he is constantly getting blocked by CSF. This is an example of the email I get when he is blocked:

    Code:
    Time:        Tue Oct  4 11:29:44 2011 +0100
    IP:          xxx.xxx.xxx.xxx (GB/United Kingdom/host-xxx-xxx-xxx-xxx.as43234.net)
    Connections: 370
    Blocked:     Temporary Block (IP match in csf.allow, block may not work)
    
    Connections:
    
    Connections:
    tcp: xxx.xxx.xxx.xxx:53374 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53143 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53267 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53140 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53441 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53179 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53163 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53457 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53130 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53139 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53357 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53102 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    tcp: xxx.xxx.xxx.xxx:53266 -> yyy.yyy.yyy.yyy:80 (TIME_WAIT)
    ......etc etc ad infinitum....
    Is there something up with his PC? Obviously I have allowed him, but should I be investigating the cause further?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I would not suggest allowing this many connections. If I was to guess, he chose to download/upload an entire directory of files. You should ask him what he was doing, or take a closer look at your logs for clues.
     
  3. vpsstore

    vpsstore Member

    Seems odd as he actually does not have cPanel access, email is hosted on Google Apps etc... he is simply accessing a website cp to add products to a store...
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    All the more reason not to add that IP to ignore. Something is up, check your logs right after he accesses the page again.
     
  5. SoftDux

    SoftDux Well-Known Member

    Chances are he might have a virus or worm on his PC trying to do stuff on the server.
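
A first triage step on an alert like the one quoted in the opening post, shown as an added example that is not part of the thread: tally the listed connections by destination port and TCP state, so that sockets still open can be told apart from ones already closed and lingering in TIME_WAIT. The function name and the sample alert are constructed for illustration; the addresses are documentation-range placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout of the alert quoted in the thread; the
# addresses are documentation-range placeholders, not values from the thread.
ALERT = """\
Time:        Tue Oct  4 11:29:44 2011 +0100
IP:          203.0.113.7 (GB/United Kingdom/host.example.net)
Connections: 6
Blocked:     Temporary Block

Connections:
tcp: 203.0.113.7:53374 -> 198.51.100.10:80 (TIME_WAIT)
tcp: 203.0.113.7:53143 -> 198.51.100.10:80 (TIME_WAIT)
tcp: 203.0.113.7:53267 -> 198.51.100.10:80 (TIME_WAIT)
tcp: 203.0.113.7:53140 -> 198.51.100.10:80 (TIME_WAIT)
tcp: 203.0.113.7:53441 -> 198.51.100.10:80 (ESTABLISHED)
tcp: 203.0.113.7:53179 -> 198.51.100.10:443 (ESTABLISHED)
"""

# One listed connection: "tcp: src:sport -> dst:dport (STATE)"
CONN_RE = re.compile(r"^[ \t]*tcp: \S+:\d+ -> \S+:(\d+) \((\w+)\)", re.M)
# The header line carrying the total; the bare "Connections:" label has no digits
COUNT_RE = re.compile(r"^[ \t]*Connections:[ \t]*(\d+)[ \t]*$", re.M)


def summarize_alert(text):
    """Tally the connections listed in an alert by (dest port, TCP state)."""
    tally = Counter()
    for dport, state in CONN_RE.findall(text):
        tally[(int(dport), state)] += 1
    listed = sum(tally.values())
    time_wait = sum(n for (_, s), n in tally.items() if s == "TIME_WAIT")
    reported = COUNT_RE.search(text)
    return {
        "reported": int(reported.group(1)) if reported else None,
        "listed": listed,
        "by_port_state": dict(tally),
        "active": listed - time_wait,  # sockets not merely lingering after close
        "time_wait_share": time_wait / listed if listed else 0.0,
    }


if __name__ == "__main__":
    s = summarize_alert(ALERT)
    print(f"reported={s['reported']} listed={s['listed']} active={s['active']}")
    for (port, state), n in sorted(s["by_port_state"].items()):
        print(f"  port {port:<5} {state:<12} {n}")
```

A high TIME_WAIT share on port 80 means the count is dominated by short-lived HTTP requests that have already finished, which is the pattern to compare against the web server's access log for the same minute. CSF's csf.conf has a CT_SKIP_TIME_WAIT setting that leaves such sockets out of the connection-tracking count.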
     