CSF Firewall Behaviour chaged after recent update

[Peoplespaces]

I notice that all of a sudden after the update too 11.52.0 that many notifications are no longer working with CSF firewall. It's happening on each server after they updated. Anyone else seeing this? Any suggestions as to why? No answers on the configserver forum.

 

[Infopro]

What notifications are you not getting exactly?

 

[Peoplespaces]

Root access and relay alerts for sure. There may be others. I am receiving block, excessive and suspicious process notices.

 

[Infopro]

I'm unable to verify this on my end, alerts seem to be working as expected. Not sure how to manually force a relay alert, but cPanel and root access alerts work.

Remove your IP from csf.ignore, restart CSF/LFD, logout of WHM and then back in to check.

 

[Peoplespaces]

Nope that did not work. Tried changing the syslog settings and did a restart and that changed nothing as well. Checked my receiving email account to verify that the sending servers' email addresses were in the allowed groups. OK. Checked the junk mail files. Nothing there. I am at a bit of a loss now.

 

[Peoplespaces]

Here's something interesting. Not sure it's related. It's the cPanel error log.

cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428
cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033
cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884
cpanel::cpsrvd::script() called at cpsrvd.pl line 379
[2015-11-17 09:50:08 -0500] warn [cpsrvd] Duplicate logaccess:  at /usr/local/cpanel/Cpanel/Server/Logger.pm line 84, line 2. Cpanel::Server::Logger::logaccess(Cpanel::Server::Logger=HASH(0x37371c8)) called at /usr/local/cpanel/Cpanel/Server.pm line 379 Cpanel::Server::logaccess(Cpanel::Server=HASH(0x38e75c8)) called at cpsrvd.pl line 3106 cpanel::cpsrvd::logaccess() called at cpsrvd.pl line 2761 cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428 cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033 cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884 cpanel::cpsrvd::script() called at cpsrvd.pl line 379 at /usr/local/cpanel/Cpanel/Server/Logger.pm line 84, line 2. Cpanel::Server::Logger::logaccess(Cpanel::Server::Logger=HASH(0x37371c8)) called at /usr/local/cpanel/Cpanel/Server.pm line 379 Cpanel::Server::logaccess(Cpanel::Server=HASH(0x38e75c8)) called at cpsrvd.pl line 3106 cpanel::cpsrvd::logaccess() called at cpsrvd.pl line 2761 cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428 cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033 cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884 cpanel::cpsrvd::script() called at cpsrvd.pl line 379

 

[Peoplespaces]

Just an update. I am receiving relay alerts. Not secure logins though.

 

[Infopro]

Just for fun, can you login from another IP address?

 

[Peoplespaces]

Hey. Weird. I did that and got the notice. I guess it works after all.

 

[Infopro]

About this:

No answers on the configserver forum.

It's not that they don't reply to posts over there, they do.

IMHO, if you don't get a reply, look closer at/for the details in your config. For example:

Send an email alert if anyone accesses WHM/cPanel via an account listed in
LF_CPANEL_ALERT_USERS. An IP address will be reported again 1 hour after the
last tracked access (or if lfd is restarted)

Happy to hear you got this one figured out.

 

[Peoplespaces]

Thanks for your help. Not sure why it won't notify me of my sign-ins but as long as I know about sign-ins from other IP addresses, that's what counts.