The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

CSF Firewall Behaviour chaged after recent update

Discussion in 'Security' started by Peoplespaces, Nov 17, 2015.

  1. Peoplespaces

    Peoplespaces Well-Known Member

    Joined:
    Oct 1, 2001
    Messages:
    217
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I notice that all of a sudden after the update too 11.52.0 that many notifications are no longer working with CSF firewall. It's happening on each server after they updated. Anyone else seeing this? Any suggestions as to why? No answers on the configserver forum.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    194
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    What notifications are you not getting exactly?
     
  3. Peoplespaces

    Peoplespaces Well-Known Member

    Joined:
    Oct 1, 2001
    Messages:
    217
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Root access and relay alerts for sure. There may be others. I am receiving block, excessive and suspicious process notices.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    194
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I'm unable to verify this on my end, alerts seem to be working as expected. Not sure how to manually force a relay alert, but cPanel and root access alerts work.

    Remove your IP from csf.ignore, restart CSF/LFD, logout of WHM and then back in to check.
     
  5. Peoplespaces

    Peoplespaces Well-Known Member

    Joined:
    Oct 1, 2001
    Messages:
    217
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Nope that did not work. Tried changing the syslog settings and did a restart and that changed nothing as well. Checked my receiving email account to verify that the sending servers' email addresses were in the allowed groups. OK. Checked the junk mail files. Nothing there. I am at a bit of a loss now.
     
  6. Peoplespaces

    Peoplespaces Well-Known Member

    Joined:
    Oct 1, 2001
    Messages:
    217
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Here's something interesting. Not sure it's related. It's the cPanel error log.

    Code:
    cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428
    cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033
    cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884
    cpanel::cpsrvd::script() called at cpsrvd.pl line 379
    [2015-11-17 09:50:08 -0500] warn [cpsrvd] Duplicate logaccess:  at /usr/local/cpanel/Cpanel/Server/Logger.pm line 84, line 2. Cpanel::Server::Logger::logaccess(Cpanel::Server::Logger=HASH(0x37371c8)) called at /usr/local/cpanel/Cpanel/Server.pm line 379 Cpanel::Server::logaccess(Cpanel::Server=HASH(0x38e75c8)) called at cpsrvd.pl line 3106 cpanel::cpsrvd::logaccess() called at cpsrvd.pl line 2761 cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428 cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033 cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884 cpanel::cpsrvd::script() called at cpsrvd.pl line 379 at /usr/local/cpanel/Cpanel/Server/Logger.pm line 84, line 2. Cpanel::Server::Logger::logaccess(Cpanel::Server::Logger=HASH(0x37371c8)) called at /usr/local/cpanel/Cpanel/Server.pm line 379 Cpanel::Server::logaccess(Cpanel::Server=HASH(0x38e75c8)) called at cpsrvd.pl line 3106 cpanel::cpsrvd::logaccess() called at cpsrvd.pl line 2761 cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428 cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033 cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884 cpanel::cpsrvd::script() called at cpsrvd.pl line 379
    
    
     
  7. Peoplespaces

    Peoplespaces Well-Known Member

    Joined:
    Oct 1, 2001
    Messages:
    217
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Just an update. I am receiving relay alerts. Not secure logins though.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    194
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Just for fun, can you login from another IP address?
     
  9. Peoplespaces

    Peoplespaces Well-Known Member

    Joined:
    Oct 1, 2001
    Messages:
    217
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hey. Weird. I did that and got the notice. I guess it works after all.
     
    Infopro likes this.
  10. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    194
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    About this:

    It's not that they don't reply to posts over there, they do.

    IMHO, if you don't get a reply, look closer at/for the details in your config. For example:

    Happy to hear you got this one figured out. :)
     
  11. Peoplespaces

    Peoplespaces Well-Known Member

    Joined:
    Oct 1, 2001
    Messages:
    217
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Thanks for your help. Not sure why it won't notify me of my sign-ins but as long as I know about sign-ins from other IP addresses, that's what counts.
     
    Infopro likes this.
Loading...

Share This Page