CSF Firewall Behaviour chaged after recent update

Peoplespaces

Well-Known Member
Oct 1, 2001
262
6
318
cPanel Access Level
Root Administrator
I notice that all of a sudden after the update too 11.52.0 that many notifications are no longer working with CSF firewall. It's happening on each server after they updated. Anyone else seeing this? Any suggestions as to why? No answers on the configserver forum.
 

Infopro

Well-Known Member
May 20, 2003
17,090
518
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
I'm unable to verify this on my end, alerts seem to be working as expected. Not sure how to manually force a relay alert, but cPanel and root access alerts work.

Remove your IP from csf.ignore, restart CSF/LFD, logout of WHM and then back in to check.
 

Peoplespaces

Well-Known Member
Oct 1, 2001
262
6
318
cPanel Access Level
Root Administrator
Nope that did not work. Tried changing the syslog settings and did a restart and that changed nothing as well. Checked my receiving email account to verify that the sending servers' email addresses were in the allowed groups. OK. Checked the junk mail files. Nothing there. I am at a bit of a loss now.
 

Peoplespaces

Well-Known Member
Oct 1, 2001
262
6
318
cPanel Access Level
Root Administrator
Here's something interesting. Not sure it's related. It's the cPanel error log.

Code:
cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428
cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033
cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884
cpanel::cpsrvd::script() called at cpsrvd.pl line 379
[2015-11-17 09:50:08 -0500] warn [cpsrvd] Duplicate logaccess:  at /usr/local/cpanel/Cpanel/Server/Logger.pm line 84, line 2. Cpanel::Server::Logger::logaccess(Cpanel::Server::Logger=HASH(0x37371c8)) called at /usr/local/cpanel/Cpanel/Server.pm line 379 Cpanel::Server::logaccess(Cpanel::Server=HASH(0x38e75c8)) called at cpsrvd.pl line 3106 cpanel::cpsrvd::logaccess() called at cpsrvd.pl line 2761 cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428 cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033 cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884 cpanel::cpsrvd::script() called at cpsrvd.pl line 379 at /usr/local/cpanel/Cpanel/Server/Logger.pm line 84, line 2. Cpanel::Server::Logger::logaccess(Cpanel::Server::Logger=HASH(0x37371c8)) called at /usr/local/cpanel/Cpanel/Server.pm line 379 Cpanel::Server::logaccess(Cpanel::Server=HASH(0x38e75c8)) called at cpsrvd.pl line 3106 cpanel::cpsrvd::logaccess() called at cpsrvd.pl line 2761 cpanel::cpsrvd::servcontent("./robots.txt", "text/plain", 1, 0, 1, 1, 0) called at cpsrvd.pl line 4428 cpanel::cpsrvd::handle_unprotected_docs() called at cpsrvd.pl line 1033 cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 884 cpanel::cpsrvd::script() called at cpsrvd.pl line 379
 

Infopro

Well-Known Member
May 20, 2003
17,090
518
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
About this:

No answers on the configserver forum.
It's not that they don't reply to posts over there, they do.

IMHO, if you don't get a reply, look closer at/for the details in your config. For example:

Send an email alert if anyone accesses WHM/cPanel via an account listed in
LF_CPANEL_ALERT_USERS. An IP address will be reported again 1 hour after the
last tracked access (or if lfd is restarted)
Happy to hear you got this one figured out. :)