CSF Firewall Deny list issue

Discussion in 'Security' started by Gareth-AWD, May 24, 2018.

  1. Gareth-AWD

    Gareth-AWD Well-Known Member

    IP addresses not in Firewall Deny List but are being blocked.

    I've noticed on 3 of our servers that when somebody goes into the Firewall block list, they call up and I can't find them. Yet if I clear the list and restart they can then get on fine.

    The csf deny list seems to reach its limit then stops showing new IPs on the list, but it appears they are being blocked.

    It never used to do this and it happens on all 3 servers. Any insight?
     
  2. keat63

    keat63 Well-Known Member

    Are they on the temporary list?
     
    cPanelLauren likes this.
  3. fuzzylogic

    fuzzylogic Well-Known Member

    What makes the client think that it was csf that blocked them?
    What errors did they see, or what changes in behavior from your server did they see?
    Could they not access website frontend, cPanel, email?
    If they were receiving 403 responses from the web server, for instance, then they were not in the deny list.

    I suggest you search /var/log/lfd.log for the IPs that were blocked.
    You will most likely find a log entry similar to the following...
    May 20 21:11:12 host lfd[10000]: Incoming IP xx.xx.xx.xx temporary block removed

    Temporary blocked IPs are not held in the csf deny list.
    You can view current temporary blocked IPs by clicking the "Temporary IP Entries" button at
    Home » Plugins » ConfigServer Security & Firewall main page.

    That said, by the time the client contacted you and you went looking, the default 3600 seconds could have expired and those IPs could have been removed from that list.

    Sorry Keat, I spent too long typing and you beat me to the point.
     
    #3 fuzzylogic, May 24, 2018
    Last edited: May 24, 2018
    cPanelLauren likes this.
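
Added example, not part of any post in this thread: a shell script that applies the lfd.log check suggested in post #3 to a single client IP and reports whether its last entry is an expired temporary block. Only the "temporary block removed" wording comes from the thread; the function names, the IPv4-only matching and the sample log lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: trace one IPv4 address through lfd.log.
# Function names and sample data are hypothetical, not part of csf/lfd.

# Print every log line that mentions exactly this IP.
# Dots are escaped and the match must not touch another digit,
# so 203.0.113.7 does not also match 203.0.113.70.
lfd_lines_for_ip() {
  pat=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -E "(^|[^0-9])${pat}([^0-9]|\$)" "${2:-/var/log/lfd.log}"
}

# Classify the IP by its most recent lfd.log entry:
#   temp-expired  last entry is a temporary block being removed,
#                 so the IP was blocked but never in the deny list
#   logged        lfd mentions the IP, but the last entry is not a removal
#   absent        lfd never logged the IP; the block came from elsewhere
lfd_block_state() {
  last=$(lfd_lines_for_ip "$1" "${2:-/var/log/lfd.log}" | tail -n 1)
  case $last in
    '')                          echo absent ;;
    *'temporary block removed'*) echo temp-expired ;;
    *)                           echo logged ;;
  esac
}

# Constructed sample log: documentation-range IPs, invented PIDs.
# Lines 1 and 3 are placeholders, not real lfd message text.
write_sample_log() {
  cat > "$1" <<'EOF'
May 20 20:11:10 host lfd[9990]: (constructed) login failures from 203.0.113.7 - temporary block added
May 20 21:11:12 host lfd[10000]: Incoming IP 203.0.113.7 temporary block removed
May 20 21:15:40 host lfd[10020]: (constructed) login failures from 203.0.113.70 - block added
EOF
}

# Demo run against the constructed log.
sample=$(mktemp)
write_sample_log "$sample"
for ip in 203.0.113.7 203.0.113.70 198.51.100.9; do
  printf '%s: %s\n' "$ip" "$(lfd_block_state "$ip" "$sample")"
done
rm -f "$sample"
```

On a live server, call `lfd_block_state <client-ip>` with no second argument to read /var/log/lfd.log; `csf -t` prints the temporary entries that are still active.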
  4. keat63

    keat63 Well-Known Member

  5. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    The suggestions by @keat63 and @fuzzylogic are spot on. It's possible they are temporary blocks; it would also be useful to find more information from /var/log/lfd.log.
     