CSF Firewall Deny list issue


IP addresses not in Firewall Deny List but are being blocked.

I've noticed on 3 of our servers that when somebody goes into the Firewall block list, they call up and I can't find them. Yet if I clear the list and restart they can then get on fine.

The csf deny list seems to reach its limit then stops showing new IPs on the list but it appears they are being blocked.

It never used to do this and it happens on all 3 servers. Any insight?


What makes the client think that it was csf that blocked them?
What errors did they see or what changes in behavior from your server did they see?
Could they not access website frontend, cPanel, email?
If they were receiving 403 responses from the web server, for instance, then they were not in the deny list.

I suggest you search /var/log/lfd.log for the IPs that were blocked.
You will most likely find a log entry similar to the following...
May 20 21:11:12 host lfd[10000]: Incoming IP xx.xx.xx.xx temporary block removed

Temporarily blocked IPs are not held in the csf deny list.
You can view currently temporarily blocked IPs by clicking the "Temporary IP Entries" button at
Home » Plugins » ConfigServer Security & Firewall main page.

That said, by the time the client contacted you and you went looking, the default 3600 seconds could have expired and those IPs could have been removed from that list.

Sorry Keat, I spent too long typing and you beat me to the point.
The suggestions by @keat63 and @fuzzylogic are spot on; it's possible they are temporary blocks. It would also be useful to find more information from /var/log/lfd.log
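
The check suggested in the replies above, as an added example that is not part of any post in this thread: a small shell function that tells a permanent csf.deny entry apart from an lfd temporary block that has already expired. The function names, the sample files and the documentation-range IPs are constructed for illustration; the log line follows the format quoted above, and only plain "IP # comment" entries in csf.deny are handled.

```shell
#!/bin/sh
# Added example: classify how csf/lfd has handled an IP.
# Usage: triage_ip IP [LFD_LOG] [DENY_FILE]
# Defaults are the usual csf locations; pass other paths to test offline.
triage_ip() {
    ip=$1
    log=${2:-/var/log/lfd.log}
    deny=${3:-/etc/csf/csf.deny}

    # Permanent block: a plain csf.deny entry starts with the IP itself.
    if [ -r "$deny" ] &&
       awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$deny"; then
        echo "permanent"
        return 0
    fi

    # No readable log means nothing to report.
    if [ ! -r "$log" ]; then
        echo "not-found"
        return 0
    fi

    # Match the IP as a whole field so 192.0.2.1 never matches 192.0.2.10.
    awk -v ip="$ip" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == ip) hit = 1 }
        hit && /temporary block removed/ { expired = 1 }
        hit { seen = 1 }
        END {
            if (expired)   print "temporary-expired"
            else if (seen) print "mentioned"
            else           print "not-found"
        }' "$log"
}

# Constructed sample data (not real server logs) for trying the function.
make_sample() {
    dir=$1
    cat > "$dir/lfd.log" <<'EOF'
May 20 21:11:12 host lfd[10000]: Incoming IP 192.0.2.10 temporary block removed
May 20 21:15:40 host lfd[10000]: Incoming IP 192.0.2.100 temporary block removed
EOF
    cat > "$dir/csf.deny" <<'EOF'
# constructed csf.deny sample
203.0.113.5 # constructed permanent entry
EOF
}

# Run directly as: sh triage.sh 192.0.2.10
if [ -n "${1:-}" ]; then triage_ip "$@"; fi
```

On a live server, `csf -t` lists the temporary entries that are still active and `csf -g IP` searches the loaded rules for an address.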