The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

CSF Firewall Won't Block IP's

Discussion in 'Security' started by robobobo, Jul 15, 2014.

  1. robobobo

    robobobo Member

    Joined:
    Jan 4, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Strange thing going on, looking at my lfd.log file, I can see that there is multiple SSH attempts from dodgy IP addresses, the log file says it blocks them, and then on the next line of the log file it says it can't block them as they are in the allow list.

    A typical one looks like this

    Code:
    Jul 13 07:26:40 server1 lfd[26327]: (sshd) Failed SSH login from 1.93.34.243 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    Jul 13 07:26:50 server1 lfd[26362]: *Error*: csf output: deny failed: 1.93.34.243 is in the allow file /etc/csf/csf.allow
    
    
    I can assure you none of these IP addresses are in my allow.csf, I have triple checked and only a handful of IP's are in there which I have added.

    Even if I manually try block that IP with quick block in WHM it won't let me as it says again that it is in the allow file, but it's definitely not

    Any idea what's going on here? It's happening with a dozen or so IP addresses
     
  2. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Have you checked the contents of /etc/csf/csf.allow directly (i.e. from a shell)? It is possible there is a cidr range or something in there causing this.
     
  3. robobobo

    robobobo Member

    Joined:
    Jan 4, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    Yep went in there and checked as well, I do have a range specified for Cloudflare, but the ip addresses are completely different as far as I can tell
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    This is odd; I've never seen CSF do that for IPs that are not listed in csf.allow or part of a CIDR range listed in csf.allow.

    Perhaps check the syntax of your cidr ranges with a tool such as CIDR Utility Tool | IP Address Guide

    I'm sure you don't want to post your csf.allow file publicly, but if you want to PM it to me I can take a glance as well.
     
  5. robobobo

    robobobo Member

    Joined:
    Jan 4, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    I don't think I have any CIDR's anyway in the file, I PM'd you there with a copy of the file, thanks for this!
     
  6. robobobo

    robobobo Member

    Joined:
    Jan 4, 2013
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    We found the problem, I had inputted one of cloudlfare's IP address incorrectly!
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,675
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page