CSF Firewall Won't Block IP's

robobobo

Member
Jan 4, 2013
15
0
1
cPanel Access Level
Website Owner
Strange thing going on, looking at my lfd.log file, I can see that there is multiple SSH attempts from dodgy IP addresses, the log file says it blocks them, and then on the next line of the log file it says it can't block them as they are in the allow list.

A typical one looks like this

Code:
Jul 13 07:26:40 server1 lfd[26327]: (sshd) Failed SSH login from 1.93.34.243 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jul 13 07:26:50 server1 lfd[26362]: *Error*: csf output: deny failed: 1.93.34.243 is in the allow file /etc/csf/csf.allow
I can assure you none of these IP addresses are in my allow.csf, I have triple checked and only a handful of IP's are in there which I have added.

Even if I manually try block that IP with quick block in WHM it won't let me as it says again that it is in the allow file, but it's definitely not

Any idea what's going on here? It's happening with a dozen or so IP addresses
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Have you checked the contents of /etc/csf/csf.allow directly (i.e. from a shell)? It is possible there is a cidr range or something in there causing this.
 

robobobo

Member
Jan 4, 2013
15
0
1
cPanel Access Level
Website Owner
Yep went in there and checked as well, I do have a range specified for Cloudflare, but the ip addresses are completely different as far as I can tell
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
This is odd; I've never seen CSF do that for IPs that are not listed in csf.allow or part of a CIDR range listed in csf.allow.

Perhaps check the syntax of your cidr ranges with a tool such as CIDR Utility Tool | IP Address Guide

I'm sure you don't want to post your csf.allow file publicly, but if you want to PM it to me I can take a glance as well.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,229
463
I am happy to see you were able to resolve the issue. Thank you for updating us with the outcome.