CSF keeps blocking IP addresses of customers.

Jun 1, 2020
12
1
3
Oldham, England
cPanel Access Level
Reseller Owner
I have been using CSF (ConfigServer Security & Firewall) for a while now and when I first set it up I had to keep adding customers' IP addresses to the "Allow List" due to being blocked.

Now this keeps happening as soon as a customer takes their laptop home and uses their house address / IP to access their emails.

Is there a setting that is kicking in or can be turned off to prevent it being so sensitive and blocking anyone accessing emails elsewhere?

I know there are limits in place which block IP addresses when there are so many failed login attempts etc., but this is quite simply a customer taking their computer home and being blocked.

There must be something that can be done to prevent this as I can't keep adding IP addresses to the allow list each time a customer goes to work from home or a local coffee shop.

Any help much appreciated.

Thanks
 

vacancy

Well-Known Member
Sep 20, 2012
542
214
93
Turkey
cPanel Access Level
Root Administrator
Hard to say without knowing your csf configuration.

Your login brute force settings may be sensitive, your customer may be banned if they make incorrect password attempts, or if they are using software such as Outlook and trying to automatically log in to an account with a changed password, there may be a ban. I suggest watching the csf ban logs to determine why your client was banned. You can change the csf settings accordingly.
 

Diego Piquero

Member
Jan 13, 2022
22
3
3
España
cPanel Access Level
Root Administrator
I would try using tcpdump on the IP to see if it's really whitelisted and if the traffic is going outside. Also check the cPHulk logs, as I once had an IP whitelisted through CSF but cPHulk banned the IP.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
12,499
1,971
363
cPanel Access Level
Root Administrator
Thanks for the great responses, everyone! It's important to note that cPanel doesn't make or distribute CSF, so if you're seeing odd issues there you may want to reach out to their team directly at Technical Support.

With that being said, I haven't seen other reports of this issue so I don't have much to add that hasn't been posted already.
 
Jun 1, 2020
12
1
3
Oldham, England
cPanel Access Level
Reseller Owner
Thanks for the responses about this guys and gals.

+ I do have brute force settings active for failed login attempts but there's no failed login attempt as they are just using their laptop in a different location.

+ I also checked the white / blacklist management under cPHulk but nothing was there.

+ CSF Logs don't indicate anything unless I'm not understanding them properly.

+ LF_POP3D, LF_POP3D_PERM, LF_IMAPD, LF_IMAPD_PERM are set to default, 10 and 1 respectively.

I didn't think to check for their own support, so will send them a message also to see if they can shed any light on it.

Thanks again.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,696
352
438
Finland
cPanel Access Level
Root Administrator
When a customer's IP is blocked go to WHM -> Plugins -> ConfigServer Security & Firewall -> Server Information -> Search System Logs
and search for the IP in /var/log/lfd.log
 

Diego Piquero

Member
Jan 13, 2022
22
3
3
España
cPanel Access Level
Root Administrator
Have you looked at cPHulk logs?

/usr/local/cpanel/logs/cphulkd.log

/usr/local/cpanel/logs/cphulkd_errors.log


I had it blocking an IP but not showing it in the blacklist; once I looked at the logs I found the issue.
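
The log search suggested in the replies above, as an added example that is not part of the original thread or of CSF or cPanel: it finds lines mentioning exactly one IPv4 address and lists the bracketed trigger names (such as LF_IMAPD) on them. The function names and the sample log lines are constructed, and the lfd.log line layout shown is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): why was this IP blocked?

# find_block_lines IP FILE...
# Print lines that mention exactly this IPv4 address, so that
# 203.0.113.5 does not also match 203.0.113.50.
find_block_lines() {
    ip=$1; shift
    # Accept only digits and dots, so the argument cannot inject regex syntax.
    case $ip in ''|*[!0-9.]*) echo "not an IPv4 address: $ip" >&2; return 2;; esac
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')   # make each dot literal
    for f in "$@"; do
        [ -r "$f" ] || continue                   # skip missing logs
        grep -HE "(^|[^0-9.])${pat}([^0-9.]|\$)" "$f" || true
    done
}

# block_triggers IP FILE...
# List the distinct bracketed trigger names found on the matching lines.
block_triggers() {
    find_block_lines "$@" | grep -oE '\[[A-Z][A-Z0-9_]+\]' | sort -u
}

# demo: run the search over a constructed sample log (assumed layout).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/lfd.log" <<'EOF'
Jun  1 09:12:01 host lfd[2101]: (imapd) Failed IMAP login from 203.0.113.5 (GB/United Kingdom/-): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]
Jun  1 09:15:44 host lfd[2101]: (pop3d) Failed POP3 login from 203.0.113.50 (GB/United Kingdom/-): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]
EOF
    block_triggers 203.0.113.5 "$dir/lfd.log"
    rm -rf "$dir"
}

demo
```

On a server, pass the paths named in the thread instead of the sample file, for example `block_triggers <customer-ip> /var/log/lfd.log`, and run `find_block_lines` over the two cPHulk logs to read the matching lines in full.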