CSF keeps blocking IP addresses of customers.

[digitalrefresh]

I have been using CSF Config Security & Firewalldf for a while now and when I first set it up I had to keep adding customers IP addresses to the "Allow List" cue to being blocked.

Now this keeps happening soon as a customer takes their laptop home and uses their house address / IP to access their emails.

Is there a setting that is kicking in or can be turned off to prevent it being so sensitive and blocking anyone access emails elsewhere?

I know there are limits in place which block IP address when there are so many failed login attempts etc, but this is quite simply a customer taking their computer home and being blocked.

There must be something that can be done to prevent this as I can't keep adding IP addresses to the allow list each time a customer goes to work from home or a local coffee shop.

Any help much appreciated.

Thanks

 

[vacancy]

Hard to say without knowing your csf configuration.

Your login brute force settings may be sensitive, your customer may be banned if they make incorrect password attempts, or if they are using software such as outlook and trying to automatically login to an account with a changed password, there may be a ban. I suggest watching the csf ban logs to determine why your client was banned. You can change the csf settings accordingly.

 

[Diego Piquero]

I would try using tcpdump to the IP to see if it's really whitelisted and if the trafic is going outside, also check for the logs of cPHulk as once I had an IP whitlisted through CSF but cphulk banned the ip.

 

[quietFinn]

@digitalrefresh
what are your settings for
LF_POP3D
LF_POP3D_PERM
LF_IMAPD
LF_IMAPD_PERM

 

[cPRex]

Thanks for the great responses, everyone! It's important to note that cPanel doesn't make or distribute CSF so if you're seeing odd issues there you may want to reach out to their team directly at Technical Support

With that being said, I haven't seen other reports of this issue so I don't have much to add that hasn't been posted already.

 

[digitalrefresh]

Thanks for the responses about this guys and gals.

+ I do have brute force settings active for failed login attempts but there's no failed login attempt as they are just using their laptop in a different location.

+ I also checked the white / blacklist management under CP Hulk but nothing was there.

+ CSF Logs don't indicate anything unless I'm not understanding them properly.

+ LF_POP3D , LF_POP3D_PERM , LF_IMAPD , LF_IMAPD_PERM are set to default, 10 and 1 respectively.

I didn't think to check for their own support, so will send them a message also to see if they can shed any light on it.

Thanks again.

 

[cPRex]

When you find the IPs blocked, are they listed in CSF_DENY?

 

[quietFinn]

When a customer's IP is blocked go to WHM -> Plugins -> ConfigServer Security & Firewall -> Server Information -> Search System Logs
and search for the IP in /var/log/lfd.log

 

[Diego Piquero]

Have you looked at cPhulk logs?

/usr/local/cpanel/logs/cphulkd.log

/usr/local/cpanel/logs/cphulkd_errors.log

I had it blocking an IP but not showing it in the blacklist, once I looked at the logs found the issue