CSF/LFD Problem

Discussion in 'General Discussion' started by ToddW, Aug 31, 2016.

  1. ToddW

    ToddW Well-Known Member

    As of yesterday CSF/LFD is now preventing the ECOM stores on my server from connecting to UPS to get a quote for shipment.

    If I disable CSF/LFD it works just fine, so I know this is the cause.

    I don't see any UPS IPs blocked.

    Any suggestions?
     
  2. ToddW

    To follow up, there are no IPs banned; I flushed the ban list, and it still doesn't work.

    If I disable CSF/LFD it works.

    How did this 'new' rule get in place by itself that I don't know about and can't find that's blocking server access --> UPS?
     
  3. rpvw

    rpvw Well-Known Member

    Probably better placed on the actual CSF Forums :

    Couple of things to look for:
    Is it the process that is being blocked? (Check the /var/log/lfd.log - available from the CSF menu)
    Is the IP of your UPS service in one or other of any RBLs that you have enabled in CSF?
     
  4. ToddW

    So, I'm not sure what LFD / CSF is triggering this block.

    But, I've added the UPS IPs (2) to the allow list, and ignore for LFD.
    I also added the Akamai domains UPS uses to the 'domain' list on the LFD to ignore all hosts in that file.

    Now UPS gets rates.

    However I need to still find the 'issue' causing this, it just started.
     
  5. ToddW

    The process randomly sends me warning e-mails, but I added it to the block list EXE and CMD and that didn't change/fix anything.

    The problem is the "IP" isn't an IP because UPS uses Akamai so there are tons of IPs from UPS.

    I flushed the Block lists and it still didn't work.

    The only way I have it working now is adding the 2 UPS IPs to the allow list and ignore list, and adding 4 Akamai (UPS-related) FQDNs to the Ignore Hostname file.

    I'm not sure what rule is triggering it.
     
  6. rpvw

    Have you tried using /etc/csf/csf.dyndns ? (lfd Dynamic DNS)
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Remove the whitelisted IPs to test some more. Open the Watch System Logs tool in CSF, and initiate a quote for shipment as you do and see if anything shows up in that log.

    What's the email from csf/lfd say exactly?
     
  8. ToddW

    That's where I put the Akamai / UPS domains (4) and it started working again after that.

    Trying to figure out what rule is being tripped as I've had this exact setup for 2+ years 0 problems, and then yesterday, bam, UPS connection issues.


    I did this prior, and couldn't find anything in there about the "server" connecting to someone else.

    The E-Mail is about a suspicious process, which is the "ECOM" software as it's compiled so it runs like "ecomsoftware" with the full path, and the suspicious activity is it connecting on port 443 to IP, which is also what it's trying to do for a UPS quote.

    So I think this is what's blocking it, however I added the "ecomsoftware" CMD and full path executable to the 'ignore' list of CMD and EXE and it still wasn't working, only when I did the Dynamic DNS did it start working.

    So I have it band-aided, but I'd like to find the 'real issue' as far as what's triggering it.

    LFD ON SERVER: Suspicious process under under user userName
    Executable:

    /home/userName/public_html/cgi-bin/appName


    Command Line (often faked in exploits):

    appName


    Network connections by the process (if any):

    tcp: SERVERIP -> 23.209.125.179:443


    If you check that IP it's the Akamai IP.




    Since this "is" the issue to me, I don't get why adding "appName" and that full executable path + app name to ignore list for LFD didn't actually stop the problems.

    Or why did this become an issue yesterday as it's been doing this for years.
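
Added example, not part of the original thread: a Python sketch that parses an LFD suspicious-process alert in the layout quoted above and reports which ignore entries match it exactly. The sample alert and ignore file are constructed, `parse_alert` and `matching_ignores` are hypothetical helpers, and the `exe:`/`cmd:`/`user:` prefixes are those of CSF's `csf.pignore`, assumed here to be compared as exact strings.

```python
import re

# Constructed sample that follows the layout of the alert quoted in the thread.
SAMPLE_ALERT = """\
LFD ON SERVER: Suspicious process running under user userName
Executable:

/home/userName/public_html/cgi-bin/appName

Command Line (often faked in exploits):

appName

Network connections by the process (if any):

tcp: 192.0.2.10:51514 -> 23.209.125.179:443
"""
# Constructed csf.pignore excerpt; the exe: path differs from the alert by case.
SAMPLE_PIGNORE = """\
# local additions
exe:/home/userName/public_html/cgi-bin/appname
cmd:appName
"""
CONN_RE = re.compile(r"^(tcp6?|udp6?):\s*(\S+)\s*->\s*(\S+):(\d+)$")

def parse_alert(text):
    """Split the alert body into user, exe, cmd and remote connections."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    user = re.search(r"user (\S+)$", lines[0])
    alert = {"user": user.group(1) if user else None,
             "exe": None, "cmd": None, "connections": []}
    section = None
    for ln in lines[1:]:
        if ln.startswith("Executable:"):
            section = "exe"
        elif ln.startswith("Command Line"):
            section = "cmd"
        elif ln.startswith("Network connections"):
            section = "net"
        elif section == "net":
            m = CONN_RE.match(ln)
            if m:
                alert["connections"].append((m[1], m[2], m[3], int(m[4])))
        elif section in ("exe", "cmd") and alert[section] is None:
            alert[section] = ln
    return alert

def matching_ignores(alert, pignore_text):
    """Return the ignore entries that exactly match the alert's values."""
    wanted = {f"{k}:{alert[k]}" for k in ("exe", "cmd", "user")}
    entries = (ln.strip() for ln in pignore_text.splitlines())
    return [e for e in entries if e in wanted]
```

With the constructed inputs only `cmd:appName` matches, because the `exe:` entry differs from the reported path by one letter's case. Whether the alert and the blocked connection are related is a separate question that the thread leaves open.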

     
  9. Infopro

    CSF has been updated a few times this past week.
    blog.configserver.com

    Agreed.
     
  10. ToddW

    Oddly, I can't access their domain / site... I'm on ATT Business connection.
     
  11. Infopro

    Strange, works for me here.
     