ToddW

Well-Known Member
Jan 3, 2004
103
0
166
As of yesterday CSF/LFD is now preventing the ECOM stores on my server from connecting to UPS to get a quote for shipment.

If I disable CSF/LFD it works just fine, so I know this is the cause.

I don't see any UPS IPs blocked.

Any suggestions?

ToddW

To follow-up there are no IPs banned, I flushed the ban list, and it still doesn't work.

If I disable CSF/LFD it works.

How did this 'new' rule get in place by itself that I don't know about and can't find, that's blocking server access --> UPS?

rpvw

Well-Known Member
Jul 18, 2013
1,101
466
113
UK
cPanel Access Level
Root Administrator
Probably better placed on the actual CSF Forums :

Couple of things to look for -
Is it the process that is being blocked? (Check /var/log/lfd.log - available from the CSF menu)
Is the IP of your UPS service in one or other of any RBLs that you have enabled in CSF?

ToddW

So, I'm not sure what LFD / CSF is triggering this block.

But, I've added the UPS IPs (2) to the allow list, and ignore for LFD.
I also added the Akamai domains UPS uses to the 'domain' list on the LFD to ignore all hosts in that file.

Now UPS gets rates.

However I need to still find the 'issue' causing this, it just started.

ToddW

Probably better placed on the actual CSF Forums :

Couple of things to look for -
Is it the process that is being blocked? (Check /var/log/lfd.log - available from the CSF menu)
Is the IP of your UPS service in one or other of any RBLs that you have enabled in CSF?
The process randomly sends me warning e-mails, but I added it to the block list EXE and CMD and that didn't change/fix anything.

The problem is the "IP" isn't an IP because UPS uses Akamai so there are tons of IPs from UPS.

I flushed the Block lists and it still didn't work.

The only way I have it working now is adding the 2 UPS IPs to the allow list and ignore list, and adding 4 Akamai (UPS related) FQDNs to the Ignore Hostname file.

I'm not sure what rule is triggering it.

rpvw

Have you tried using /etc/csf/csf.dyndns ? (lfd Dynamic DNS)

ToddW

Have you tried using /etc/csf/csf.dyndns ? (lfd Dynamic DNS)
That's where I put the Akamai / UPS domains (4) and it started working again after that.

Trying to figure out what rule is being tripped, as I've had this exact setup for 2+ years with 0 problems, and then yesterday, bam, UPS connection issues.


Remove the whitelisted IPs to test some more. Open the Watch System Logs tool in CSF, and initiate a quote for shipment as you do and see if anything shows up in that log.

What's the email from csf/lfd say exactly?
I did this prior, and couldn't find anything in there about the "server" connecting to someone else.

The E-Mail is about a suspicious process, which is the "ECOM" software as it's compiled so it runs like "ecomsoftware" with the full path, and the suspicious activity is it connecting on port 443 to IP, which is also what it's trying to do for a UPS quote.

So I think this is what's blocking it, however I added the "ecomsoftware" CMD and full path executable to the 'ignore' list of CMD and EXE and it still wasn't working, only when I did the Dynamic DNS did it start working.

So I have it band-aided, but I'd like to find the 'real issue' as far as what's triggering it.

LFD ON SERVER: Suspicious process under user userName
Executable:

/home/userName/public_html/cgi-bin/appName


Command Line (often faked in exploits):

appName


Network connections by the process (if any):

tcp: SERVERIP -> 23.209.125.179:443
http://23.209.125.179:443/

If you check that IP it's the Akamai IP.

Since this "is" the issue to me, I don't get why adding "appName" and that full executable path + app name to ignore list for LFD didn't actually stop the problems.

Or why did this become an issue yesterday as it's been doing this for years.
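The alert above is the LFD process-tracking format, and whether a csf.pignore entry exempts the process depends on how the rule is matched. The following is an added example, not code from the thread or from CSF/LFD itself: it parses an alert constructed from the one quoted above into its executable, command line, user and outbound connections, then evaluates csf.pignore-style rules against it. The matching semantics are an assumption taken from the csf.pignore header comments (exe:/cmd:/user: compare the whole value exactly; pexe:/pcmd:/puser: are regexes), so a cmd: entry only helps when it equals the full command line that LFD reported.

```python
import re

# Constructed sample modelled on the alert quoted in the thread (not a real capture).
SAMPLE_ALERT = """LFD ON SERVER: Suspicious process under user userName
Executable:

/home/userName/public_html/cgi-bin/appName

Command Line (often faked in exploits):

appName

Network connections by the process (if any):

tcp: SERVERIP -> 23.209.125.179:443
"""


def parse_alert(text):
    """Extract user, executable, command line and connections from an LFD alert."""
    user = re.search(r"Suspicious process under user (\S+)", text).group(1)
    exe = re.search(r"Executable:\s*(\S+)", text).group(1)
    cmd = re.search(r"Command Line[^\n]*\n\s*([^\n]+)", text).group(1).strip()
    conns = re.findall(r"(tcp|udp): (\S+) -> (\S+):(\d+)", text)
    return {"user": user, "exe": exe, "cmd": cmd,
            "connections": [(proto, dst, int(port)) for proto, _src, dst, port in conns]}


def pignore_matches(rules, alert):
    """Return the csf.pignore lines that would exempt the parsed process.

    Assumed semantics: exe:/cmd:/user: must equal the reported value exactly,
    pexe:/pcmd:/puser: are treated as regular expressions.
    """
    hits = []
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks and comments
        kind, _, value = line.partition(":")
        field = kind[1:] if kind.startswith("p") else kind  # pexe -> exe, etc.
        if field not in ("exe", "cmd", "user"):
            continue
        if kind.startswith("p"):
            if re.search(value, alert[field]):
                hits.append(line)
        elif value == alert[field]:
            hits.append(line)
    return hits
```

Running it with `cmd:appName` against this alert matches, while `cmd:appName --quote` does not, which is the first thing to compare when an ignore entry seems to be silently skipped.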