CSF no longer blocking IP Address after WHM update 98.0.6

Operating System & Version
centos 7
cPanel & WHM Version
11.98.0

DevTeam9200

Member
Jan 29, 2018
11
2
3
Australia
cPanel Access Level
Root Administrator
Hi Team,

I just noticed IP addresses in /etc/csf/csf.deny are not being blocked any more since WHM update 98.0.6. I am aware this may be a CSF issue but wanted to share. I thought at first this was just one server, but I have checked on 11 servers and all are having the same issue.

1. whm1 - cloudlinux - no cloudflare - no engintron = /etc/csf/csf.deny ip address added manually $csf -d x.x.x.x. and it does not block ip address. IP can still see all websites on server and continue to spam.

2. whm2 - litespeed enterprise - Cloudflare = /etc/csf/csf.deny ip address added manually $csf -d x.x.x.x. and it does not block ip address. IP can still see all websites on server and continue to spam.

3. whm + engintron + cloudflare = same, not working.

Common thing is they are all recently on whm v98.0.6 and csf no longer blocks ip addresses.

It however does block ports fine. Example: port 80 or 443 can be blocked and works.

I would love any assistance from anyone out there! How to troubleshoot such an issue here?

I notice this may be CSF related but I want to see if anyone else can replicate this issue as well?

Oh and csf version

[[email protected] ~]# csf -v
csf: v14.10 (cPanel)
[[email protected] ~]#


Also posted this on the CSF website forum, but they are very slow and unresponsive.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
6,810
895
313
cPanel Access Level
Root Administrator
Hey there! To test this on my end, I did the following:

-removed my IP address from the csf.allow file
-ran the "csf -d x.x.x.x" command to block the IP
-confirmed in the output that traffic was dropped

At this point I could still visit all the sites on my server, so I have confirmed the issue.

You'll definitely want to reach out to CSF about this behavior as they may have a more widespread issue happening, but there isn't anything in WHM that would affect this.
 

quietFinn

Well-Known Member
Feb 4, 2006
1,299
127
193
Finland
cPanel Access Level
Root Administrator
I tested this and blocking worked as expected, Centos 7.9 kvm, WHM 98.0.6, csf 14.10
 

DevTeam9200

> Hey there! To test this on my end, I did the following:
>
> -removed my IP address from the csf.allow file
> -ran the "csf -d x.x.x.x" command to block the IP
> -confirmed in the output that traffic was dropped
>
> At this point I could still visit all the sites on my server, so I have confirmed the issue.
>
> You'll definitely want to reach out to CSF about this behavior as they may have a more widespread issue happening, but there isn't anything in WHM that would affect this.

I have tried reaching out to CSF and they do not even want to recognise it as a bug; they moved it to general discussion with no response. Their forums are quite disappointing compared to their product, which is usually a good one.

There is definitely an issue here and definitely not isolated, as we can both replicate it on various different tests.

Where to from here is the question? Ditch csf? I guess, when will cPanel include a good firewall as part of WHM?
 

cPRex

We have no plans to include a firewall at this time, or at least any plans that I am aware of. We try and stay hands-off with that area of the server.

I would guess CSF will reply at some point, but I'm doing some additional testing on my end as well.
 

DevTeam9200

> I tested this and blocking worked as expected, Centos 7.9 kvm, WHM 98.0.6, csf 14.10

Hi Finn, weird that it worked for you. Are you sure you are doing the same testing we did? I.e. testing blocking of an IP from being able to view the websites.

I.e. add the IP to csf.deny, then view a website running on the server; you will see it's not blocked. Can still view the website on http or https.

Cheers
 

DevTeam9200

> We have no plans to include a firewall at this time, or at least any plans that I am aware of. We try and stay hands-off with that area of the server.
>
> I would guess CSF will reply at some point, but I'm doing some additional testing on my end as well.

Thanks @cPRex! Yeah, I am sure they will respond if they acknowledge the bug firstly. But yes, understood on the stay away part as well. Was just a thought to make whm all in one.

Please do keep me posted on any updates on this one if you find anything or get a different outcome. As I said, I tried on many of our servers and clients' servers and replicated it on many.

I will also update if we get any update from csf forum on post here :

 

quietFinn

> Hi Finn, weird that it worked for you. Are you sure you are doing the same testing we did? I.e. testing blocking of an IP from being able to view the websites.
>
> I.e. add the IP to csf.deny, then view a website running on the server; you will see it's not blocked. Can still view the website on http or https.
>
> Cheers

I added my own IP:
csf -d xxx.xxx.xxx.xxx
After that I could not connect to a site in that server.

Then I removed that block line in /etc/csf/csf.deny (from a laptop using another IP), and ran:
csf -ra
and after that I was able to access that site.

It does not mean that it's not a bug, but it means that it does not affect every server running WHM 98.0.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
621
202
343
cPanel Access Level
DataCenter Provider
Just for curiosity, have you run

Code:
iptables -L -n
To see if the IP is in the DENYIN/DENYOUT chains? To figure out where the issue is you have to see if it's being added to the chain (CSF issue) or if it is added, but not working, then it's possibly an iptables issue?
 

DevTeam9200

> Just for curiosity, have you run
>
> Code:
> iptables -L -n
> To see if the IP is in the DENYIN/DENYOUT chains? To figure out where the issue is you have to see if it's being added to the chain (CSF issue) or if it is added, but not working, then it's possibly an iptables issue?

Hi ffeingol,
Thanks for the reply and additional tips to check. That was a great idea. Thanks.

FYI the IP Address I used was on a test 4g phone: 110.54.174.83

Also to add:

[[email protected] ~]# iptables --version
iptables v1.4.21
[[email protected] ~]#


[[email protected] ~]# iptables -L -n | grep '110.54.174.83'
DROP        all  --  110.54.174.83        0.0.0.0/0
LOGDROPOUT  all  --  0.0.0.0/0            110.54.174.83
[[email protected] ~]#

The above is from the snippet below. FYI the DROP 0.0.0.0 for ports 8080 and 8443 are for Engintron. I suspected this may be causing the issue but have tested on another server without Engintron and was able to replicate, as was @cPRex, so I assumed it is not relevant in the equation here.

Chain DENYIN (1 references)
target      prot opt source               destination
DROP        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
DROP        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
DROP        all  --  216.244.66.242       0.0.0.0/0
DROP        all  --  110.54.174.83        0.0.0.0/0
DROP        all  --  66.85.133.136        0.0.0.0/0

Chain DENYOUT (1 references)
target      prot opt source               destination
LOGDROPOUT  all  --  0.0.0.0/0            216.244.66.242
LOGDROPOUT  all  --  0.0.0.0/0            110.54.174.83
LOGDROPOUT  all  --  0.0.0.0/0            66.85.133.136
 

hicom

Well-Known Member
May 23, 2003
292
6
168
I can confirm we have the same problem. Our CSF firewall suddenly does not Deny IP addresses. The IP address is not listed in iptables, so I suspect it's something wrong with CSF/LFD Firewall. Tried reinstalling CSF with fresh configs/data files and still the same issue. It has been working fine for many years on this server.

cPanel 96.0.15
CentOS 7 3.10.0-962.3.2.lve1.5.52.el7.x86_64

We were able to resolve it by disabling FASTSTART in the CSF Firewall Configuration option
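
Added example, not part of the thread or of CSF: a shell helper that applies the check ffeingol describes to the text of `iptables -L -n`, separating "the deny rule never reached iptables" (hicom's case) from "the rule is loaded and the chain is referenced" (the listing DevTeam9200 posted). The function name, the result labels and the sample listings (documentation addresses) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify a csf.deny entry from the
# text of `iptables -L -n` on stdin. Result names are this example's own.
csf_deny_triage() {
    awk -v ip="$1" '
        $1 == "Chain" {                 # e.g. "Chain DENYIN (1 references)"
            chain = $2
            if (chain == "DENYIN") {
                seen = 1
                refs = $3; sub(/^\(/, "", refs); refs += 0
            }
            next
        }
        # Rule rows: target prot opt source destination. Compare the source
        # field exactly; grep on a dotted IP also matches longer addresses.
        chain == "DENYIN" && $1 == "DROP" && $2 == "all" && $4 == ip { hit = 1 }
        END {
            if (!seen)          print "no-denyin-chain"      # csf rules not loaded
            else if (!hit)      print "not-in-denyin"        # never reached iptables
            else if (refs == 0) print "denyin-unreferenced"  # nothing jumps to chain
            else                print "rule-present"         # loaded; look past csf
        }'
}

# Constructed sample listings using documentation addresses.
sample_loaded() {
cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
DENYIN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DENYIN (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
DROP       all  --  203.0.113.83         0.0.0.0/0
EOF
}
sample_missing()  { sample_loaded | grep -v '203\.0\.113\.83'; }
sample_orphaned() { sample_loaded | sed -e '/^DENYIN/d' -e 's/(1 references)/(0 references)/'; }

# Demo on the constructed data; on a server: iptables -L -n | csf_deny_triage <ip>
sample_loaded | csf_deny_triage 203.0.113.83
```

A `not-in-denyin` result points at the CSF side, which is where hicom's FASTSTART change applied; `rule-present` means the entry was loaded and the cause has to be looked for after that point.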
 