CSF no longer blocking IP Address after WHM update 98.0.6

[DevTeam9200]

Hi Team,

I just noticed IP addresses in /etc/csf/csf.deny are not being blocked any more since WHM update 98.0.6 I am aware this may be a CSF issue but wanted to share. I thought at first this was just one server but i have checked on 11 servers and all are having same issue.

1. whm1 - cloudlinux - no cloudflare - no engintron = /etc/csf/csf.deny ip address added manually $csf -d x.x.x.x. and it does not block ip address. IP can still see all websites on server and continue to spam.

2. whm2 - litespeed enterpise - Cloudflare = = /etc/csf/csf.deny ip address added manually $csf -d x.x.x.x. and it does not block ip address. IP can still see all websites on server and continue to spam.

3. whm + engintron + cloudflare = same no working.

Common thing is they are all recently on whm v98.0.6 and csf no longer blocks ip addresses.

It how ever does block Ports fine. Example port 80 or 443 can be blocked and works.

I would love any assistance from anyone out there! How to troubleshoot such an issue here?

I notice this may be CSF related but I want to see if any one else can replicate this issue as well?

Oh and csf version

[[email protected] ~]# csf -v
csf: v14.10 (cPanel)
[[email protected] ~]#


Also posted this on CSF Website Forum but they are very slow and in responsive.

 

[cPRex]

Hey there! To test this on my end, I did the following:

-removed my IP address from the csf.allow file
-ran the "csf -d x.x.x.x" command to block the IP
-confirmed in the output that traffic was dropped

At this point I could still visit all the sites on my server, so I have confirmed the issue.

You'll definitely want to reach out to CSF about this behavior at they may have a more widespread issue happening, but there isn't anything in WHM that would affect this.

 

[quietFinn]

I tested this and blocking worked as expected, Centos 7.9 kvm, WHM 98.0.6, csf 14.10

 

[DevTeam9200]

0
[/QUOTE]

Hey there! To test this on my end, I did the following:

-removed my IP address from the csf.allow file
-ran the "csf -d x.x.x.x" command to block the IP
-confirmed in the output that traffic was dropped

At this point I could still visit all the sites on my server, so I have confirmed the issue.

You'll definitely want to reach out to CSF about this behavior at they may have a more widespread issue happening, but there isn't anything in WHM that would affect this.

I have tried reaching out to CSF and they do not even want to recognise it as a bug and moved to general discussion and no response their forums are quite disappointing compared to their product is usually a good one .

There is definitely an issue here and definitely not isolated as we can both replicate on various different testing .

where to from here is the question? Ditch csf ? I guess when will cPanel include a goood firewall as part of WHM

 

[cPRex]

We have no plans to include a firewall at this time, or at least any plans that I am aware of. We try and stay hands-off with that area of the server.

I would guess CSF will reply at some point, but I'm doing some additional testing on my end as well.

 

[DevTeam9200]

I tested this and blocking worked as expected, Centos 7.9 kvm, WHM 98.0.6, csf 14.10

Hi Finn, weird worked for you. Are you sure you doing same testing we did? Ie testing blocking of IP from being able to view the websites .

ie add ip to csf.deny then view a website running on server you will see it’s not blocked . Can still view website on http or https .

Cheers

 

[DevTeam9200]

We have no plans to include a firewall at this time, or at least any plans that I am aware of. We try and stay hands-off with that area of the server.

I would guess CSF will reply at some point, but I'm doing some additional testing on my end as well.

Thanks @cPRex ! Yeah I am sure they will respond if they acknowledge the bug firstly . But yes understood on the stay away part as well. Was just a thought to make whm all in one.

please do keep me posted on any updates on this one if you find anything or get a different outcome. As I said I tried on many of our servers and Clients servers and replicated it on many .

I will also update if we get any update from csf forum on post here :

CSF no longer blocking IP Address WHM v98.0.6 - ConfigServer Community Forum

 

[quietFinn]

Hi Finn, weird worked for you. Are you sure you doing same testing we did? Ie testing blocking of IP from being able to view the websites .

ie add ip to csf.deny then view a website running on server you will see it’s not blocked . Can still view website on http or https .

Cheers

I added my own IP:
csf -d xxx.xxx.xxx.xxx
After that I could not connect to a site in that server.

Then I removed that block line in /etc/csf/csf.deny (from a laptop using another IP), and ran:
csf -ra
and after that I was able to access that site.

It does not mean that it's not a bug, but it means that it does not affect every server running WHM 98.0.

 

[ffeingol]

Just for curiosity, have you run

iptables -L -n

To see if the IP is in the DENYIN/DENYOUT chains? To figure out where the issue is you have to see if it's being added to the chain (CSF issue) or if it is added, but not working, then it's possibly an iptables issue?

 

[DevTeam9200]

Just for curiosity, have you run

iptables -L -n

To see if the IP is in the DENYIN/DENYOUT chains? To figure out where the issue is you have to see if it's being added to the chain (CSF issue) or if it is added, but not working, then it's possibly an iptables issue?

Hi ffeindgol,
Thanks for the reply and additional tips to check That a was a great idea. Thanks.

FYI the IP Address I used was on a test 4g phone: 110.54.174.83

Also to add:

[[email protected] ~]# iptables --version
iptables v1.4.21
[[email protected] ~]#


[[email protected] ~]# iptables -L -n | grep '110.54.174.83'
DROP all -- 110.54.174.83 0.0.0.0/0
LOGDROPOUT all -- 0.0.0.0/0 110.54.174.83
[[email protected] ~]#

The above is from below snippet . FYI the DROP 0.0.0.0 for ports 8080 and 8443 are for Engintron. I suspected this may be causing issue but have tested on another server without Engintron and was able to replicate as was @cPRex so I assumed not relevant in the equation here.

Chain DENYIN (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
DROP all -- 216.244.66.242 0.0.0.0/0
DROP all -- 110.54.174.83 0.0.0.0/0
DROP all -- 66.85.133.136 0.0.0.0/0

Chain DENYOUT (1 references)
target prot opt source destination
LOGDROPOUT all -- 0.0.0.0/0 216.244.66.242
LOGDROPOUT all -- 0.0.0.0/0 110.54.174.83
LOGDROPOUT all -- 0.0.0.0/0 66.85.133.136

 

[hicom]

I can confirm we have the same problem. Our CSF firewall suddenly does not Deny IP addresses. The IP address is not listed in iptables , so I suspect its something wrong with CSF/LFD Firewall. Tried reinstalling CSF with fresh configs/data files and still the same issue. It has been working fine for many years on this server.

cPanel 96.0.15
CentOS 7 3.10.0-962.3.2.lve1.5.52.el7.x86_64

We were able to resolve it by disabling FASTSTART in the CSF Firewall Configuration option

 

[zstergios]

I think same issue here.
Strange things happens after update.

I have many servers.
From server A i ping to server B and unable to connect. I temporary whitelist the serverIP_A to B, and works, but is NOT blocked. I search on csf and iptables. Only if I whitelist the IP works. This cause me issues with many scripts etc.

Can anyone help me?

 

[cPRex]

@zstergios - it would be best to reach out to CSF directly about this issue. Enough people have run into the problem to confirm that there is something odd happening with CSF.

 

[AladdinJ]

I have same problem , But whm latest Version 106.0.9
and centos 7


how you solved your problem ?

 

[AladdinJ]

I have same problem , But whm latest Version 106.0.9
and centos 7


how you solved your problem ?

I solved my problem by disable firewalld

 

[mtindor]

Hey there! To test this on my end, I did the following:

-removed my IP address from the csf.allow file
-ran the "csf -d x.x.x.x" command to block the IP
-confirmed in the output that traffic was dropped

At this point I could still visit all the sites on my server, so I have confirmed the issue.

You'll definitely want to reach out to CSF about this behavior at they may have a more widespread issue happening, but there isn't anything in WHM that would affect this.

Hmm, wouldn't you have to run "csf -r" after removing your IP address from csf.allow in order for the "active" firewall to stop exempting it and thus allow you to subsequently block it with csf -d x.x.x.x ?



m

 

[cPRex]

@mtindor - that's a good point, but we also don't support CSF so there wouldn't be much we could do on our side for this issue.

 

[mtindor]

@mtindor - that's a good point, but we also don't support CSF so there wouldn't be much we could do on our side for this issue.

I wasn't suggesting anybody at cPanel fix anything. But, if there are people reporting issues, it's important to determine who really has issues. For your test, unless you can confirm (or deny) that removing the IP from csf.allow, then executing "csf -r" and then doing "csf -d x.x.x.x" will properly block your IP like it should, nobody knows if you really have an issue or not. I'm leaning towards nonissue. And if you really don't have an issue, you wouldn't want to be pointing the finger at CSF.

After all, how does it feel every time somebody erroneously points the finger at cPanel in public? Not good I'm sure

M

 

[cPRex]

Yeah, but I'm so used to the finger-pointing by now :D

I did the test again with the "csf -r" step and that works as intended, so this seems like a non-issue at this point.