
Customer's IP is blocked by server

Discussion in 'General Discussion' started by bmcpanel, Mar 27, 2007.

  1. bmcpanel

    WHM 11.0.0 cPanel 11.1-E381
    REDHAT Enterprise 4 i686 - WHM X v3.1.0
    Kernel: 2.6.9-42.0.10.EL

    I have a customer who is being blocked from reaching one of my servers. I run the CSF/LFD firewall, but apparently, the firewall is not blocking him. I have even whitelisted him in the firewall, but he is still blocked.

    I used the delete command to remove the IP from route just in case, but the IP was not found so that is not the issue....

    /sbin/route delete -host x.x.x.x

    I checked to see if his IP was blocked in one of the RBL lists that CSF uses, but his IP is clear, so that is also not the problem.

    The logs show no instance of his IP at all, so he is not getting to the server. /var/log/lfd.log shows no instance of his IP at all.

    I have rebooted the server. However, he still cannot access. He CAN access other servers we have with EV1/The Planet, so the problem seems localized on this server. Other people can access this server also.

    Can anyone offer any suggestion as to what else might be going on? This has me perplexed. :(
     
  2. dgbaker

    Are you running DDOS or spddos? If so, they may be the ones blocking it. SPDDOS keeps the IPs in a tmplist file in /usr/local/spddos.
     
  3. Spiral

    You have been making the assumption that your server is blocking the customer
    but it is just as likely that the customer's own computer at home is blocking him
    from reaching your server.

    It's actually fairly easy to accidentally block yourself with most firewall applications ...

    If the customer has a firewall running (even the ones built into XP or Vista) and
    attempts to upload files to his hosting account with you by FTP, his own firewall
    could incorrectly misinterpret the outbound FTP connection as an incoming
    hacker attack and block the IP to your server locally if the customer fails to
    put his FTP client program into PASSIVE MODE before making the connection.

    At this point, the customer will no longer be able to access your server until
    he either disables his firewall on his computer or clears the IP block out of it.
     
  4. bmcpanel

    No, not running either of those.
     
  5. bmcpanel

    He says he tested it with his firewall off. It is not his firewall.
     
  6. dgbaker

    There is a chance it's not his IP that is blocked, but one of the IPs en route to you.

    Get a traceroute from him, and do one from your server.

    The other option is to dump your firewall's deny file and see if it then works; then you know it is an IP in the deny file and you can then hopefully figure out which one it is.
     
  7. bmcpanel

    I believe you may have something there. I will study the trace routes to and from and let you know.
     
  8. bmcpanel

    Traceroute seems fine but dies in the EV1 network.

    17 389 ms 371 ms 370 ms ivhou-207-218-245-29.ev1servers.net [207.218.245.29]

    18 406 ms 386 ms 372 ms ivhou-207-218-223-106.ev1servers.net [207.218.223.106]

    19 * * * Request timed out.

    20 * * * Request timed out.
     
  9. jayh38

    That looks fine. Not all servers will allow pings and such to prevent malicious activity.

    See if he can ping your server directly from his command line. If not, see if he can access other servers at EV1. Perhaps someone may know this: EV1 may manage their own in-house blacklist. You could also check with them to find out. I had the same problem with a client and my DC did in fact manage their own blacklist. Someone from their provider was not playing nice.
     
  10. bmcpanel

    Interesting... the client can now see his site in a web browser, but is unable to POP his email still... I did find this in the /var/log/messages log file when I did a search on his IP ...

    Mar 26 01:19:26 ns or connections: warning: /etc/hosts.allow, line 8: can't verify hostname: getaddrinfo(251-111-251-111.dyn.ver.customerisp.net, AF_INET) failed

    (Looks like our server cannot do a DNS lookup on his IP???)
     
  11. bmcpanel

    Mar 29 17:17:21 ns or connections: warning: /etc/hosts.allow, line 8: can't verify hostname: getaddrinfo(client-247.155.103.233.example.net, AF_INET) failed

    In reference to the /etc/hosts.allow being mentioned in the /var/log/messages file, I have never noticed such a thing in my logs before. So, I opened up both /etc/hosts.allow and /etc/hosts.deny. In hosts.allow, their IP was not listed there as allowed; however, in hosts.deny, I have it listed as blank with no rules there, so they were not being blocked by any type of rules in the deny file. So, I don't know why the hosts.allow has come into play here....

    Anyway, since /etc/hosts.allow was being referenced as an error in the log, I thought I would add them in the file as accepted just to see what happens.... so, in /etc/hosts.allow, I entered....

    ALL: .example.net

    (Note, I opened up the access just a bit in case they have a dynamic IP)

    Anyway, this did stop the /etc/hosts.allow error, but the customer still cannot access the server. But now, I am getting a different error....

    Mar 29 17:49:51 ns kernel: martian source 99.100.99.100 from 247.155.103.233, on dev eth0
    Mar 29 17:49:51 ns kernel: ll header: 00:11:dc:dd:00:30:00:0b:db:6a:89:50:07:00

    I read a bit about Martian Source errors, found out it was kernel related. Someone suggested the customer do a traceroute again - which he did. I noticed right away that their LOCAL IP was listed in the beginning of the traceroute which, I believe, is a protocol violation concerning their ISP or router...

    Ex. Trace
    Quote:
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settingsy>tracert myserver.com

    Tracing route to hostsonic.com [207.44.111.111]
    over a maximum of 30 hops:

    1 3 ms 1 ms 1 ms 192.168.1.1
    2 8 ms 7 ms 7 ms 209-102-172-1.customerisp.net [219.112.172.1]
    3 9 ms 7 ms 7 ms 216-166-216-137.customerisp.net [206.136.216.137]
    4 46 ms 47 ms 45 ms atlnga-host-jum160-01.madison.net [166.79.54.253]
    5 47 ms 46 ms 46 ms border3.g3-2.madison-3.ext1.dal.pnap.net [216.152.189.137]
    6 49 ms 45 ms 45 ms core2.tge5-1-bbnet1.ext1.dal.pnap.net [216.152.119.133]
    7 45 ms 46 ms 45 ms ge-2-2.r03.dllstx09.us.bb.gin.ntt.net [157.238.224.5]
    8 46 ms 49 ms 46 ms xe-2-0-0.r21.dllstx09.us.bb.gin.ntt.net [139.250.3.225]
    9 51 ms 50 ms 51 ms p64-1-1-0.r21.hstntx01.us.bb.gin.ntt.net [129.250.40.69]
    10 50 ms 51 ms 54 ms xe-4-1.r04.hstntx01.us.bb.gin.ntt.net [129.230.2.231]
    11 53 ms 53 ms 54 ms ge-0.ev1.hstntx01.us.bb.gin.ntt.net [129.230.10.66]
    12 51 ms 53 ms 51 ms ivhou-207-218-245-177.ev1servers.net [207.218.245.177]
    13 60 ms 51 ms 59 ms ivhou-207-218-223-177.ev1servers.net [207.218.223.177]
    14 * * * Request timed out.
    C:\Documents and Settings>

    It appears that this points to a problem with the client's ISP or router?
    http://www.freesoft.org/CIE/RFC/1812/123.htm

    Does anyone have any suggestions for me on how to resolve this issue?
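
Added example, not part of the original thread: a small Python triage script for the two log signatures quoted in the post above, the TCP wrappers "can't verify hostname" warning and the kernel "martian source" / "ll header" pair. It splits the 14-byte link-layer header into destination MAC, source MAC and EtherType; the sample log lines, daemon name, addresses and MACs are constructed.

```python
import re

# Constructed sample in the syslog format quoted in the thread. The addresses
# (RFC 5737 ranges), hostname, daemon name and MACs are made up for illustration.
SAMPLE_LOG = """\
Mar 29 17:17:21 ns sshd[411]: warning: /etc/hosts.allow, line 8: can't verify hostname: getaddrinfo(client-25.example.net, AF_INET) failed
Mar 29 17:49:51 ns kernel: martian source 198.51.100.10 from 203.0.113.25, on dev eth0
Mar 29 17:49:51 ns kernel: ll header: 02:00:00:aa:bb:01:02:00:00:cc:dd:02:08:00
Mar 29 17:50:07 ns kernel: martian source 198.51.100.10 from 192.0.2.77, on dev eth0
Mar 29 17:50:07 ns kernel: ll header: 02:00:00:aa:bb:01:02:00:00:cc:dd:02:08:00
"""

WRAP_RE = re.compile(r"warning: (\S+), line (\d+): can't verify hostname: "
                     r"getaddrinfo\(([^,]+), AF_INET\) failed")
MARTIAN_RE = re.compile(r"kernel: martian source (\S+) from (\S+), on dev (\S+)")
LL_RE = re.compile(r"kernel: ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s*$")


def parse_log(text):
    """Return (wrapper_failures, martians) found in syslog text."""
    wrappers, martians = [], []
    for line in text.splitlines():
        if m := WRAP_RE.search(line):
            wrappers.append({"file": m[1], "rule_line": int(m[2]), "hostname": m[3]})
        elif m := MARTIAN_RE.search(line):
            # The kernel prints the packet's destination first, then its source.
            martians.append({"dst": m[1], "src": m[2], "dev": m[3]})
        elif (m := LL_RE.search(line)) and martians and "src_mac" not in martians[-1]:
            b = m[1].split(":")  # 14-byte Ethernet header: dst MAC, src MAC, EtherType
            martians[-1].update(dst_mac=":".join(b[:6]), src_mac=":".join(b[6:12]),
                                ethertype="0x" + "".join(b[12:]))
    return wrappers, martians


def summarize(text, client_ip):
    """Summarise what the log says about one client IP."""
    wrappers, martians = parse_log(text)
    hits = [m for m in martians if m["src"] == client_ip]
    return {
        # access-control file and rule line named in each failed hostname lookup
        "wrapper_rules": sorted({(w["file"], w["rule_line"]) for w in wrappers}),
        "martian_count": len(hits),
        # MAC of the adjacent device that put the rejected frames on the wire
        "delivered_by": sorted({m.get("src_mac", "unknown") for m in hits}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "203.0.113.25"))
```

The source MAC in the `ll header` line identifies the directly attached device (normally the upstream gateway) that delivered the frame, which shows the packet reached the interface and was dropped by the kernel's source-address check.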
     
  12. bmcpanel

    Good advice. This doesn't seem to be a blacklist issue by the data center as the customer can reach other servers on the same network. So, they are getting through to the network, just not to this one particular server. It is perplexing.
     