Firewall configuration file changed?

Discussion in 'Security' started by jazee, Mar 2, 2019.

  1. jazee

    jazee Well-Known Member

    I've been running WHM/cPanel on servers for at least 12 years along with CSF/LFD. Yesterday, all of a sudden, the server wouldn't accept WHM connections on port 2087. I immediately tried bringing it up on my mobile phone to see if for some reason by connecting from my hotel the system had auto-blocked the IP. Nope, it was blocking external access to the port, not IP specific. I had made no config changes on the server WHATSOEVER.
    For the heck of it I moved CSF to a different directory and re-installed. Works fine. But after a while (guessing a couple of hours or so) the csf.conf file is modified and those IP addresses listed in the subject of this thread are removed from the Allow TCP ports.
    Again, I made no changes to anything on the server at any level (iptables, WHM settings, CSF/LFD settings).

    It was the middle of the afternoon so a system update shouldn't have happened.

    This is the ports csf.conf file that csf installs with:
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096"
    TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

    This is what the file changes to by itself an hour or two later without me doing anything:
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,1027,2077,2078,2083,2095,2096,3306"
    TCP_OUT = "20,22,21,25,37,43,53,80,110,113,443,587,873,993,995,1027,2089,2703,3306,2077,2078"

    What could be modifying the port configuration?

    I'm on WHM 78.0.13

    AGAIN.. IT'S NOT AN IP SPECIFIC BLOCK (CSF.DENY file)
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @jazee,

    cPanel & WHM should not modify the /etc/csf/csf.conf file. You could utilize the auditd utility to monitor that file to see what process is modifying it. We offer a tutorial on how to use the auditd utility on the link below:

    Tutorial - Auditd - The Linux Auditing System

    Let me know if this helps.

    Thank you.
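
Added example, not part of the original thread or of cPanel's tutorial: a POSIX shell sketch of the auditd watch suggested in the reply, with a helper that diffs the two port lists quoted in the first post. The audit key and the function names are labels chosen here; the port lists are copied from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the audit key are
# labels chosen here; the port lists are copied from the first post.

CONF=/etc/csf/csf.conf      # file named in the reply
KEY=csf_conf_watch          # arbitrary audit key (assumption)

# Run as root: log every write or attribute change to the file.
watch_csf_conf() { auditctl -w "$CONF" -p wa -k "$KEY"; }

# Run as root after the next change: lists the events recorded under the key,
# including the executable, pid and login uid of whatever wrote the file.
who_changed_csf_conf() { ausearch -k "$KEY" -i; }

# Print the quoted value of setting $1 (e.g. TCP_IN) from file $2.
get_setting() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Ports in comma-separated list $1 that are missing from list $2.
ports_only_in() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$p,"*) ;;                 # exact match between commas
            *) printf '%s\n' "$p" ;;
        esac
    done | sort -n | paste -s -d, -
}

# Values quoted in the post: as installed, then after the unexplained change.
TCP_IN_INSTALLED="20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096"
TCP_IN_CHANGED="20,21,22,25,53,80,110,143,443,465,587,993,995,1027,2077,2078,2083,2095,2096,3306"
TCP_OUT_INSTALLED="20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"
TCP_OUT_CHANGED="20,22,21,25,37,43,53,80,110,113,443,587,873,993,995,1027,2089,2703,3306,2077,2078"

report() {
    echo "TCP_IN  closed: $(ports_only_in "$TCP_IN_INSTALLED" "$TCP_IN_CHANGED")"
    echo "TCP_IN  opened: $(ports_only_in "$TCP_IN_CHANGED" "$TCP_IN_INSTALLED")"
    echo "TCP_OUT closed: $(ports_only_in "$TCP_OUT_INSTALLED" "$TCP_OUT_CHANGED")"
    echo "TCP_OUT opened: $(ports_only_in "$TCP_OUT_CHANGED" "$TCP_OUT_INSTALLED")"
}
report
```

To compare a saved copy against the live file, pass `get_setting TCP_IN <file>` for each copy into `ports_only_in`; the two auditd functions are defined but not called, since they need root and a running auditd.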
     