Firewalls keep getting turned off

cannon303

Hi, I'm new to this forum so I hope I'm posting in the right place. I have a dedicated server with WHM and all accounts have cPanel. It is managed hosting. Lately I have found that a number of accounts have experienced a high level of email spam and noticed that cPHulk, CSF firewalls and SpamAssassin were all turned off. I haven't turned them off, so I made sure everything was enabled back the way I want it, only to find later that cPHulk, CSF and SpamAssassin were all turned off again. This has happened 3 times now in the last 3 weeks. I have changed all passwords but to no avail. Can anyone tell me why all my security facilities keep getting disabled? Are there any bugs that have been reported? My tech support say they haven't changed any settings, so who or what could be doing this?

Thanks for your help!
 

cPanelMichael

Administrator
Staff member
Hello,

Do you notice any entries in the /root/.bash_history file or in /usr/local/cpanel/logs/access_log that suggest the firewall was manually disabled by someone with root access to the system?

Thank you.
 

cannon303

Hi, thanks for your reply. I'm on managed hosting and have queried this, and my tech support said that logs were not recording during this period. They have since enabled access logs. I have seen access logs before, so no idea why they would be switched off. Can they be switched off? Sounds strange to me.
 

rpvw


There really should be nothing that deliberately switches off the csf/firewall process.

In case the issue is a technical one (e.g. the processes are being killed due to lack of memory etc.), go to:
WHM >> Service Configuration >> Service Manager
and ensure that lfd, cPHulk Daemon and Apache SpamAssassin are checked in the Enabled and Monitor boxes, and that tailwatchd is enabled.

At least the system will monitor and alert you if a process dies, is killed or has been disabled, and will attempt to restart it.

This is not a substitute for ascertaining what is killing the process in the first place. Be vigilant of your log files as suggested by cPanelMichael for any clues.
 
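Added example (not part of the thread and not cPanel's own code): one way to run the log check suggested above, scanning lines from /root/.bash_history and /usr/local/cpanel/logs/access_log for actions that stop or disable CSF/lfd, cPHulk or SpamAssassin. The keyword lists, the access-log layout and all sample lines are assumptions constructed for illustration; hits are leads for manual review, not proof of who made the change.

```python
import re
from datetime import datetime, timezone

# Keywords that identify each service in a command or URL (assumed spellings).
SERVICES = {"csf": r"csf|lfd", "cphulk": r"cphulk", "spamassassin": r"spamd|spamassassin"}
# Disable indicators: stop/disable/kill verbs, csf -x and csf -f, and the
# enabled=0 / monitored=0 arguments of WHM API 1 configureservice.
DISABLE = re.compile(
    r"(?<![A-Za-z])(stop|disable|p?kill)|\bcsf\s+-[xf](?!\S)|\b(enabled|monitored)=0\b", re.I)
# Assumed common-log layout: client ident user [timestamp] "METHOD URL ...
ACCESS = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+)')

def classify(text):
    """Return the services a line touches, but only if it also looks like a disable."""
    if not DISABLE.search(text):
        return []
    return [name for name, pat in SERVICES.items() if re.search(pat, text, re.I)]

def scan_history(lines):
    """bash writes '#<epoch>' before a command when HISTTIMEFORMAT is set."""
    hits, when = [], None
    for line in map(str.strip, lines):
        if re.fullmatch(r"#\d+", line):
            when = datetime.fromtimestamp(int(line[1:]), timezone.utc).isoformat()
            continue
        hits += [{"when": when, "service": s, "detail": line} for s in classify(line)]
        when = None  # a timestamp applies to the next command only
    return hits

def scan_access_log(lines):
    """Report requests whose URL names one of the services and a disable action."""
    hits = []
    for m in filter(None, map(ACCESS.match, lines)):
        ip, user, when, url = m.groups()
        hits += [{"when": when, "service": s, "detail": f"{user}@{ip} {url}"}
                 for s in classify(url)]
    return hits

# Constructed sample input (not taken from the thread).
SAMPLE_HISTORY = ["#1700000000", "csf -x", "ls -la /etc/csf", "#1700000060",
                  "whmapi1 configureservice service=spamd enabled=0 monitored=0", "csf -r"]
SAMPLE_ACCESS = [
    '203.0.113.7 - root [11/14/2023:22:20:01 -0000] "GET /cpsess0000000000/json-api/'
    'disable_cphulk?api.version=1 HTTP/1.1" 200 0 "-" "-" "s" "-" 2087',
    '203.0.113.7 - root [11/14/2023:22:21:09 -0000] "GET /cpsess0000000000/ HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY) + scan_access_log(SAMPLE_ACCESS):
        print(hit)
```

On a real server, pass the opened files themselves to `scan_history` and `scan_access_log`; history entries without a `#<epoch>` line simply report `when` as `None`.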