IP being blocked in firewall - not showing up in lfd.log

markhubert

So something on my network is triggering a permanent block on our server. I've searched all the logs in csf.syslog as well as cPHulk tools and there's no sign of our public IP.

I do a Quick Unblock of the IP via my cell data network (and get confirmation that the IP was in the permanent block rules).

Any suggestions on where else to look to see what's triggering this would be greatly appreciated.

Mark
 

markhubert

Yes, that's what I thought. As stated above, searching that log, the IP in question does not show up.
 

GOT

You hadn't mentioned lfd.log specifically which is why I mentioned it.

If it's blocked again, before you unblock it, look at the /etc/csf/csf.deny file as the reason will generally be stuck in there as a comment as well.
 
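An added example, not code from any poster in this thread: a small Python check of a csf.deny file for every entry that covers a given IP, printing the reason comment attached to it. It also matches CIDR ranges and advanced-filter entries, which a plain text search for the IP would miss. The function name and the sample lines are constructed for illustration, and the layout (rule, then `# reason`) is assumed from the post above.

```python
import ipaddress
import re
import sys

# Constructed sample lines in the assumed csf.deny layout: rule, then "# reason".
SAMPLE_DENY = """\
# constructed sample, not real data
203.0.113.45 # lfd: (smtpauth) Failed SMTP AUTH login from 203.0.113.45: 5 in the last 3600 secs
198.51.100.0/24 # Manually denied: 198.51.100.0/24 - constructed timestamp
tcp|in|d=25|s=192.0.2.10 # do not delete
"""

def find_deny_reasons(deny_text, ip):
    """Return (line number, rule, reason) for every entry that covers ip."""
    target = ipaddress.ip_address(ip)
    hits = []
    for lineno, raw in enumerate(deny_text.splitlines(), 1):
        rule, _, comment = raw.partition("#")
        rule = rule.strip()
        if not rule:
            continue  # blank line or comment-only line
        # Split advanced-filter rules (proto|dir|d=port|s=ip) into tokens
        # and test each token that parses as an address or network.
        for token in re.split(r"[|=\s]+", rule):
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # "tcp", "in", port numbers, etc.
            if net.version == target.version and target in net:
                hits.append((lineno, rule, comment.strip() or "(no comment)"))
                break
    return hits

if __name__ == "__main__":
    # Usage: script.py <ip> [path]; falls back to the constructed sample.
    ip = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.77"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_DENY
    for lineno, rule, reason in find_deny_reasons(text, ip):
        print(f"line {lineno}: {rule}\n  reason: {reason}")
```

Run it against /etc/csf/csf.deny before unblocking, since removing the entry also removes the comment.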

cPanelMichael

Hello @markhubert,

Let us know if the information in the previous post helps.

Thank you.
 

easy-hosting

We are getting the same issue on our cPanel server. One of our customers (a Reseller) is travelling around Asia and using ExpressVPN. For some reason half the time he is unable to access his services with us. 2 out of the 4 IP Addresses weren't able to connect and nothing was getting logged anywhere on our server for them (as in no connection attempt was made). The other 2 were connecting successfully.

Now the same thing appears to be happening for one of his clients on 2 separate IP Addresses. There is nothing in the logs showing that they even tried to connect and nothing showing they had been blocked.

Gone through the logs for the system, cPanel, CSF/LFD, cPHulk and Mod Security.

Any suggestions on what else to check, or what the issue could be would be greatly appreciated.
 

rpvw

Are the connections being attempted using the IP address or a domain name?

If they used the IP address, I would have expected to see it making a connection attempt; assuming there were no network issues preventing the connection request reaching your server.

If they use a domain name request, this obviously relies on a DNS response which complicates the connection.

A consideration may be that a/the carrier is blocking access for some reason - maybe they experienced something that caused the IP to be placed on a blocklist or maybe the VPN is not performing as they expect it to, or perhaps there is a QOS policy interfering with the connection.

Since you are seeing nothing at your end, I suspect you will only get to the bottom of this if the connecting computer can run or access some software that will produce hard data as to what is happening from their end.

You might also try and enlist the cooperation of the data centre operations where your server is located. They should have much more access, and advanced resources, to trace connection attempts to your server travelling through their network infrastructure.