IP blocked according to logs, but not CSF

Discussion in 'Security' started by Bashed, Jun 23, 2015.

  1. Bashed

    Bashed Well-Known Member

    cPanel Access Level:
    Root Administrator
    So I have CSF installed but cPHulk disabled. For some reason, a user can't log into FTP, but I was able to. CSF was not blocking his IP either. Then I checked /var/log/messages and I see the below. It looks like his IP was blocked, even though it is not listed in csf.deny. Where and how is my question. I'm not using any other firewall except CSF. After I whitelisted his IP via the csf -a #ipaddress command he was able to log into FTP.

    Code:
    Jun 23 17:59:01 server pure-ftpd: (inst@xxx.xxx.197.170) [INFO] Timeout
    Jun 23 18:04:05 server pure-ftpd: (?@xxx.xxx.197.170) [INFO] New connection from xxx.xxx.197.170
    Jun 23 18:04:06 server pure-ftpd: (?@xxx.xxx.197.170) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
    Jun 23 18:04:07 server pure-ftpd: (?@xxx.xxx.197.170) [INFO] inst is now logged in
    Jun 23 18:04:08 server kernel: [1931243.372500] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=xxx.xxx.197.170 DST=xxx.142.11.84 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=405 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
    Jun 23 18:04:11 server kernel: [1931246.370306] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=xxx.xxx.197.170 DST=xxx.142.11.84 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=695 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
    Jun 23 18:04:17 server kernel: [1931252.459823] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=xxx.xxx.197.170 DST=xxx.142.11.84 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=1434 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0 
     
  2. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    If cPHulk blocks the IP in iptables, you wouldn't see it in csf.deny. CSF is just a more user-friendly interface for iptables, but iptables rules can exist that it doesn't manage. Normally, if you have permanent iptables rules configured outside of CSF, there are scripts/files in CSF to add those rules so that restarting it does not clear them out.

    In short when you used csf -a it knew to remove the deny rule even though something else created it. A better way to check if an IP is blocked (rather than looking in csf.deny) is to use csf's own command "csf -g $IP" which will check the iptables rules for you.
     
    #2 quizknows, Jun 23, 2015
    Last edited: Jun 23, 2015
  3. Bashed

    Bashed Well-Known Member

    cPanel Access Level:
    Root Administrator
    I'm running the usual default CentOS 6.6 64-bit OS with cPanel and CSF. First time this has ever happened.
     
  4. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    The update for cPHulk to ban in iptables rather than just disallow logins is pretty recent.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    This indicates CSF was the culprit. You may want to search the CSF log for this IP address to see if it was blocked in the past:

    Code:
    grep 'IP-Address' /var/log/lfd.log
    Thank you.
     
  6. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    Michael, csf -a $IP will clear up an IP whether or not it was CSF that blocked it to begin with. All that indicates is that -something- added an iptables rule for it, not necessarily CSF. It could have been cPHulk (the most likely culprit) or anything else that added the iptables rule.

    For example, csf -g $IP will show current iptables rules for an IP even if CSF did not add those rules. If OP checked csf.deny and csf -t (temp blocks) and it was not csf blocking the IP, csf -a would still remove the block and allow the IP address through the firewall.
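The kernel "Firewall: *TCP_IN Blocked*" lines from the first post and the csf -g / csf -t / lfd.log checks discussed above, turned into a small log parser. This is an added example, not code from the thread, from CSF or from cPanel; the sample lines are constructed from the posted excerpt with the masked addresses replaced by RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the /var/log/messages excerpt in this thread
# (203.0.113.x / 198.51.100.x / 192.0.2.x are documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jun 23 18:04:07 server pure-ftpd: (?@203.0.113.170) [INFO] inst is now logged in
Jun 23 18:04:08 server kernel: [1931243.372500] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=203.0.113.170 DST=198.51.100.84 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=405 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 23 18:04:11 server kernel: [1931246.370306] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=203.0.113.170 DST=198.51.100.84 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=695 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 23 18:05:30 server kernel: [1931331.100000] Firewall: *UDP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=192.0.2.9 DST=198.51.100.84 LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=5353 DPT=5353
"""

# Everything after the "Firewall: *X_IN Blocked*" prefix is KEY=VALUE pairs, plus bare
# flags such as DF and SYN that carry no "=" and are skipped by the parser below.
FW_RE = re.compile(r"Firewall: \*(?P<chain>[A-Z_]+) Blocked\*(?P<fields>.*)$")


def parse_firewall_line(line):
    """Return a dict for a '*X_IN Blocked*' kernel line, or None for any other line."""
    m = FW_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "chain": m.group("chain"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def blocked_summary(log_text):
    """Count blocked packets per (source IP, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_firewall_line(line)
        if rec and rec["src"]:
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts


def verification_commands(ip):
    """The checks from this thread that show what is actually holding a block for an IP."""
    return [
        f"csf -g {ip}",                    # live iptables rules for the IP, whoever added them
        f"grep '{ip}' /etc/csf/csf.deny",  # permanent CSF blocks
        "csf -t",                          # temporary CSF blocks
        f"grep '{ip}' /var/log/lfd.log",   # lfd's own block history
    ]
```

Running blocked_summary over the real /var/log/messages shows which source, protocol and destination port the drops hit; in the posted excerpt the FTP login on the control port succeeded and the drops are for a different destination port, which is the kind of detail worth having before deciding which tool added the rule.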
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Is "Block IP addresses at the firewall level if they trigger brute force protection" enabled via "WHM Home » Security Center » cPHulk Brute Force Protection" on this system?

    Thank you.
     