IP blocked according to logs, but not CSF

Bashed

Well-Known Member
Dec 18, 2013
cPanel Access Level
Root Administrator
So I have CSF installed but cPHulk disabled. For some reason, a user can't log into FTP, but I was able to. CSF was not blocking his IP either. Then I checked /var/log/messages and I see the following. It looks like his IP was blocked, even though it is not listed in csf.deny. Where and how is my question. I'm not using any other firewall except CSF. After I whitelisted his IP via the csf -a #ipaddress command he was able to log into FTP.

Code:
Jun 23 17:59:01 server pure-ftpd: ([email protected]) [INFO] Timeout
Jun 23 18:04:05 server pure-ftpd: ([email protected]) [INFO] New connection from xxx.xxx.197.170
Jun 23 18:04:06 server pure-ftpd: ([email protected]) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
Jun 23 18:04:07 server pure-ftpd: ([email protected]) [INFO] inst is now logged in
Jun 23 18:04:08 server kernel: [1931243.372500] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=xxx.xxx.197.170 DST=xxx.142.11.84 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=405 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 23 18:04:11 server kernel: [1931246.370306] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=xxx.xxx.197.170 DST=xxx.142.11.84 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=695 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 23 18:04:17 server kernel: [1931252.459823] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=xxx.xxx.197.170 DST=xxx.142.11.84 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=1434 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
If cPHulk blocks the IP in iptables you wouldn't see it in csf.deny. CSF is just a more user-friendly interface for iptables, but iptables rules can exist that it doesn't manage. Normally, if you have permanent iptables rules configured outside of csf, there are scripts/files for that in csf to add those rules so that restarting it does not clear them out.

In short when you used csf -a it knew to remove the deny rule even though something else created it. A better way to check if an IP is blocked (rather than looking in csf.deny) is to use csf's own command "csf -g $IP" which will check the iptables rules for you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
After I whitelisted his IP via csf -a #ipaddress command he was able to log into FTP.
Hello :)

This indicates CSF was the culprit. You may want to search the CSF log for this IP address to see if it was blocked in the past:

Code:
grep 'IP-Address' /var/log/lfd.log
Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Michael, csf -a $IP will clear up an IP whether or not it was CSF that blocked it to begin with. All that indicates is that -something- added an iptables rule for it, not necessarily csf. It could have been cphulk (the most likely culprit) or anything else that added the iptables rule.

For example, csf -g $IP will show current iptables rules for an IP even if CSF did not add those rules. If OP checked csf.deny and csf -t (temp blocks) and it was not csf blocking the IP, csf -a would still remove the block and allow the IP address through the firewall.
 
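The kernel lines in the first post carry the source address, the CSF chain and the destination port of each dropped packet. As an added example (not code from the thread or from CSF), this Python helper pulls those `Firewall: *TCP_IN Blocked*` entries out of a /var/log/messages excerpt and tallies them per source, protocol and destination port, so each hit can be checked with `csf -g $IP` as suggested above. The sample log is constructed, with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample, modelled on the /var/log/messages excerpt in the thread.
# Addresses are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
Jun 23 18:04:07 server pure-ftpd: (?@203.0.113.170) [INFO] inst is now logged in
Jun 23 18:04:08 server kernel: [1931243.372500] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=203.0.113.170 DST=198.51.100.84 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=405 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 23 18:04:11 server kernel: [1931246.370306] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=203.0.113.170 DST=198.51.100.84 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=695 DF PROTO=TCP SPT=62850 DPT=61380 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 23 18:05:02 server kernel: [1931300.100000] Firewall: *UDP_IN Blocked* IN=em1 OUT= MAC=18:03:73:f2:2d:6a:00:12:01:db:f6:5e:08:00 SRC=192.0.2.7 DST=198.51.100.84 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

# CSF logs dropped packets through an iptables LOG rule with a "Firewall: *<CHAIN> Blocked*"
# prefix, followed by the kernel's KEY=VALUE packet fields.
FW_RE = re.compile(r"Firewall: \*(?P<chain>[A-Z_]+) Blocked\* (?P<fields>.*)$")

def parse_firewall_blocks(log_text):
    """Return one dict per blocked-packet line: syslog timestamp, CSF chain, packet fields."""
    entries = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue  # pure-ftpd, cron and other lines are not firewall drops
        fields = {"timestamp": line[:15], "chain": m.group("chain")}
        for token in m.group("fields").split():
            key, sep, value = token.partition("=")
            if sep:  # bare flags such as "DF" or "SYN" carry no value
                fields[key] = value
        entries.append(fields)
    return entries

def summarize_blocks(log_text):
    """Tally blocked packets per (source IP, protocol, destination port)."""
    counts = Counter()
    for f in parse_firewall_blocks(log_text):
        counts[(f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts

def blocks_for_ip(log_text, ip):
    """All drop entries for one source address, e.g. the user who cannot connect."""
    return [f for f in parse_firewall_blocks(log_text) if f.get("SRC") == ip]

if __name__ == "__main__":
    for (src, proto, dport), n in summarize_blocks(SAMPLE_LOG).most_common():
        # The destination port is what to compare against TCP_IN/UDP_IN in csf.conf;
        # "csf -g <src>" then shows which iptables rule is actually matching.
        print(f"{src:<16} {proto:<4} dpt={dport:<6} blocked {n}x  -> csf -g {src}")
```

Note that in the thread's own lines the blocked destination port is 61380, not 21, so the port column is worth comparing against the TCP_IN list in csf.conf as well as against csf.deny and `csf -t`.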

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I'm running the usual default CentOS 6.6 64-bit O/S with cPanel and CSF. First time this has ever happened.
Is "Block IP addresses at the firewall level if they trigger brute force protection" enabled via "WHM Home » Security Center » cPHulk Brute Force Protection" on this system?

Thank you.