The Community Forums

Interact with an entire community of cPanel & WHM users!

IP blocked

Discussion in 'Security' started by Skin, Mar 11, 2014.

  1. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    Hello,
    One of my clients is not able to reach his site hosted on a personal VPS (CentOS 6.5, WHM 11.42.0 build 20).

    I've whitelisted their IP address in the CSF firewall, but it worked for a few hours; I've also tried to completely (and temporarily) disable the firewall, but they are still unable to see the site or read their e-mails.

    They can see other sites, and they tried to reach my VPS from different PCs in the same network, but with no luck.

    I asked them to clear the browser cache and flush DNS, but it looks like their IP is still blocked.

    Looking in WHM » Home » Security Center » cPHulk Brute Force Protection, the Login/Brute History Report is completely cleared; there are no entries (this is strange because I receive a lot of daily e-mail alerts).

    So my firewall is not blocking their IP, and their IP is not in cPHulk's Blocked IPs. What can I do?
     
    #1 Skin, Mar 11, 2014
    Last edited: Mar 11, 2014
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    First, you should remove them from the whitelist and be sure your firewall is enabled. You could disable cPHulk for now until you sort this out of course.

    CSF should be alerting you when anyone gets blocked. If it's not CSF blocking them, it might be mod security, but CSF should be alerting you to those as well.

    You might ask them for the IP and check your logs a bit closer for clues.

    If that user's computer is infected, for example, and attempting to do something it's not supposed to be doing, whitelisting them gives them a green light to do whatever. Don't do that.
     
  3. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    Hello, thanks for your reply: I've just removed their IP from the whitelist.

    In csf.syslogs I can find only one report for the IP address:
    Code:
    Mar 10 16:18:47 host2 lfd[13600]: (pop3d) Failed POP3 login from XXX.XXX.XXX.XXX (IT/Italy/hostxxx-xx-static.xx-xxx-b.business.telecomitalia.it): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]
    They simply changed one PC, and maybe they misspelled the e-mail password, but I have no other entries for their IP in csf.syslogs.

    It looks like their IP is not listed by cPHulk; is this the correct method to check?
    Code:
    mysql -e "select * from cphulkd.brutes" | grep XXX.XXX.XXX.XXX
    mysql -e "select * from cphulkd.blacklist" | grep XXX.XXX.XXX.XXX
    
     
    #3 Skin, Mar 11, 2014
    Last edited: Mar 11, 2014
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Modsec will not block IPs in iptables unless you have a custom rule that does so, or you are using CSF with LF_MODSEC enabled.

    I agree with not whitelisting them until you figure out what's going on.

    Just check:
    Code:
    csf -g $IP
    csf -g is csf grep; it'll check any temp blocks and iptables rules. Alternately:

    Code:
    iptables -L -n | grep $IP
    Also check:

    Code:
    grep $IP /var/log/lfd.log
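    The checks in this post, done against saved copies of lfd.log and `iptables -L -n` output so they can be run offline; this is an added example, not code from the thread. The log lines and rules are constructed samples in the 203.0.113.0/24 documentation range, and the lfd.log line format is assumed to be the one quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): exact-match an IP in lfd.log and in
# saved `iptables -L -n` output. A bare `grep 203.0.113.4 file` treats each
# dot as "any character" and also matches 203.0.113.45 or 1203.0.113.4, so
# use -F (literal) and -w (whole word) to avoid false "blocked" results.

ip_lines() {  # usage: ip_lines IP FILE
  grep -F -w -- "$1" "$2"
}

# Trigger names (e.g. LF_POP3D) of csf blocks that lfd recorded for an IP.
# Assumes the lfd.log format quoted above: "... *Blocked in csf* [LF_XXX]".
lfd_triggers() {  # usage: lfd_triggers IP LFD_LOG
  ip_lines "$1" "$2" | grep -F 'Blocked in csf' \
    | sed -n 's/.*\[\(LF_[A-Z0-9_]*\)\].*/\1/p' | sort -u
}

# Number of DROP/REJECT rules naming the IP in saved `iptables -L -n` output.
iptables_rule_count() {  # usage: iptables_rule_count IP RULES_FILE
  ip_lines "$1" "$2" | grep -c -E 'DROP|REJECT' || true
}

# Constructed sample data (documentation IPs, invalid hostname). Note the
# near-miss pair 203.0.113.45 / 203.0.113.4 that a naive grep would confuse.
LFD_LOG=$(mktemp); RULES=$(mktemp)
cat >"$LFD_LOG" <<'EOF'
Mar 10 16:18:47 host2 lfd[13600]: (pop3d) Failed POP3 login from 203.0.113.45 (IT/Italy/host-example.invalid): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]
Mar 10 16:20:01 host2 lfd[13600]: (sshd) Failed SSH login from 203.0.113.4 (-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
EOF
cat >"$RULES" <<'EOF'
Chain DENYIN (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.4          0.0.0.0/0
EOF

# Stand-alone usage: the POP3 block is found for .45, but .45 has no iptables
# rule; only .4 is still present in the DENYIN chain.
echo "lfd triggers for 203.0.113.45: $(lfd_triggers 203.0.113.45 "$LFD_LOG")"
echo "iptables rules for 203.0.113.45: $(iptables_rule_count 203.0.113.45 "$RULES")"
echo "iptables rules for 203.0.113.4:  $(iptables_rule_count 203.0.113.4 "$RULES")"
```

    On a live server, replace the two temp files with /var/log/lfd.log and the output of `iptables -L -n` (and `csf -g $IP`), which is what this post recommends.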
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Correct, and your point is?
     
  6. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    Hello, the first two commands give no results: actually, in the firewall there aren't any rules regarding the IP address.

    In lfd.log I have an entry:

    Code:
    root@host2 [~]# grep xxx.xx.xx.xxx /var/log/lfd.log
    Mar 10 16:18:47 host2 lfd[13600]: (pop3d) Failed POP3 login from xxx.xx.xx.xx (IT/Italy/hostxxx-xx-static.xx-xxx-b.business.telecomitalia.it): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]
    
    
    It is strange because the IP is still blocked somewhere: they still can't access my VPS, and my hosting providers have checked and ensured that the IP is not blocked anywhere in their ACL.
     
  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Your hosting provider may have missed something.

    As a final check before you go further, try to 'ping' your customer's IP. It may not work (it may time out), but if it's actually blocked in your firewall you'd get something like ping:SENDMSG not permitted.

    Anyway, if you don't at least get "ping:SENDMSG not permitted." then you will have to have your customer do a traceroute toward your IP.

    See if the traceroute makes it to your hosting provider's equipment or not. If it does, provide your host with the full traceroute so they can troubleshoot.
     
  8. Skin

    Skin Well-Known Member

    Joined:
    Feb 3, 2006
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Italy
    My client made a tracert to my VPS: it looks like he is able to reach my hosting provider, but he is blocked somewhere.
     


    #8 Skin, Mar 12, 2014
    Last edited: Mar 12, 2014
  9. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The DIST routers are the last hop before your server itself. It really should be making it to your server. If LiquidWeb was blocking the IP then it would not make it to the DIST router.

    Have the technicians check your firewall config on the server for you, possibly disable / re-enable the firewall.
     
  10. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    My point is that you said "If it's not CSF blocking them, it might be mod security".

    I wanted to clarify that ModSecurity does not block IP addresses in iptables on its own, as your statement made it sound like it could.

    Obviously you know how lf_modsec works, but the wording may have been confusing to someone who does not, that's all :)
     
    #10 quizknows, Mar 12, 2014
    Last edited: Mar 12, 2014