IP blocked

[Skin]

Hello,
one of my clients is not able to reach his site hosted on a personal vps ( CENTOS 6.5 WHM 11.42.0 build 20)

I've white listed their ip address in csf firewall, but it worked for a few hours; I've also tried to completely ( and temporarily ) disable the firewall, but they still are unable to see the site or read their e-mails.

They can see other sites and they tried to reach my vps from different pc in the same network but with no luck.

I asked them to clear the browser cache and flush dns but looks like their ip is still blocked.

Looking in WHM » Home »Security Center »cPHulk Brute Force Protection Login/Brute History Report is completely cleared, there are not entries ( this is strange because I receive a lot of daily e-mail alerts ).

So my firewall is not blocking their ip and their ip is not in cPHulk Blocked IPs, what can I do?

 

[Infopro]

First, you should remove them from the whitelist and be sure your firewall is enabled. You could disable cPHulk for now until you sort this out of course.

CSF should be alerting you when anyone gets blocked. If it's not CSF blocking them, it might be mod security, but CSF should be alerting you to those as well.

You might ask them for the IP and check your logs a bit closer for clues.

If that users computer is infected for example and attempting to do something its not supposed to be doing, whitelisting them gives them a green light to do whatever. Don't do that.

 

[Skin]

Hello, thanks for your reply: I' ve just removed their ip from the whitelist.

In csf.syslogs I can find only a report for the ip adress :

Mar 10 16:18:47 host2 lfd[13600]: (pop3d) Failed POP3 login from XXX.XXX.XXX.XXX (IT/Italy/hostxxx-xx-static.xx-xxx-b.business.telecomitalia.it): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]

They simply changed one pc and may be they misspelled the e-mail password, but I've no other entries for their ip in csf.syslogs.

Looks like their ip is not listed by cPHulk, is it the correct method to check?

mysql -e "select * from cphulkd.brutes" | grep XXX.XXX.XXX.XXX
mysql -e "select * from cphulkd.blacklist" | grep XXX.XXX.XXX.XXX

 

[quizknows]

CSF should be alerting you when anyone gets blocked. If it's not CSF blocking them, it might be mod security, but CSF should be alerting you to those as well.

Modsec will not block IPs in iptables unless you have a custom rule that does so, or you are using CSF with LF_MODSEC enabled.

I agree with not whitelisting them until you figure out what's going on.

Just check:

csf -g $IP

csf -g is csf grep, it'll check any temp blocks and iptables rules. Alternately:

iptables -L -n |grep $ip

also check

grep $ip /var/log/lfd.log

 

[Infopro]

Modsec will not block IPs in iptables unless you have a custom rule that does so, or you are using CSF with LF_MODSEC enabled.

...

Correct, and your point is?

 

[Skin]

....
Just check:

csf -g $IP

csf -g is csf grep, it'll check any temp blocks and iptables rules. Alternately:

iptables -L -n |grep $ip

also check

grep $ip /var/log/lfd.log

Hello, the first two commands give no results : actually in the firewal there aren't rules regarding the ip adress.

In lfd.log I've an entry:

root@host2 [~]# grep xxx.xx.xx.xxx /var/log/lfd.log
Mar 10 16:18:47 host2 lfd[13600]: (pop3d) Failed POP3 login from xxx.xx.xx.xx (IT/Italy/hostxxx-xx-static.xx-xxx-b.business.telecomitalia.it): 10 in the last 3600 secs - *Blocked in csf* [LF_POP3D]

It is strange because the ip is still somewhere blocked, they still can't access my vps and my hosting providers have checked and ensured that the IP is not blocked anywhere in their ACL.

 

[quizknows]

Your hosting provider may have missed something.

As a final check before you go further try to 'ping' your customers IP. It may not work (it may timeout) but if it's actually blocked in your firewall you'd get something like ping:SENDMSG not permitted.

Anyway, if you at least don't get "ping:SENDMSG not permitted." then you will have to have your customer do a traceroute toward your ip.

See if the traceroute makes it to your hosting providers equipment or not. If it does, provide your host with the full traceroute so they can troubleshoot.

 

[Skin]

My client made a trecert to my vps:lLook like he is able to arrive in to my hosting provider, but he is somewhere blocked.

 

[quizknows]

The DIST routers are the last hop before your server itself. It really should be making it to your server. If LiquidWeb was blocking the IP then it would not make it to the DIST router.

Have the technicians check your firewall config on the server for you, possibly disable / re-enable the firewall.

 

[quizknows]

Correct, and your point is?

My point is that you said " If it's not CSF blocking them, it might be mod security "

I wanted to clarify that ModSecurity does not block IP addresses in iptables on it's own, as your statement made it sound like it could.

Obviously you know how lf_modsec works, but the wording may have been confusing to someone who does not, that's all