Let's Encrypt and "strange" tcp connections

[email protected]

Well-Known Member
Aug 3, 2016
Everywhere
cPanel Access Level
Root Administrator
Hello,

I have Let's Encrypt for cPanel SSL for my cPanel users.

I have been checking (for about 1 week now) the connections of my server and I see connections to
akamaitechnologies from IPs that seem (as I searched) to be from Let's Encrypt.

Yesterday I received a message from my CSF firewall about a temporary block for [CT_LIMIT] reason of an IP that made 551 TCP connections... I searched for the IP and I found it here

Code:
The IP is: 2.20.190.17
My block alert is:

Code:
IP:          2.20.190.17 (a2-20-190-17.deploy.static.akamaitechnologies.com)
Connections: 551
Blocked:     Temporary Block for 1800 seconds [CT_LIMIT]

Connections:
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:48746 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49658 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49164 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49826 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:48604 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49758 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49158 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49200 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49736 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:48424 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49152 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:50196 (ESTABLISHED)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49642 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49120 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:50124 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:48610 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:50034 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49144 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:48504 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:48668 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49062 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49858 (TIME_WAIT)

etc....
Is that something that cPanel with the Let's Encrypt SSL option should do? Is that normal behavior or not?

Any advice is highly appreciated!
Thank you!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

It's normal to see the TCP connections from Comodo or Let's Encrypt. It's from the domain validation attempts by those certificate providers. That said, 551 connections in a short time frame seems excessive. Can you review the "Logs" tab in "WHM >> Manage AutoSSL" to determine if those connections correspond to a large number of AutoSSL validation attempts for new domain names (or renewed certificates for existing domain names)?

Thank you.
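
Added example, not part of either post: a small Python parser for the connection lines of a CSF alert like the one quoted in the thread, tallying TCP states and using port numbers to guess which side opened each connection. It assumes the left-hand address is the blocked remote IP (as in the alert above) and uses 32768, the Linux default start of the ephemeral port range, as the cut-off; both are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the alert quoted in the thread (three of its connection lines).
SAMPLE_ALERT = """\
IP:          2.20.190.17 (a2-20-190-17.deploy.static.akamaitechnologies.com)
Connections: 551
Blocked:     Temporary Block for 1800 seconds [CT_LIMIT]

Connections:
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:48746 (TIME_WAIT)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:50196 (ESTABLISHED)
tcp: 2.20.190.17:80 -> xxx.xxx.xxx.xxx:49658 (TIME_WAIT)
"""

CONN_RE = re.compile(r"^tcp6?:\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+\((\w+)\)\s*$")
TOTAL_RE = re.compile(r"^Connections:[ \t]+(\d+)", re.M)
EPHEMERAL_FLOOR = 32768  # assumption: Linux default ip_local_port_range start


def direction(remote_port, local_port):
    """Port-based heuristic: the side on a well-known port is the service."""
    if remote_port < 1024 and local_port >= EPHEMERAL_FLOOR:
        return "outbound"   # this server connected out to the remote service
    if local_port < 1024 and remote_port >= 1024:
        return "inbound"    # the remote host connected to a local service
    return "unknown"


def summarize(alert_text):
    """Tally TCP states and inferred direction for each listed connection."""
    states, directions = Counter(), Counter()
    for line in alert_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # header lines, blank lines, "etc...."
        _, rport, _, lport, state = m.groups()
        states[state] += 1
        directions[direction(int(rport), int(lport))] += 1
    total = TOTAL_RE.search(alert_text)
    return {
        "reported": int(total.group(1)) if total else None,
        "listed": sum(states.values()),
        "states": states,
        "direction": directions,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ALERT))
```

On the lines quoted above, every connection has the remote side on port 80 and the local side on a high port, which this heuristic classifies as opened by the server. Requests arriving at the server's own web service would instead show the local port as 80.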