The Community Forums


Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW on

Discussion in 'Security' started by nwtg, Oct 30, 2012.

  1. nwtg

    nwtg Active Member

    Joined:
    Dec 24, 2010
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Portland, Oregon
    cPanel Access Level:
    Root Administrator
    Good evening!

    Last night I tuned up CSF/LFD a little, in the hopes of further deflecting a small bit of failed relay attempts. While my adjustments successfully halted the activity, I began receiving an email every 10 minutes indicating that an I.P. belonging to my home-office computer was banned yet I was able to move around all areas without failure.

    I have added my /29 to csf.ignore and verified that the IGNORE_ALLOW value in the csf.conf is set as enabled. The IP in question was added to the allow file through WHM ages ago (I tried adding it and received a message that it had been listed previously). I've also restarted LFD a time or two following this addition to be on the safe side. The false-positive emails are still rolling in, and I'm connected and working in SSH, WHM, FTP, Apache, and Exim.

    I find this perplexing since I was in my business office all day, using a system with a static IP that's also set in the csf.allow, and received no instances of this email whatsoever. I came home to work a bit more and these began to roll in. I think we're up to about 15 of them, now.

    Side note: I did switch update tiers from CURRENT to RELEASE this evening, and ran a upcp --force as I do whenever I change anything update-related.

    This is an OpenVZ container residing on one of my SolusVM slaves. I've emailed one of my clients running in an almost identical configuration on the same slave to see if he can replicate the issue based on the tweaks I made.

    Should I involve the folks at ConfigServer/Way To The Web? Is this worthy of opening a cPanel support ticket, perhaps? Has such an issue been reported in the past?

    I've been extremely busy and have an overnight deployment beginning soon, so my Google searches and skims through the ConfigServer forums have been brief, so far.

    If anyone's seen this before I'd love to know if I missed a setting or if this is happening to someone besides me. Otherwise I'll just roll back and start again.

    Thanks for listenin'

    John
    cPU #ycng-050617
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,481
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW


    Yes, this is their product, not cPanel's of course.
     
  3. nwtg

    Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

    Of course. I figured I'd start here since the headers look to me like cPanel might have generated the message. http://nwtg.co/headers.jpg - the mailer-agent matches other messages sent from root@ and cpanel@ and doesn't identify itself as being sent by csf/lfd.

    Anyhow, in the event that someone needs it in the future, I checked the logs and it looks to have happened because the cPanel/WHM SMTP restrictions were running while CSF's SMTP_BLOCK was enabled. Evidently the WHM SMTP tweak stops working when CSF is enabled, so yeah, regardless of the headers, the bulk of the issue lies with them. :)

    Thx


    John
    cPU #ycng-050617
     
  4. Infopro

    Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

    Banned, or Blocked?

    Emails from CSF/LFD are different emails than cPHulk Brute Force Protection for example.
     
  5. nwtg

    Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

    Here's a copy of what I received.
    ----
    Banned the following ip addresses on Mon Oct 29 23:15:01 PDT 2012
    00.000.00.000 with 658 connections
    ----
    Below is an exigrep output with time stamps. Each instance is roughly 10-12 mins apart. Currently, cPHulk's minimum protection threshold is set to 15 minutes. When you factor in a couple of minutes between the trigger, generation of the message, and sending/delivery, it's probably right around the 15 minute mark, which to me suggests cPHulk as the catalyst.

    http://nwtg.co/exigrep.txt

    However, in the case of past cpHulk alerts, I'm generally used to seeing
    "Large number of failed login attempts to account foo (daemon) -- Large number of attempts from this IP: xxx.xx.xxx.xxx" with the cphulkd blacklist/whitelist URLs attached to the message.

    I haven't been able to go through the entire list of changes in 11.34(.0.6-release on this CT) but was planning to review them in the afternoon. Also I don't recall Mailx...err...nail....whatever it's called now, being used prior to 11.34, but please correct me if I'm wrong.

    Hope this helps
     
    #5 nwtg, Oct 30, 2012
    Last edited: Oct 30, 2012
  6. Infopro

    Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

    Emails from LFD have titles like this example:

    What does the title of your email say?

    Do you have cPHulk Brute Force Protection enabled? If yes, have you added your IP to the whitelist?
     
  7. nwtg

    Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

    The subject line reads "IP addresses banned on Mon Oct 29 20:14:01 PDT 2012"
    cPHulk has been running for some time now. The IP in question is whitelisted. There's only one instance of a failed login blocked by cpHulk, timestamp 2012-10-27 00:48:23, nothing else.

    LFD kicked off an email much earlier this morning. The subject line in this instance reads the familiar; "lfd on onopordon.domain.com: blocked 200.250.29.98 (BR/Brazil/-)"
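One way to triage these notifications, as an added example that is not part of the thread: a small Python script that sorts alert emails by subject line into the LFD format and the "IP addresses banned on" format quoted above, pulls out the address, and checks it against the CIDR ranges an admin keeps in csf.allow/csf.ignore, so an allow-listed address that still turns up in a ban notice is flagged as the false positive to chase. The sample alerts, the 192.0.2.8/29 range and the "ban-notice" label are constructed for the example.

```python
import re
import ipaddress

# Constructed sample notifications, modelled on the two formats quoted in this thread.
SAMPLE_ALERTS = [
    {"subject": "IP addresses banned on Mon Oct 29 20:14:01 PDT 2012",
     "body": "Banned the following ip addresses on Mon Oct 29 20:14:01 PDT 2012\n"
             "192.0.2.10 with 658 connections\n"},
    {"subject": "lfd on onopordon.domain.com: blocked 198.51.100.7 (BR/Brazil/-)",
     "body": "Time: Tue Oct 30 06:02:11 2012 (constructed body)\n"},
]

# Constructed allow/ignore entries as csf accepts them: single IPs or CIDR ranges.
ALLOWED_NETWORKS = ["192.0.2.8/29", "203.0.113.5"]

LFD_SUBJECT = re.compile(r"^lfd on (?P<host>\S+): blocked (?P<ip>[\d.]+) \((?P<geo>[^)]*)\)")
BANNED_SUBJECT = re.compile(r"^IP addresses banned on ")
BANNED_LINE = re.compile(r"^(?P<ip>[\d.]+) with (?P<count>\d+) connections$", re.M)


def classify_alert(subject, body):
    """Return (source, [(ip, detail), ...]) for one notification.

    'lfd' alerts carry the IP in the subject; the 'ban-notice' format lists
    one '<ip> with <n> connections' line per address in the body."""
    m = LFD_SUBJECT.match(subject)
    if m:
        return "lfd", [(m.group("ip"), m.group("geo"))]
    if BANNED_SUBJECT.match(subject):
        hits = [(h.group("ip"), int(h.group("count"))) for h in BANNED_LINE.finditer(body)]
        return "ban-notice", hits
    return "unknown", []


def is_allowed(ip, networks=ALLOWED_NETWORKS):
    """True if ip falls inside any allow/ignore entry (CIDR-aware, so a /29 works)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def triage(alerts, networks=ALLOWED_NETWORKS):
    """Tag every banned/blocked IP with its alert source and whether it is allow-listed.

    An allow-listed IP in a ban notice means either a false positive or a second
    daemon that does not consult csf's allow/ignore files."""
    findings = []
    for alert in alerts:
        source, hits = classify_alert(alert["subject"], alert["body"])
        for ip, detail in hits:
            findings.append({"source": source, "ip": ip, "detail": detail,
                             "allowlisted": is_allowed(ip, networks)})
    return findings
```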
     