Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW on

nwtg

Active Member
Dec 24, 2010
34
0
56
Portland, Oregon
cPanel Access Level
Root Administrator
Good evening!

Last night I tuned up CSF/LFD a little, in the hopes of further deflecting a small bit of failed relay attempts. While my adjustments successfully halted the activity, I began receiving an email every 10 minutes indicating that an IP belonging to my home-office computer was banned, yet I was able to move around all areas without failure.

I have added my /29 to csf.ignore and verified that the IGNORE_ALLOW value in the csf.conf is set as enabled. The IP in question was added to the allow file through WHM ages ago (I tried adding it and received a message that it had been listed previously). I've also restarted LFD a time or two following this addition to be on the safe side. The false-positive emails are still rolling in, and I'm connected and working in SSH, WHM, FTP, Apache, and Exim.

I find this perplexing since I was in my business office all day, using a system with a static IP that's also set in the csf.allow, and received no instances of this email whatsoever. I came home to work a bit more and these began to roll in. I think we're up to about 15 of them, now.

Side note: I did switch update tiers from CURRENT to RELEASE this evening, and ran an upcp --force as I do whenever I change anything update-related.

This is an OpenVZ container residing on one of my SolusVM slaves. I've emailed one of my clients running in an almost identical configuration on the same slave to see if he can replicate the issue based on the tweaks I made.

Should I involve the folks at ConfigServer/Way To The Web? Is this worthy of opening a cPanel support ticket, perhaps? Has such an issue been reported in the past?

I've been extremely busy and have an overnight deployment beginning soon, so my Google searches and skims through the ConfigServer forums have been brief, so far.

If anyone's seen this before I'd love to know if I missed a setting or if this is happening to someone besides me. Otherwise I'll just roll back and start again.

Thanks for listenin'

John
cPU #ycng-050617

nwtg
Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

> Yes, this is their product, not cPanel's of course.
Of course. I figured I'd start here since the headers look to me like cPanel might have generated the message. http://nwtg.co/headers.jpg - the mailer-agent matches other messages sent from [email protected] and [email protected] and doesn't identify itself as being sent by csf/lfd.

Anyhow, in the event that someone needs it in the future, I checked the logs and it looks to have happened because the cPanel/WHM SMTP restrictions were running while CSF's SMTP_BLOCK was enabled. Evidently the WHM SMTP tweak stops working when CSF is enabled, so yeah, regardless of the headers, the bulk of the issue lies with them. :)

Thx


John
cPU #ycng-050617

nwtg
Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

> Banned, or Blocked?
Here's a copy of what I received.
----
Banned the following ip addresses on Mon Oct 29 23:15:01 PDT 2012
00.000.00.000 with 658 connections
----
Below is an exigrep output with time stamps. Each instance is roughly 10-12 minutes apart. Currently, cPHulk's minimum protection threshold is set to 15 minutes. When you factor in a couple of minutes between the trigger, generation of the message, and sending/delivery, it's probably right around the 15-minute mark, which to me suggests cPHulk as the catalyst.

http://nwtg.co/exigrep.txt

However, in the case of past cPHulk alerts, I'm generally used to seeing
"Large number of failed login attempts to account foo (daemon) -- Large number of attempts from this IP: xxx.xx.xxx.xxx" with the cphulkd blacklist/whitelist URLs attached to the message.

I haven't been able to go through the entire list of changes in 11.34(.0.6-release on this CT) but was planning to review them in the afternoon. Also I don't recall Mailx...err...nail....whatever it's called now, being used prior to 11.34, but please correct me if I'm wrong.

Hope this helps

Infopro

Well-Known Member
May 20, 2003
17,085
521
613
Pennsylvania
cPanel Access Level
Root Administrator
Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

Emails from LFD have titles like this example:

lfd on host.domain.name.com: so.me.ip.goes.here (attackers host details here) blocked with too many connections
What's the title of your email say?

Do you have cPHulk Brute Force Protection enabled? If yes, have you added your IP to the whitelist?

nwtg

Re: Receiving false-pos. banned IP email, set in csf.ignore - IGNORE_ALLOW

The subject line reads "IP addresses banned on Mon Oct 29 20:14:01 PDT 2012"
cPHulk has been running for some time now. The IP in question is whitelisted. There's only one instance of a failed login blocked by cPHulk, timestamp 2012-10-27 00:48:23, nothing else.

LFD kicked off an email much earlier this morning. The subject line in this instance reads the familiar: "lfd on onopordon.domain.com: blocked 200.250.29.98 (BR/Brazil/-)"
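The three checks the thread keeps circling back to (is the home-office IP really inside the /29 in csf.ignore, which daemon actually sent a given alert judging by its subject line, and are csf's SMTP_BLOCK and the WHM SMTP Restrictions tweak both switched on, as the second post concluded) can be scripted. The block below is an added example written for this page; it is not code from the thread, from ConfigServer or from cPanel. It assumes the plain `IP` / `CIDR # comment` line format of csf.allow and csf.ignore, the `KEY = "value"` format of csf.conf, and that WHM stores the SMTP Restrictions tweak as `smtpmailgidonly=1` in /var/cpanel/cpanel.config (that key name is an assumption). The subject-line patterns are the ones quoted in the posts above; the sample files are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not code from the thread, ConfigServer or cPanel.
#   1. is the alerting IP covered by a csf.ignore / csf.allow entry?
#   2. which tool produced the alert, judging by its subject line?
#   3. are csf's SMTP_BLOCK and WHM's SMTP Restrictions both on?

# Dotted-quad IPv4 -> integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_cidr IP NET[/BITS]: succeed if IP lies inside the block.
# A bare address in a csf list file means /32.
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# ip_listed IP FILE: succeed if a plain IP or CIDR line in csf.allow /
# csf.ignore covers IP.  Comments, blank lines, csf's extended
# "tcp|in|d=22|s=..." syntax and IPv6 entries are skipped.
ip_listed() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        case $entry in *'|'*|*:*) continue ;; esac
        ip_in_cidr "$1" "$entry" && return 0
    done < "$2"
    return 1
}

# classify_alert SUBJECT: name the likely sender.  Only the subject
# shapes quoted in the thread are recognised; anything else is "unknown",
# which is exactly the case worth chasing.
classify_alert() {
    case $1 in
        "lfd on "*)                                 echo lfd ;;
        *"Large number of failed login attempts"*)  echo cphulk ;;
        *)                                          echo unknown ;;
    esac
}

# csf_setting FILE KEY: value of   KEY = "value"   in csf.conf.
csf_setting() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# smtp_block_conflict CSF_CONF CPANEL_CONFIG: succeed when SMTP_BLOCK is on
# in csf.conf and the WHM tweak is on as well.  Assumption: WHM records the
# SMTP Restrictions tweak as smtpmailgidonly=1 in /var/cpanel/cpanel.config.
smtp_block_conflict() {
    [ "$(csf_setting "$1" SMTP_BLOCK)" = 1 ] &&
    grep -q '^smtpmailgidonly=1$' "$2"
}

# Stand-alone demo on constructed files (not a real server's config).
tmp=$(mktemp -d)
printf '203.0.113.0/29 # home office\n198.51.100.7\n' > "$tmp/csf.ignore"
printf 'SMTP_BLOCK = "1"\nSMTP_ALLOWLOCAL = "1"\n' > "$tmp/csf.conf"
printf 'smtpmailgidonly=1\n' > "$tmp/cpanel.config"

ip_listed 203.0.113.5 "$tmp/csf.ignore" && echo "203.0.113.5 is covered by csf.ignore"
classify_alert "IP addresses banned on Mon Oct 29 20:14:01 PDT 2012"
classify_alert "lfd on onopordon.domain.com: blocked 200.250.29.98 (BR/Brazil/-)"
smtp_block_conflict "$tmp/csf.conf" "$tmp/cpanel.config" && echo "SMTP_BLOCK and SMTP Restrictions both on"
rm -rf "$tmp"
```

On a live box you would point `ip_listed` at /etc/csf/csf.ignore and /etc/csf/csf.allow and `smtp_block_conflict` at /etc/csf/csf.conf and /var/cpanel/cpanel.config; `classify_alert` returning `unknown` for the "IP addresses banned on ..." subject is the point: that subject matches neither the LFD nor the cPHulk shape quoted in the thread, so the mail came from something else.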