IP being blocked in firewall - not showing up in lfd.log
So something on my network is triggering a permanent block on our server. I've searched all the logs in csf.syslog as well as cPHulk tools and there's no sign of our public IP.
I do a Quick Unblock of the IP via my cell data network (and get confirmation that the IP was in the permanent block rules)...
Any suggestions on where else to look to see what's triggering this would be greatly appreciated.
Mark
It should be getting logged to /var/log/lfd.log
Yes, that's what I thought. As stated above, searching that log, the IP in question does not show up.
You hadn't mentioned lfd.log specifically, which is why I mentioned it. If it's blocked again, before you unblock it, look at the /etc/csf/csf.deny file, as the reason will generally be stuck in there as a comment as well.
Hello @markhubert, Let us know if the information in the previous post helps. Thank you.
We are getting the same issue on our cPanel server. One of our customers (a Reseller) is travelling around Asia and using ExpressVPN. For some reason half the time he is unable to access his services with us. 2 out of the 4 IP Addresses weren't able to connect and nothing was getting logged anywhere on our server for them (as in no connection attempt was made). The other 2 were connecting successfully. Now the same thing appears to be happening for one of his clients on 2 separate IP Addresses. There is nothing in the logs showing that they even tried to connect and nothing showing they had been blocked. Gone through the logs for the system, cPanel, CSF/LFD, cPHulk and Mod Security. Any suggestions on what else to check, or what the issue could be would be greatly appreciated.
Are the connections being attempted using the IP address or a domain name? If they used the IP address, I would have expected to see it making a connection attempt, assuming there were no network issues preventing the connection request reaching your server. If they use a domain name request, this obviously relies on a DNS response, which complicates the connection. A consideration may be that a/the carrier is blocking access for some reason - maybe they experienced something that caused the IP to be placed on a blocklist, or maybe the VPN is not performing as they expect it to, or perhaps there is a QoS policy interfering with the connection. Since you are seeing nothing at your end, I suspect you will only get to the bottom of this if the connecting computer can run or access some software that will produce hard data as to what is happening from their end. You might also try and enlist the cooperation of the data centre operations where your server is located. They should have much more access, and advanced resources, to trace connection attempts to your server travelling through their network infrastructure.
Are you using some other brute force system? I.e., DDoS Deflate comes to mind (it does not log to the lfd log), it just adds manually denied to the csf.deny.
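An added example, not part of the original thread: a plain text search for the IP misses a block recorded as a CIDR range or inside an advanced-filter rule, so this Python script lists every csf.deny entry that covers an address, together with its comment. The sample entries are constructed, the function name `covering_rules` is hypothetical, and the `entry # comment` layout is assumed from the replies above.

```python
import ipaddress

# Constructed sample in the assumed "entry # comment" layout; not from a real server.
SAMPLE_DENY = """\
# constructed csf.deny sample
198.51.100.7 # lfd: (sshd) Failed SSH login from 198.51.100.7: 5 in the last 3600 secs
203.0.113.0/24 # Manually denied: 203.0.113.0/24 - constructed entry
tcp|in|d=22|s=192.0.2.44 # constructed advanced-filter entry
"""

def covering_rules(ip, deny_text):
    """Return (line_no, entry, comment) for each deny entry that covers `ip`."""
    target = ipaddress.ip_address(ip)
    hits = []
    for line_no, raw in enumerate(deny_text.splitlines(), 1):
        entry, _, comment = raw.partition("#")
        entry = entry.strip()
        if not entry:
            continue  # blank or comment-only line
        fields = entry.split("|")
        if len(fields) > 1:
            # Advanced filter: addresses (or ports) sit in s= / d= fields.
            candidates = [f[2:] for f in fields if f.startswith(("s=", "d="))]
        else:
            candidates = [entry]
        for cand in candidates:
            try:
                net = ipaddress.ip_network(cand, strict=False)
            except ValueError:
                continue  # a port number or other non-address token
            if target in net:
                hits.append((line_no, entry, comment.strip()))
                break
    return hits

if __name__ == "__main__":
    # 203.0.113.25 never appears as text in the sample, yet the /24 covers it.
    for line_no, entry, reason in covering_rules("203.0.113.25", SAMPLE_DENY):
        print(f"line {line_no}: {entry} -> {reason}")
```

On a server, pass the contents of /etc/csf/csf.deny as the second argument before unblocking the IP, so the comment is still present.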