Firewall CC_Deny blocks spammers but also WHM updates
I was getting blasted with SPAM through website forms, despite having Captchas in place and other security measures. I was able to analyze the log files over the course of a month and found that the vast majority of form submission SPAM was coming from just 3 ASNs.
I blocked these 3 ASNs in CC_DENY after extensive research:
AS36352 ColoCrossing
AS55286 Server Mania
AS60068 Datacamp
Luckily, after adding those 3 ASNs to CC_DENY, literally every single piece of web form SPAM stopped. However, a bigger problem developed in that WHM will no longer update. It hangs trying to update packages. My guess is one of the above ASNs hosts some type of updates for WHM.
I asked my managed provider for a solution but nothing really helped. I'm looking for some way to keep my CC_DENY entry while somehow bypassing it just for certain ports, and I'd need some kind of idea what ports are used for WHM updates. Any idea how I can keep my block in place but have CSF whitelist WHM updates?
Hello, as far as I know CC_DENY is a ConfigServer CSF feature which allows you to block a whole country by adding the 2-letter ISO code for the country you want to block; it doesn't allow you to block by ASN numbers. Having said that, everybody hates spam, and a possible solution could be to whitelist the IP addresses that take care of cPanel / WHM updates. Probably the problem is being caused by ColoCrossing being in the US, and so is cPanel, so updates are blocked. Ask somebody from cPanel what IPs you need to whitelist to get around the problem. I always see httpupdate.cpanel.net appear, but it could be different for you.
Thank you for the reply. I will ask cPanel if they have the update IPs. I did enter the ASN codes into CC_DENY and it did block by ASN, so that feature does work, but unfortunately, like you said, it seems cPanel or something tied to it uses one of those ASNs for update downloads.
You're right, I just checked; it can block ASN numbers, but your issue remains the same. Leaving cPanel / WHM updates blocked is not an option, as sometimes those updates fix security vulnerabilities, so whitelisting the "update servers" would solve your issue while keeping the spammers blocked. Are you using Google reCAPTCHA on your forms? I recently switched to hCaptcha, and it seems the automated software spammers use has a hard time deciphering them; it might be an option too, though it's probably just a matter of time before hCaptcha gets cracked by the bad guys too.
Hello seenBEST! It sounds like our IPs, or perhaps your server IP, may be part of one of the ASNs' networks. A unique ASN is allocated to each AS for use in BGP routing. ASNs are important because the ASN uniquely identifies each network on the Internet. I found an online tool that may help you get the CIDR ranges for the ASNs you provided, which may provide more information on the networks affected:
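The approach the replies converge on (get the CIDR ranges behind the blocked ASNs, find out which addresses the cPanel update host resolves to, and whitelist only those) as an added example; this is not code from the thread, cPanel or CSF. It assumes a csf.allow entry for a single address is honoured ahead of the CC_DENY block, uses the plain `IP # comment` csf.allow line format, and the ASN prefixes and sample addresses are constructed placeholders from the documentation ranges rather than real announcements.

```python
# Added example, not code from the thread or from cPanel/CSF: check whether the
# addresses a cPanel update host resolves to sit inside prefixes announced by the
# ASNs placed in CSF's CC_DENY, and emit narrow csf.allow lines for only those
# hosts, so the ASN-wide block stays in place.
import ipaddress
import socket
from typing import Dict, Iterable, List, Tuple

# ASN -> announced prefixes. CONSTRUCTED placeholders from the RFC 5737 /
# RFC 3849 documentation ranges; real prefixes come from a BGP/whois lookup
# for the three ASNs named in the thread.
DENIED_ASN_PREFIXES: Dict[str, List[str]] = {
    "AS36352": ["192.0.2.0/24", "2001:db8:1::/48"],
    "AS55286": ["198.51.100.0/24"],
    "AS60068": ["203.0.113.0/24"],
}

def resolve(host: str) -> List[str]:
    """Live A/AAAA lookup for a host such as httpupdate.cpanel.net (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})

def blocked_addresses(addrs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (address, asn, prefix) for every address CC_DENY would catch."""
    nets = [(asn, ipaddress.ip_network(p, strict=True))
            for asn, prefixes in DENIED_ASN_PREFIXES.items() for p in prefixes]
    hits = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        for asn, net in nets:
            if ip in net:  # ipaddress returns False on a v4/v6 version mismatch
                hits.append((addr, asn, str(net)))
                break
    return hits

def csf_allow_entries(host: str, addrs: Iterable[str]) -> List[str]:
    """csf.allow lines (IP followed by a comment) for the colliding hosts only:
    single addresses, never the ASN's whole prefix, so spam sources stay blocked."""
    return [f"{addr} # {host} inside {asn} ({prefix}); keep CC_DENY"
            for addr, asn, prefix in blocked_addresses(addrs)]

if __name__ == "__main__":
    # Constructed stand-in for resolve("httpupdate.cpanel.net"); 198.18.0.5 is
    # an RFC 2544 benchmarking address used here as a non-blocked control.
    sample = ["192.0.2.10", "198.18.0.5", "2001:db8:1::443"]
    for line in csf_allow_entries("httpupdate.cpanel.net", sample):
        print(line)
```

Update hosts can change address over time, so re-running the check (for example from cron) before each update window catches new collisions without widening the whitelist to the whole ASN.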