CSF no longer blocking IP Address after WHM update 98.0.6
Hi Team,
I just noticed IP addresses in /etc/csf/csf.deny are not being blocked any more since WHM update 98.0.6. I am aware this may be a CSF issue but wanted to share. I thought at first this was just one server, but I have checked on 11 servers and all are having the same issue.
1. whm1 - cloudlinux - no cloudflare - no engintron = /etc/csf/csf.deny IP address added manually $csf -d x.x.x.x. and it does not block the IP address. The IP can still see all websites on the server and continue to spam.
2. whm2 - litespeed enterprise - Cloudflare = /etc/csf/csf.deny IP address added manually $csf -d x.x.x.x. and it does not block the IP address. The IP can still see all websites on the server and continue to spam.
3. whm + engintron + cloudflare = same, not working.
The common thing is they are all recently on WHM v98.0.6 and csf no longer blocks IP addresses.
It however does block ports fine. Example: port 80 or 443 can be blocked and works.
I would love any assistance from anyone out there! How to troubleshoot such an issue here?
I notice this may be CSF related but I want to see if anyone else can replicate this issue as well?
Oh and csf version
[root@whm3 ~]# csf -v
csf: v14.10 (cPanel)
[root@whm3 ~]#
Also posted this on the CSF website forum but they are very slow and unresponsive.
-
Hey there! To test this on my end, I did the following:
- removed my IP address from the csf.allow file
- ran the "csf -d x.x.x.x" command to block the IP
- confirmed in the output that traffic was dropped
At this point I could still visit all the sites on my server, so I have confirmed the issue. You'll definitely want to reach out to CSF about this behavior as they may have a more widespread issue happening, but there isn't anything in WHM that would affect this.
-
I tested this and blocking worked as expected, Centos 7.9 kvm, WHM 98.0.6, csf 14.10
-
Hey there! To test this on my end, I did the following:
- removed my IP address from the csf.allow file
- ran the "csf -d x.x.x.x" command to block the IP
- confirmed in the output that traffic was dropped
At this point I could still visit all the sites on my server, so I have confirmed the issue. You'll definitely want to reach out to CSF about this behavior as they may have a more widespread issue happening, but there isn't anything in WHM that would affect this.
I have tried reaching out to CSF and they do not even want to recognise it as a bug; it was moved to general discussion with no response. Their forums are quite disappointing compared to their product, which is usually a good one. There is definitely an issue here, and definitely not isolated, as we can both replicate it in various different tests. Where to from here is the question? Ditch csf? I guess, when will cPanel include a good firewall as part of WHM?
-
We have no plans to include a firewall at this time, or at least any plans that I am aware of. We try and stay hands-off with that area of the server. I would guess CSF will reply at some point, but I'm doing some additional testing on my end as well.
-
I tested this and blocking worked as expected, Centos 7.9 kvm, WHM 98.0.6, csf 14.10
Hi Finn, weird that it worked for you. Are you sure you are doing the same testing we did? I.e. testing blocking of an IP from being able to view the websites: add the IP to csf.deny, then view a website running on the server and you will see it's not blocked. Can still view the website on http or https. Cheers
-
We have no plans to include a firewall at this time, or at least any plans that I am aware of. We try and stay hands-off with that area of the server. I would guess CSF will reply at some point, but I'm doing some additional testing on my end as well.
Thanks @cPRex! Yeah, I am sure they will respond if they acknowledge the bug firstly. But yes, understood on the stay away part as well. Was just a thought to make WHM all in one. Please do keep me posted on any updates on this one if you find anything or get a different outcome. As I said, I tried on many of our servers and clients' servers and replicated it on many. I will also update if we get any update from csf forum on post here :
-
Hi Finn, weird that it worked for you. Are you sure you are doing the same testing we did? I.e. testing blocking of an IP from being able to view the websites: add the IP to csf.deny, then view a website running on the server and you will see it's not blocked. Can still view the website on http or https. Cheers
I added my own IP:
csf -d xxx.xxx.xxx.xxx
After that I could not connect to a site on that server. Then I removed that block line in /etc/csf/csf.deny (from a laptop using another IP), and ran:
csf -ra
and after that I was able to access that site. It does not mean that it's not a bug, but it means that it does not affect every server running WHM 98.0.
-
Just for curiosity, have you run
iptables -L -n
To see if the IP is in the DENYIN/DENYOUT chains? To figure out where the issue is you have to see if it's being added to the chain (CSF issue) or if it is added, but not working, then it's possibly an iptables issue?
-
Just for curiosity, have you run
iptables -L -n
To see if the IP is in the DENYIN/DENYOUT chains? To figure out where the issue is you have to see if it's being added to the chain (CSF issue) or if it is added, but not working, then it's possibly an iptables issue?
Hi ffeindgol, Thanks for the reply and additional tips to check. That was a great idea. Thanks. FYI the IP address I used was on a test 4G phone: 110.54.174.83
Also to add:
[root@whm5 ~]# iptables --version
iptables v1.4.21
[root@whm5 ~]#
[root@whm5 ~]# iptables -L -n | grep '110.54.174.83'
DROP       all  --  110.54.174.83        0.0.0.0/0
LOGDROPOUT all  --  0.0.0.0/0            110.54.174.83
[root@whm5 ~]#
The above is from the snippet below. FYI the DROP 0.0.0.0 for ports 8080 and 8443 are for Engintron. I suspected this may be causing the issue but have tested on another server without Engintron and was able to replicate, as was @cPRex, so I assumed it is not relevant in the equation here.
Chain DENYIN (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
DROP       all  --  216.244.66.242       0.0.0.0/0
DROP       all  --  110.54.174.83        0.0.0.0/0
DROP       all  --  66.85.133.136        0.0.0.0/0
Chain DENYOUT (1 references)
target     prot opt source               destination
LOGDROPOUT all  --  0.0.0.0/0            216.244.66.242
LOGDROPOUT all  --  0.0.0.0/0            110.54.174.83
LOGDROPOUT all  --  0.0.0.0/0            66.85.133.136
-
I can confirm we have the same problem. Our CSF firewall suddenly does not deny IP addresses. The IP address is not listed in iptables, so I suspect it's something wrong with CSF/LFD Firewall. Tried reinstalling CSF with fresh configs/data files and still the same issue. It has been working fine for many years on this server.
cPanel 96.0.15
CentOS 7 3.10.0-962.3.2.lve1.5.52.el7.x86_64
We were able to resolve it by disabling FASTSTART in the CSF Firewall Configuration option
-
I think same issue here. Strange things happen after the update. I have many servers. From server A I ping to server B and am unable to connect. I temporarily whitelist the serverIP_A on B, and it works, but it is NOT blocked. I searched in csf and iptables. Only if I whitelist the IP does it work. This causes me issues with many scripts etc. Can anyone help me?
-
@zstergios - it would be best to reach out to CSF directly about this issue. Enough people have run into the problem to confirm that there is something odd happening with CSF.
-
I have the same problem, but on the latest WHM version 106.0.9 and CentOS 7. How did you solve your problem?
-
I have the same problem, but on the latest WHM version 106.0.9 and CentOS 7. How did you solve your problem?
I solved my problem by disabling firewalld
-
Hey there! To test this on my end, I did the following:
- removed my IP address from the csf.allow file
- ran the "csf -d x.x.x.x" command to block the IP
- confirmed in the output that traffic was dropped
At this point I could still visit all the sites on my server, so I have confirmed the issue. You'll definitely want to reach out to CSF about this behavior as they may have a more widespread issue happening, but there isn't anything in WHM that would affect this.
Hmm, wouldn't you have to run "csf -r" after removing your IP address from csf.allow in order for the "active" firewall to stop exempting it and thus allow you to subsequently block it with csf -d x.x.x.x ? m
-
@mtindor - that's a good point, but we also don't support CSF so there wouldn't be much we could do on our side for this issue.
-
@mtindor - that's a good point, but we also don't support CSF so there wouldn't be much we could do on our side for this issue.
I wasn't suggesting anybody at cPanel fix anything. But, if there are people reporting issues, it's important to determine who really has issues. For your test, unless you can confirm (or deny) that removing the IP from csf.allow, then executing "csf -r" and then doing "csf -d x.x.x.x" will properly block your IP like it should, nobody knows if you really have an issue or not. I'm leaning towards nonissue. And if you really don't have an issue, you wouldn't want to be pointing the finger at CSF. After all, how does it feel every time somebody erroneously points the finger at cPanel in public? Not good I'm sure :) M
-
Yeah, but I'm so used to the finger-pointing by now :D I did the test again with the "csf -r" step and that works as intended, so this seems like a non-issue at this point.
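The two checks discussed in this thread (is the IP in the DENYIN chain at all, and is it still exempted by an allow rule that stays loaded until "csf -r"), written as an added example that is not part of any post above and is not csf's own code. It assumes csf's allow chain is named ALLOWIN and is consulted before DENYIN; the listing is constructed sample data using documentation addresses.

```shell
#!/bin/sh
# Added example: classify why a csf.deny entry may not be blocking traffic,
# reading `iptables -L -n` text. ALLOWIN taking precedence is an assumption.

# classify_ip IP : reads `iptables -L -n` output on stdin, prints one verdict
#   not-loaded      IP has no DROP rule in DENYIN (csf did not load it)
#   allow-shadowed  IP is in DENYIN but an ACCEPT for it is still in ALLOWIN
#   deny-loaded     IP is in DENYIN only (look outside the csf chains)
# Matches exact single-address entries only, not CIDR ranges.
classify_ip() {
    awk -v ip="$1" '
        $1 == "Chain" { chain = $2; next }
        # rule rows are: target prot opt source destination
        chain == "DENYIN"  && $1 == "DROP"   && $4 == ip { deny = 1 }
        chain == "ALLOWIN" && $1 == "ACCEPT" && $4 == ip { allow = 1 }
        END {
            if (!deny)      print "not-loaded"
            else if (allow) print "allow-shadowed"
            else            print "deny-loaded"
        }'
}

# Constructed sample in the same layout as the output posted in the thread.
sample_listing() {
    cat <<'EOF'
Chain ALLOWIN (1 references)
target     prot opt source               destination
ACCEPT     all  --  203.0.113.10         0.0.0.0/0
Chain DENYIN (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
DROP       all  --  203.0.113.10         0.0.0.0/0
DROP       all  --  203.0.113.77         0.0.0.0/0
Chain DENYOUT (1 references)
target     prot opt source               destination
LOGDROPOUT all  --  0.0.0.0/0            203.0.113.77
EOF
}

# Offline demo; on a server use: iptables -L -n | classify_ip x.x.x.x
for ip in 203.0.113.10 203.0.113.77 203.0.113.7; do
    printf '%s %s\n' "$ip" "$(sample_listing | classify_ip "$ip")"
done
```

Unlike grep with an unanchored pattern, the exact field comparison does not report 203.0.113.7 as present just because 203.0.113.77 is listed.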