Unbelievable problem...

[antonisthai]

Hi to all
please i need your help as what is happening is impossible

I have a server with csf (as all of us here...)..

All the sites stop loading after some time from SPECIFIC IPs that login to WHM or wordpress admin..

So if x person is working on this site to make it, after some time he looses access as csf blocks him.

The same from the corporate network, probably after much conections its blocked (or it sees other ports).

The thing is i have added these ips to exceptions but NO luck.

After some time it blockes it... After i restart the firewall is working like a charm for some minutes.

any ideas please?

hundreds of thanks to all

[sawbuck]

Not much information to go on.

I'd check the deny and temp deny entries.

Given WP it could be related to mod_security.

[antonisthai]

Hi and thanks for your response.

we have a dedicated server in europe. (outside every of our sites /homes) .

We have a static ip in our company. in example 1.1.1.1

A designer at his house has for example 2.2.2.2 dynamic ip (making the sites). He connects to :2087 port for cpanel as well as on wordpress admin (wp_admin). No other ports.

After enabling csf - a few seconds / minutes these guys (everyone from inside company) + the designer cannot connect on sites! they see like the sites are down (cannot load).

Everybody else sees the site fine.

I have added the lists to ignore. in the firewall.

I dont know what else i need to do.

Simply when i restart firewall or i close it, they can connect again.

Please help. I am online monitoring answers so i will respond asap.

Many thanks

[antonisthai]

to add... how i can check the deny and temp deny entries?

I found some commands but i get nothing as result (no temp / deny)... can you help please?

"Given WP it could be related to mod_security" but this would result on all sites not loading from specific ips?

Many thanks for all your help!

[sawbuck]

The CSF interface in WHM allows you to view the deny and temp deny entries along with the temp IP bans.

You can also search for a specific IP block.

If designers are using dynamic IPs you may have to look at configuring Global Lists/DYNDNS/Blocklists in the CSF config file.

Instead of only allowing specific IPs it might be necessary to allow CIDR ranges at least for testing.

When users are blocked are you receiving any email notifications?

[antonisthai]

So many thanks for your time sawbuck

no i dont get any mail (i get only for some attacks in dovecot / mail).

the IPs ARE in the ignore.csf

i pressed VIEW IP TABLES RULES i found the ips but are ACCEPT so they are not blocked from there?

in /etc/csf/csf.allow it is also added...

the ip is NOT in the csf.deny

the ip IS at /etc/csf/csf.ignore also

the ip is NOT blacklisted anywhere

also : View/Remove the temporary IP entries (Currently: 0 temp IP bans, 0 temp IP allows)

what else i need to check?!?!?!?!


it is STILL BLOCKED!!! if i restart firewall it will work for some time and after block

many thanks!!

[sawbuck]

Did you do a Search IP in the CSF interface when the user is blocked?

What value do you have for CT_LIMIT under Connection Tracking in the config file?

Are the blocks only happening for users with dynamic IPs?

Are you using the ConfigServer ModSec Control plugin in WHM?

[antonisthai]

hundreds of thanks for your immediate response!!!!

1) how i do this search??? (in the csf interface??)
2) i have 450 in CT_LIMIT

The blocks happening to the STATIC (that is allowd also everywhere) + to the guys that go to connect from home to work in wordpress!!!

Important

when i browse the IP of the server !! it CONNECTS

http://1.1.1.1/ (server) it connects

and i think after it unblocks and you can browse site!!! yes

how i can check if i use ConfigServer ModSec Control ?

MANY THANKS!

[sawbuck]

You'll see the plugin in the WHM interface near the CSF plugin.

[antonisthai]

No it is not there
now i realize that some sites load some others no!!!!

when i close the firewall all sites load (