Whitelisted IP being blocked

Post by LukeDouglas »

I have set up MyJoomla to help manage my Joomla websites. Part of their service is setting up uptime monitors via UptimeRobot.com.

I whitelisted the IP addresses for both services:

178.62.5.35 # Manually allowed MyJoomla: (England) - Tue Mar 20 14:50:59 2019  DO NOT DELETE
178.62.31.185 # Manually allowed MyJoomla: (England) - Tue Mar 20 14:50:59 2019  DO NOT DELETE
178.62.47.108 # Manually allowed MyJoomla: (England) - Tue Mar 20 14:50:59 2019  DO NOT DELETE
88.80.185.18 # Manually allowed MyJoomla: (England) - Tue Mar 20 14:50:59 2019  DO NOT DELETE
69.162.124.0/24 # Manually allowed UptimeRobot (Dallas, TX, US)  - Tue Mar 20 14:50:59 2019  DO NOT DELETE
63.143.42.0/24  # Manually allowed UptimeRobot (Dallas, TX, US)  - Tue Mar 20 14:50:59 2019  DO NOT DELETE
216.245.221.0/24 # Manually allowed UptimeRobot (Dallas, TX, US)  - Tue Mar 20 14:50:59 2019  DO NOT DELETE

I restarted csf+lfd.

So I see this in the log:

Mar 26 16:02:04 web lfd[31583]: (mod_security) mod_security (id:350001) triggered by 63.143.42.247 (US/United States/engine22.uptimerobot.com): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]
Mar 26 16:02:09 web lfd[31657]: *Error*: csf output: deny failed: 63.143.42.247 is in the allow file /etc/csf/csf.allow

I'm curious if the 'Error' line means it 'tried' to block the IP but failed because 63.143.42.247 is in the range of 63.143.42.0/24. Therefore the UptimeRobot was allowed through to the website.

Am I correct?

Re: Whitelisted IP being blocked

Post by datalude »

That would be my reading of it. The IP was suggested as a candidate for blocking by the mod_security module, but then csf refused to block it as it was in the allow list.
In your conf file you'll see a line
MODSEC_LOG = "/var/log/apache2/error.log"
So that's where lfd is looking for that information. If you want to disable the modsec detection you can do it with
LF_MODSEC = "0"
I think.
Another approach would be to whitelist those IPs in mod_security too, either in .htaccess or in mod_security.conf, and then neither of those log messages would occur.
https://smallbusiness.chron.com/whiteli ... 51252.html
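
The reading discussed above can be checked mechanically. This is an added example, not code from the posters or from csf: it parses csf.allow entries and the two lfd log lines quoted in the thread (comments shortened), then reports which allow entry covers the IP lfd tried to block. The function names parse_allow, covering_entry and correlate are hypothetical, and only bare IP/CIDR entries are handled.

```python
import ipaddress
import re

# Entries and log lines copied from the thread above (allow-file comments shortened).
CSF_ALLOW = """\
178.62.5.35 # Manually allowed MyJoomla
69.162.124.0/24 # Manually allowed UptimeRobot
63.143.42.0/24  # Manually allowed UptimeRobot
216.245.221.0/24 # Manually allowed UptimeRobot
"""
LFD_LOG = """\
Mar 26 16:02:04 web lfd[31583]: (mod_security) mod_security (id:350001) triggered by 63.143.42.247 (US/United States/engine22.uptimerobot.com): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]
Mar 26 16:02:09 web lfd[31657]: *Error*: csf output: deny failed: 63.143.42.247 is in the allow file /etc/csf/csf.allow
"""

TRIGGER = re.compile(r"triggered by (\S+) .*\[(LF_\w+)\]")
DENY_FAILED = re.compile(r"deny failed: (\S+) is in the allow file")

def parse_allow(text):
    """Return networks for plain IP/CIDR entries; skip comments and other rule forms."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # not a bare address or range
    return nets

def covering_entry(ip, nets):
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr.version == n.version and addr in n), None)

def correlate(log_text, nets):
    """Map each IP lfd tried to block to its trigger, allow entry and outcome."""
    events = {}
    for line in log_text.splitlines():
        if m := TRIGGER.search(line):
            ip, trigger = m.groups()
            events[ip] = {"trigger": trigger, "allowed_by": covering_entry(ip, nets), "deny_failed": False}
        elif (m := DENY_FAILED.search(line)) and m.group(1) in events:
            events[m.group(1)]["deny_failed"] = True
    return events

if __name__ == "__main__":
    for ip, ev in correlate(LFD_LOG, parse_allow(CSF_ALLOW)).items():
        print(ip, ev["trigger"], "allow entry:", ev["allowed_by"], "deny failed:", ev["deny_failed"])
```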

Re: Whitelisted IP being blocked

Post by datalude »

Another thought occurs to me. There are actually two different whitelist files used:
csf.allow is used by csf to build the iptables rules.
csf.ignore is used by lfd.
So maybe you actually need to add the IP addresses to csf.ignore instead.

Re: Whitelisted IP being blocked

Post by AdminWonder »

csf.ignore is a different area, different sequent of chains. You would still need the IP in csf.allow.