Whitelisted IP being blocked

Posted: 26 Mar 2019, 22:04
by LukeDouglas
I have set up MyJoomla to help manage my Joomla websites. Part of their service is setting up uptime monitors via UptimeRobot.com.

I whitelisted the IP addresses for both services:

178.62.5.35 # Manually allowed MyJoomla: (England) - Tue Mar 20 14:50:59 2019  DO NOT DELETE
178.62.31.185 # Manually allowed MyJoomla: (England) - Tue Mar 20 14:50:59 2019  DO NOT DELETE
178.62.47.108 # Manually allowed MyJoomla: (England) - Tue Mar 20 14:50:59 2019  DO NOT DELETE
88.80.185.18 # Manually allowed MyJoomla: (England) - Tue Mar 20 14:50:59 2019  DO NOT DELETE
69.162.124.0/24 # Manually allowed UptimeRobot (Dallas, TX, US)  - Tue Mar 20 14:50:59 2019  DO NOT DELETE
63.143.42.0/24  # Manually allowed UptimeRobot (Dallas, TX, US)  - Tue Mar 20 14:50:59 2019  DO NOT DELETE
216.245.221.0/24 # Manually allowed UptimeRobot (Dallas, TX, US)  - Tue Mar 20 14:50:59 2019  DO NOT DELETE

I restarted csf+lfd.

So I see this in the log:

Mar 26 16:02:04 web lfd[31583]: (mod_security) mod_security (id:350001) triggered by 63.143.42.247 (US/United States/engine22.uptimerobot.com): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]
Mar 26 16:02:09 web lfd[31657]: *Error*: csf output: deny failed: 63.143.42.247 is in the allow file /etc/csf/csf.allow

I'm curious if the 'Error' line means it 'tried' to block the IP but failed because 63.143.42.247 is in the range of 63.143.42.0/24. Therefore the UptimeRobot was allowed through to the website.

Am I correct?

Re: Whitelisted IP being blocked

Posted: 09 Apr 2019, 04:14
by datalude
That would be my reading of it. The IP was suggested as a candidate for blocking by the mod_security module, but then csf refused to block it as it was in the allow list.
In your conf file you'll see a line
MODSEC_LOG = "/var/log/apache2/error.log"
So that's where lfd is looking for that information. If you want to disable the modsec detection you can do it with
LF_MODSEC = "0"
I think.
Another approach would be to whitelist those IPs in mod_security too, either in .htaccess or in mod_security.conf, and then neither of those log messages would occur.
https://smallbusiness.chron.com/whiteli ... 51252.html

Re: Whitelisted IP being blocked

Posted: 09 Apr 2019, 04:28
by datalude
Another thought occurs to me. There are actually two different whitelist files used:
csf.allow is used by csf to build the iptables rules.
csf.ignore is used by lfd.
So maybe you actually need to add the IP addresses to csf.ignore instead.

Re: Whitelisted IP being blocked

Posted: 12 Apr 2019, 18:36
by AdminWonder
csf.ignore is a different area, different sequence of chains. You would still need the IP in csf.allow.