CSF Blocking email from IP addresses not listed in allow

Posted: 08 Feb 2023, 17:31
by epss
On one of my servers, on or about Feb 1, 2023, CSF started blocking email connections from any IP address that was not listed in /etc/csf/csf.allow. The Resolving IP addresses in WHM are listed in both csf.allow and csf.ignore. I restored the protection_medium profile to make sure it was not a setting that I had somehow messed up. This did not resolve the issue. Both servers are running csf 14.17. The server that works is running WHM 106.0.14 and the one that is not is running WHM 108.0.11.

Here are the log lines for when the IP address was blocked.

Feb 8 10:34:39 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=6216 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:34:40 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=6216 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:34:42 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=6216 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:35:09 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=8441 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:35:10 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=8441 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:35:11 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=8441 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:35:44 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=8442 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:35:45 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=8442 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:35:46 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=8442 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:36:14 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=4702 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:36:15 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=4702 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0

Re: CSF Blocking email from IP addresses not listed in allow

Posted: 08 Feb 2023, 18:04
by epss
After reviewing the WHM update history, the issue started occurring prior to the update to 108.0.11.

Re: CSF Blocking email from IP addresses not listed in allow

Posted: 09 Feb 2023, 21:15
by epss
After further investigation, the issue is related to WHM 108 and how it implements Host Access Control. In WHM 108 a "sshd ALL deny" blocks both sshd and imap. Prior to 108, a "sshd ALL deny" only blocked sshd. To resolve the issue I placed an "imap ALL allow" before the "sshd ALL deny" rule.
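As an added example (not code from the thread or from CSF), the Python below parses kernel log lines in the format posted in the first message and flags drops on ports that the csf.conf TCP_IN list declares open, which is the symptom described there: a drop on an open port cannot come from CSF's port policy, so it points at another layer (csf.deny, a temporary block, or Host Access Control as found above). The TCP_IN value, the third log line and the address 203.0.113.9 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the kernel log format CSF writes for dropped packets; the first
# two lines reuse the thread's addresses, the third is a constructed probe of a closed
# port (3306) that should not be flagged.
SAMPLE_LOG = """\
Feb 8 10:34:39 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=6216 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:35:09 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=174.246.195.61 DST=67.227.211.41 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=8441 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 8 10:40:00 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=52:54:00:dd:1a:94:d8:67:d9:70:be:41:08:00 SRC=203.0.113.9 DST=67.227.211.41 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Assumed TCP_IN from /etc/csf/csf.conf (a typical cPanel set, not taken from the thread).
TCP_IN = "21,22,25,53,80,110,143,443,465,587,993,995,2077:2083"

LINE_RE = re.compile(
    r"Firewall: \*(?P<chain>[A-Z_]+) Blocked\* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_tcp_in(value):
    """Expand a csf.conf TCP_IN string ("lo:hi" ranges allowed) into a set of ports."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif item:
            ports.add(int(item))
    return ports

def parse_block(line):
    """Return chain/src/dst/proto/dpt for a CSF 'Blocked' log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    return ev

def unexpected_blocks(log_text, open_ports):
    """Count (src, dpt) drops on TCP_IN whose port is in TCP_IN: the open-port policy
    cannot explain them, so look at csf.deny, temp blocks or Host Access Control."""
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_block(line)
        if ev and ev["chain"] == "TCP_IN" and ev["proto"] == "TCP" and ev["dpt"] in open_ports:
            hits[(ev["src"], ev["dpt"])] += 1
    return hits
```

Run `unexpected_blocks(SAMPLE_LOG, parse_tcp_in(TCP_IN))` against a real /var/log/messages extract to get the offending (source, port) pairs; the sample yields two drops of 174.246.195.61 on port 993 and nothing for the closed-port probe.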

Re: CSF Blocking email from IP addresses not listed in allow

Posted: 10 Feb 2023, 20:49
by epss
When CSF is disabled the "imap ALL allow" rule is not needed to check email via IMAP. When CSF is enabled it is needed.