
Bobcares Blog

Tried and tested solutions for your servers, from our outsourced support diaries.

cPanel IP block – How to resolve and prevent IP blocks by CSF/LFD in cPanel/WHM servers


Firewalls such as CSF/LFD are usually configured in cPanel servers as a security measure. These firewalls protect the servers by blocking IP addresses of attackers or malicious users.

But we’ve seen cases where these firewall settings are misconfigured, and even valid users trying to access their websites get blocked. Users then approach server owners, complaining about site unavailability.

At Bobcares, our engineers have resolved numerous such IP block issues, as a part of managing hundreds of cPanel servers in their role as Outsourced Support Techs for web hosting companies.

cPanel IP block issues are common in shared hosting servers and cPanel VPSs. Today, let’s take a look at how these IP block issues happen and how we prevent valid IPs from getting blocked.


What is an IP block? When does it pose a problem?

IP blocks are often helpful in protecting your servers from attacks. They help to ban undesired connections to the server from an IP or location or a network, as a security measure.

The default settings of the CSF/LFD firewall on cPanel servers are tuned for average website users, who have only a few email accounts and update their sites infrequently.

While IP blocks help to ban malicious users from attacking the server, if the firewall rules are set too tight, valid users may also be affected and can find it difficult to access their sites. For instance,

  • Users who unknowingly violate mod_security rules, or who occasionally exceed the limit of allowed connection requests, may be blocked by the firewall.
  • Many of these IP blocks in shared servers are also caused by incorrect logins, users saving old passwords in their applications or over-zealous web application firewall settings.

As even a few failed logins can lead to the valid customer IP addresses being blocked, in our cPanel server management services, we audit all firewall logs once a week to make sure valid requests are not blocked.

Whenever we observe a change in the server traffic pattern, we update the firewall rules to avoid blocking valid customers. Here’s an overview of how unwanted cPanel IP block issues are investigated, resolved and prevented.


IP block issues – causes and symptoms

While automated IP-blocking software such as a firewall provides predictable and consistent performance, it lacks judgment, adaptability and logic. That’s why expert human intervention is needed to avoid valid IPs being blocked.

When a valid user IP is blocked, that website owner gets a “Connection timed out” error for Mail, Web, FTP or Control Panel services, while others may be able to access those services fine. This usually happens in the following situations:

  1. The web owner’s mail client has a very low “mail check interval”, causing multiple connection attempts to the mail server, especially if many users are accessing mail through a common connection.
  2. The web owner uses an old or wrong password in the mail, web, FTP or cPanel interface multiple times, leading the firewall to treat it as a brute force attack.
  3. The web owner has an FTP client set with a very high number of simultaneous connections, causing the firewall to treat the connection attempts as a denial of service attack.
  4. A website or application update or a page access request gets interpreted as a hack attempt by the web application firewall such as mod_security.

While one or two IP block issues per month is normal for a shared server, if too many customers report the issue, then we conclude that the firewall settings are too tight for seamless customer access.
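The log audit and the "too many customers" judgement described above can be scripted. The following is an added example, not Bobcares' own tooling: it parses constructed lines modelled on lfd.log, maps each block to one of the causes listed above, and reports which triggers blocked several known customer IPs. The log layout, the trigger-to-cause mapping and the customer IP list are assumptions to adjust for your server.

```python
import re
from collections import defaultdict

# Constructed sample modelled on lfd.log block entries; the line layout is an
# assumption and the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Dec  7 10:01:12 host lfd[2101]: (imapd) Failed IMAP login from 203.0.113.10 (US/United States/-): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]
Dec  7 10:05:40 host lfd[2101]: (ftpd) Failed FTP login from 203.0.113.10 (US/United States/-): 10 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
Dec  7 10:09:03 host lfd[2101]: (CT) IP 198.51.100.7 (DE/Germany/-) found to have 320 connections - *Blocked in csf* [CT_LIMIT]
Dec  7 10:15:55 host lfd[2101]: (mod_security) mod_security triggered by 192.0.2.44 (IN/India/-): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]
Dec  7 10:31:27 host lfd[2101]: (imapd) Failed IMAP login from 198.51.100.23 (GB/United Kingdom/-): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]
Dec  7 10:40:00 host lfd[2101]: Watching /var/log/maillog...
"""

# Trigger tag -> cause from the list above (this mapping is an assumption).
CAUSES = {
    "LF_IMAPD": "repeated failed mail logins",
    "LF_POP3D": "repeated failed mail logins",
    "LF_SMTPAUTH": "repeated failed mail logins",
    "LF_FTPD": "repeated failed FTP logins",
    "LF_CPANEL": "repeated failed cPanel logins",
    "CT_LIMIT": "too many simultaneous connections",
    "LF_MODSEC": "mod_security rule hits",
}

# First IPv4 address on a line that records a block, plus the bracketed trigger.
BLOCK_RE = re.compile(
    r"((?:\d{1,3}\.){3}\d{1,3}).*?\*Blocked in csf\*.*\[([A-Z0-9_]+)\]\s*$")

def parse_blocks(text):
    """Return (ip, trigger) for each log line that records a block."""
    return [m.groups() for m in map(BLOCK_RE.search, text.splitlines()) if m]

def causes_by_ip(blocks):
    """Map each blocked IP to the sorted set of causes behind its blocks."""
    out = defaultdict(set)
    for ip, trigger in blocks:
        out[ip].add(CAUSES.get(trigger, "other (" + trigger + ")"))
    return {ip: sorted(c) for ip, c in out.items()}

def settings_to_review(blocks, customers, threshold):
    """Triggers that blocked at least `threshold` distinct known-customer IPs."""
    hit = defaultdict(set)
    for ip, trigger in blocks:
        if ip in customers:
            hit[trigger].add(ip)
    return sorted(t for t, ips in hit.items() if len(ips) >= threshold)

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_LOG)
    known = {"203.0.113.10", "198.51.100.7", "198.51.100.23"}  # hypothetical
    print(causes_by_ip(blocks))
    print(settings_to_review(blocks, known, threshold=2))
```

A trigger returned by `settings_to_review` is the setting whose threshold is worth re-examining before more customers report timeouts; the pattern handles IPv4 addresses only.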


Coming Up: Quick fix for cPanel IP block issues 


6 Comments

  1. Hello Bobcares team,

    I am facing an issue with the csf firewall. I am getting some alerts; see below. I made some changes, but they are not working. Can you suggest where I am making a mistake?

    Time: Mon Dec 7 10:42:22 2015 +0530
    Account: thegudlook
    Resource: Virtual Memory Size
    Exceeded: 283 > 200 (MB)
    Executable: /usr/bin/php
    Command Line: /usr/bin/php /home/thegudlook/public_html/webservice/dispatcher.php
    PID: 7753 (Parent PID:4573)
    Killed: No

    I have used the parameters below. None of them are working. I don’t want to increase the virtual memory size.

    vim /etc/csf/csf.pignore

    cmd:/home/thegudlook/public_html/webservice/dispatcher.php

    cmd:/usr/bin/php /home/thegudlook/public_html/webservice/dispatcher.php

    exe:/home/thegudlook/public_html/webservice/dispatcher.php

    csf -r

    Reply
    • Hi Prabhat,

      Looks like you set PT_USERMEM in csf.conf. I’d recommend you disable this feature by setting PT_USERMEM to “0”.

      If you want to ignore just this user’s errors, you can use the csf.pignore file.

      The config “pcmd:.*/home/thegudlook/public_html/webservice/dispatcher.php” should work. Try removing the other entries you mentioned.

      If you still get the alerts, please let us know your server login details, and we’ll take a look.

      Good luck! 🙂

      Reply
  2. Hi, Vikash,

    First wish you a very happy new year, 🙂

    I have installed csf on a Zimbra mail server. I have enabled the web UI to access the firewall standalone. I have made the changes below:
    UI_PORT = “6661”
    UI_USER = “admin”
    UI_PASS = “krishna@6987”

    Kindly help. How do I run this with the Zimbra server?

    Reply
  3. Hi, Vikas

    I have installed the csf firewall on a Zimbra mail server. I am not able to access it on the web. Kindly help. I have made some changes, but it is not working.

    UI = “1”
    UI_USER = “admin”
    UI_PASS = “krishna@”

    Reply
  4. Dear
    Some achievement integrate UI with zimbra have configured the ports but my server fails to listen on port ell indicating.

    Reply
  5. Hello Visakh,

    I am getting frequent error lfd on server.mydomain.com: 113.174.29.218 (VN/Vietnam/localhost) blocked for port scanning

    How do I resolve this issue? This is a VPS server. I am getting this mail several times daily. I think this causes issues in server response time. If I am correct, then I need to take action immediately.

    Kindly do provide some assistance to solve this issue.

    Reply
