Bobcares

cPanel IP block – How to resolve and prevent IP blocks in cPanel/WHM servers

Feb 17, 2017

Web hosts can never neglect server security! The majority of them have set up firewalls such as CSF/LFD to protect their cPanel servers by blocking the IP addresses of attackers or malicious users.

But we’ve seen many cases where these firewall settings are misconfigured and block even valid users who try to access their websites. Users then approach web hosts, complaining about site unavailability.

cPanel IP block issues are common in shared hosting servers and cPanel VPSs. At Bobcares, our engineers resolve numerous IP block issues in their role as cPanel support specialists for web hosting companies.

Today, let’s take a look at how these IP block issues happen and how we prevent valid IPs from getting blocked.

 

Pros and cons of cPanel IP blocks

IP blocks help to ban undesired connections to the server from an IP, a location or a network. By limiting the number of connections and restricting IP addresses, they add a layer of protection to servers.

The default settings of the cPanel CSF/LFD firewall allow only a limited number of connection attempts to the services. This suits only average website users who have a few email accounts and update their sites infrequently.

While automated IP block software such as firewalls provides predictable and consistent server protection, it lacks judgement, adaptability and logic. If the firewall rules are set too tight, valid users may also be affected and can find it difficult to access their sites.

For instance,

  • Users who unknowingly violate mod_security rules, or who occasionally exceed the limit of allowed connection requests during site updates, may be blocked by the firewall.
  • Many of these IP blocks in shared servers are also caused by incorrect logins, users saving old passwords in their applications, or over-zealous web application firewall settings.


Customers tend to leave over IP blocks, prompting many web hosts to even disable the firewalls. But we strictly advise against disabling firewalls, as that would render the servers vulnerable to attacks.

With our expert intervention, we’ve been able to provide seamless access to users, without disabling the firewall protection for servers. In our hosting support services, we audit all firewall logs once a week to make sure valid requests are not blocked.

Whenever we observe a change in the server traffic pattern, we update the firewall rules to avoid blocking valid customers. Here’s an overview of how unwanted cPanel IP block issues are investigated, resolved and prevented in our support services.


IP block issues – causes and symptoms

When a valid user IP is blocked, that website owner gets a “Connection timed out” error for Mail, Web, FTP or Control Panel services, while others may be able to access those services fine.

This usually happens in the following situations:

  1. The web owner’s mail client has a very low “mail check interval”, causing multiple connection attempts to the mail server, especially if many users are accessing mail through a common connection.
  2. The web owner uses an old or wrong password multiple times in the mail, web, FTP or cPanel interface, leading the firewall to treat it as a brute force attack.
  3. The web owner has an FTP client set to a very high number of simultaneous connections, causing the firewall to treat the connection attempts as a denial of service attack.
  4. A website or application update, or a page access request, gets interpreted as a hack attempt by a web application firewall such as mod_security.

While one or two IP block issues per month is normal for a shared server, if too many customers report the issue, then we conclude that the firewall settings are too tight for seamless customer access.

 

Quick fix for cPanel IP block issues 

The immediate fix to restore normal site access to a valid user is to unblock their IP address. We obtain the website owner’s IP using a tool like whatismyip.com, or by checking web, mail, FTP or control panel logs.

Then, we follow a step-by-step procedure to look up the IP block in the following firewalls:

1. Check CSF for the IP block and unblock if present.
2. Check for the IP under "WHM >> ConfigServer Security&Firewall >> Firewall Deny IPs" and delete if found.
3. Check if the IP is blacklisted in "cPHulk Brute Force Protection" and delete it from the list.

But this is only a temporary fix, and if not investigated properly, it can lead to recurrent IP blocks. Customers who encounter frequent access problems can leave, causing you to lose your business.


How we prevent valid IPs from getting blocked

So, once we restore the customer’s access to the server, our immediate priority is to determine why the IP was blocked. This helps us to prevent recurrent IP block issues in the server, which happen mainly for 2 reasons:

  • Category 1 – The customer’s web or other application has settings that conflict with the server firewall.
  • Category 2 – The server firewall is too strict, with tight security rules that hinder proper server functioning.

To find the reason for the IP block, we check the LFD log file. For instance, the following entry shows that the IP was blocked due to incorrect login details used to access cPanel:

# grep "172.17.4.43" /var/log/lfd.log
 Jan 8 13:55:31 foobar-sev lfd[24695]: (cpanel) Failed cPanel login from 172.17.4.43 (NL/Netherlands/-): 5 in the last 300 secs - *Blocked in csf* [LF_CPANEL]

Other reasons for an IP block include login failures or too many connections for services such as FTP, POP/IMAP and SMTP, as well as virus scanning, mod_security rules, etc.


If the IP block is due to category 1 issues, our cPanel administrators help the end customers fix their mail client settings, FTP client settings, login details or PC security, based on the issue noted.

To resolve IP blocks due to category 2 issues, we adjust the server settings, for example by modifying the mod_security rules. In exceptional situations, we also give exemptions to certain accounts and whitelist their IP addresses.

Our 24/7 expert technicians audit the firewall logs regularly, and if IP block issues are frequently noted for many users, we take it as an indication to optimize the firewall settings.

Based on the reason detected for the IP blocks (such as service login failures, mod_security auto-block, port scanning, etc.), we update the firewall configuration settings to avoid blocking legitimate user access.
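
The log audit described above can be scripted. The following Python is an added example, not Bobcares' own tooling: it assumes lfd.log block entries follow the two line shapes quoted on this page, and the sample log, the thresholds (many_ips, repeat) and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Block entries in the two shapes quoted on this page: "... from <ip> (...): N in
# the last S secs ... [LF_CPANEL]" and "... triggered by <ip>: N in the last ...".
BLOCK_RE = re.compile(
    r"lfd\[\d+\]: \([^)]+\) .*?\b(?:from|by) (?P<ip>[0-9A-Fa-f.:]*[0-9A-Fa-f])"
    r".*?: \d+ in the last \d+ secs"
    r".*\*Blocked in csf\*.*\[(?P<trigger>LF_[A-Z0-9_]+)\]"
)

# Constructed sample log (documentation IP ranges, made-up host name).
SAMPLE_LOG = """\
Mar 14 06:57:18 host1 lfd[1001]: (mod_security) mod_security (id:334168) triggered by 198.51.100.7: 10 in the last 3600 secs - *Blocked in csf* port=443 [LF_MODSEC]
Mar 14 07:10:02 host1 lfd[1002]: (mod_security) mod_security (id:334168) triggered by 198.51.100.8: 10 in the last 3600 secs - *Blocked in csf* port=80 [LF_MODSEC]
Mar 14 08:31:44 host1 lfd[1003]: (mod_security) mod_security (id:334168) triggered by 203.0.113.20: 10 in the last 3600 secs - *Blocked in csf* port=443 [LF_MODSEC]
Mar 14 09:00:10 host1 lfd[1004]: (cpanel) Failed cPanel login from 203.0.113.5 (NL/Netherlands/-): 5 in the last 300 secs - *Blocked in csf* [LF_CPANEL]
Mar 14 12:15:31 host1 lfd[1005]: (cpanel) Failed cPanel login from 203.0.113.5 (NL/Netherlands/-): 5 in the last 300 secs - *Blocked in csf* [LF_CPANEL]
Mar 14 12:16:00 host1 lfd[1006]: constructed line that is not a block entry
"""

def parse_blocks(lines):
    """Yield (trigger, ip) for each block entry; skip every other line."""
    for m in filter(None, map(BLOCK_RE.search, lines)):
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # captured text was not a valid IP address
        yield m["trigger"], str(ip)

def audit(lines, many_ips=3, repeat=2):
    """Many distinct IPs per trigger: review the server rule (category 2).
    One IP blocked repeatedly: check that customer's client (category 1)."""
    per_trigger = defaultdict(Counter)
    for trigger, ip in parse_blocks(lines):
        per_trigger[trigger][ip] += 1
    return {
        trigger: {
            "blocks": sum(ips.values()),
            "distinct_ips": len(ips),
            "review_rule": len(ips) >= many_ips,  # assumed threshold
            "repeat_ips": sorted(ip for ip, n in ips.items() if n >= repeat),
        }
        for trigger, ips in per_trigger.items()
    }

if __name__ == "__main__":
    for trigger, row in audit(SAMPLE_LOG.splitlines()).items():
        print(trigger, row)
```

On a server, feed the lines of /var/log/lfd.log to audit() in place of SAMPLE_LOG and tune the two thresholds to the number of accounts hosted.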

Firewall misconfiguration is one of the top reasons for customer complaints in cPanel servers. If you would like to know how to avoid downtime for your customers due to cPanel IP blocks, we would be happy to talk to you.

 


10 Comments

  1. Prabhat Kumar

    Hello Bobcares team,

    I am facing one issue with the csf firewall. I am getting some alerts, see below. I did some changes but they are not working. Can you suggest where I am making a mistake?

    Time: Mon Dec 7 10:42:22 2015 +0530
    Account: thegudlook
    Resource: Virtual Memory Size
    Exceeded: 283 > 200 (MB)
    Executable: /usr/bin/php
    Command Line: /usr/bin/php /home/thegudlook/public_html/webservice/dispatcher.php
    PID: 7753 (Parent PID:4573)
    Killed: No

    I have used the parameters below. None of them are working. I don’t want to increase the virtual memory size.

    vim /etc/csf/csf.pignore

    cmd:/home/thegudlook/public_html/webservice/dispatcher.php

    cmd:/usr/bin/php /home/thegudlook/public_html/webservice/dispatcher.php

    exe:/home/thegudlook/public_html/webservice/dispatcher.php

    csf -r

    Reply
    • Visakh S

      Hi Prabhat,

      Looks like you set PT_USERMEM in csf.conf. I’d recommend you disable this feature by setting PT_USERMEM to “0”.

      If you want to ignore just this user’s errors, you can use the csf.pignore file.

      The config “pcmd:.*/home/thegudlook/public_html/webservice/dispatcher.php” should work. Try removing the other entries you mentioned.

      If you still get the alerts, please let us know your server login details, and we’ll take a look.

      Good luck! 🙂

      Reply
  2. Prabhat Kumar

    Hi, Vikash,

    First wish you a very happy new year, 🙂

    I have installed csf in zimbra mail server. I have enabled web ui to access firewall through standalone. I have done below changes as below
    UI_PORT = “6661
    UI_USER = “admin”
    UI_PASS = “krishna@6987”

    kindly help. How to run this with zimbra server.

    Reply
  3. prabhat kumar

    Hi, Vikas

    I have installed csf firewall in zimbra mailserver. I am not able to access on web. Kindly help. I have done some changes but not working.

    UI = “1”
    UI_USER = “admin”
    UI_PASS = “krishna@”

    Reply
  4. Mario Garcia

    Dear
    Some achievement integrate UI with zimbra have configured the ports but my server fails to listen on port ell indicating.

    Reply
  5. myilraj

    Hello Visakh,

    I am getting frequent error lfd on server.mydomain.com: 113.174.29.218 (VN/Vietnam/localhost) blocked for port scanning

    How to resolve this issues? This is a VPS server. Daily I am getting mail several times. This causes issues in server response time, I thought so. If I am correct then I need to take action immediately.

    Kindly do provide some assistance to solve this issue.

    Reply
  6. BillW

    Hi Bobcares team, this is exactly the issue I’m faced with today – being locked out repeatedly from all 3 of my domains today. As an end user I’m not sure you’ll be able to help me but hopefully you can… (this is a shared hosting account on linux litespeed v6.10 with cpanel)

    Today I was blocked 2 times from all web pages (3 domains), the 2nd time also couldn’t log into cpanel. I didn’t actually attempt to log on to my site until AFTER the problem occurred. Also, no passwords have been changed recently. I do have an owncloud client running along with outlook email client. Seeing the owncloud client disconnected was the indication there was a problem.

    To fix the issue my host simply whitelisted my ip, but without a real clue as to what actually caused this to begin with.

    Do you have any advice as to how I can determine what actually caused this issue? For example; is there a log somewhere which would show exactly what the log-in attempts were? (I don’t like the idea there is a problem that is just covered up by whitelisting my ip)

    My Host showed me this log:
    Mar 14 06:57:18 webhosting2006 lfd[546976]: (mod_security) mod_security (id:334168) triggered by {my ip}: 10 in the last 3600 secs – *Blocked in csf* port=443 [LF_MODSEC]
    Mar 14 11:37:13 webhosting2006 lfd[196305]: (mod_security) mod_security (id:334168) triggered by {my ip}: 10 in the last 3600 secs – *Blocked in csf* port=80 [LF_MODSEC]

    Thanks!

    Reply
    • Visakh S

      Hi Bill,

      It looks like a recent update was made on one of your sites, and an update from admin panel is causing the Web Application Firewall mod_security to block your IP.

      You’ll get more details of the error by looking at mod_security logs for “Mar 14 11:37:13” and rule ID “334168”. The exact URL and data that triggered the rule will be shown. Based on that you can either disable relevant plugins, or disable that particular rule alone for your website.

      In cases where a mod_sec rule prevents legitimate website features from working, we disable that particular rule for just one website using vhost configuration settings. If it is only admin panel changes that cause the error, whitelisting the IP is better.

      This is the most probable case. There might be another explanation based on more investigation.

      Hope it helps.

      Reply
  7. Candyce

    I have a client who has his IP renew every month and every month I need to allow him for the remainder of the month. I did try adding a range for the IP that includes the first two digits of the provider so like x.x.0.0/24 but this isn’t doing the trick. I only have the one client who has this issue but would love to implement a long term solution for him and not sure what I may have overlooked or if the fact that his IP changes monthly is unavoidable. I did request that he ask his internet provider to assign him a longer lease on his IP but they were not willing. Any suggestions?

    Reply
    • Hiba Razak

      The IP changes frequently when it belongs to the network it is connected to, not to its own system. To stop this issue, they have to set a static IP on their system.

      Reply
