2015-10-01

cPanel blocked IP issues are one of the common support requests resolved by Bobcares cPanel server administrators. While the CSF/LFD firewall provides great out-of-the-box security for cPanel servers, an unoptimized configuration can lead to frequent IP block issues. Let’s take a look at how Bobcares cPanel server administrators resolve and prevent such issues.

Symptoms and reasons

The most common symptom is the website owner reporting a “Connection timed out” error for Mail, Web, FTP or Control Panel services, while the support team is able to access those services. This usually happens in the following situations:

The web owner’s mail client has a very low “mail check interval”, which produces behavior that resembles a denial-of-service attack, especially if many users are accessing mail through a common corporate connection.

The web owner failed to authenticate to a mail, web, FTP or cPanel service interface multiple times, leading the firewall to think it is a brute-force attempt.

The web owner has an FTP client set with a very high number of simultaneous connections, causing the firewall to think the connection attempts are a denial-of-service attack.

A website update was interpreted as a hack attempt by the web application firewall (mod_security).

One or two IP block issues per month is normal for a shared server. However, if it is more than that, we consider the firewall settings too tight, blocking legitimate customer access.

Quick issue resolution

We obtain the website owner’s IP using a tool like whatismyip.com, or by checking recent mail, ftp or control panel access logs.

Then, we check if the IP is blocked in the server by using any of the following methods:

If the IP is found to be blocked, we unblock it using the methods below:

Investigation and issue prevention

Once we restore access for the web owner, the next priority is to determine why the IP was blocked and take corrective action.

We find the reason for the IP block from the LFD log file. An example is below:

The string “Failed cPanel login” means that the IP was blocked because of too many failed cPanel logins from 172.17.4.43. A few of the other errors are:

(ftpd) Failed FTP login

Too many failed FTP login attempts, usually using old login details.

pop3d – 81 logins in 2382 secs

OR

(pop3d) Failed POP3 login

Too many failed POP3 server login attempts, usually using old login details.

(imapd) Failed IMAP login

Too many failed IMAP server login attempts, usually using old login details.

(smtpauth) Failed SMTP AUTH login

Too many failed outbound mail login attempts, usually using old login details.

(mod_security) mod_security (id:330036) triggered by

Site access by the customer was interpreted as a hack attempt by the mod_security firewall, usually because of an error in the rule.

(CT) IP 172.17.4.43

The mail client connects to the server very often, or the FTP client has a very high simultaneous connections setting.

*Port Scan* detected from

The web owner’s PC might be infected with a virus which is trying to scan for open ports on the server.
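The reason strings listed above can be matched mechanically when triaging a block. The following Python is an added example, not Bobcares' own tooling: it classifies LFD log lines by those strings, extracts the client IP and any mod_security rule id, and tallies which reason is most reported. The sample log lines, their timestamp layout and the short labels are constructed for illustration.

```python
import re
from collections import Counter

# (pattern, label, cause) built from the reason strings and causes listed above.
RULES = [(re.compile(p), label, cause) for p, label, cause in [
    (r"Failed cPanel login", "cpanel", "too many failed cPanel logins"),
    (r"\(ftpd\) Failed FTP login", "ftp", "failed FTP logins, usually old login details"),
    (r"\(pop3d\) Failed POP3 login|pop3d\W+\d+ logins in \d+ secs", "pop3",
     "failed POP3 logins, usually old login details"),
    (r"\(imapd\) Failed IMAP login", "imap", "failed IMAP logins, usually old login details"),
    (r"\(smtpauth\) Failed SMTP AUTH login", "smtpauth",
     "failed outbound mail logins, usually old login details"),
    (r"mod_security \(id:(\d+)\) triggered by", "mod_security",
     "site access matched a mod_security rule"),
    (r"\(CT\) IP", "conntrack", "mail or FTP client opens too many connections"),
    (r"\*Port Scan\* detected from", "portscan", "possible infected PC scanning ports"),
]]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines; the timestamp/"lfd[pid]:" layout and counts are assumptions.
SAMPLE_LOG = """\
Oct  1 09:14:02 host lfd[2101]: (cpanel) Failed cPanel login from 172.17.4.43: 5 in the last 300 secs
Oct  1 09:20:11 host lfd[2101]: (ftpd) Failed FTP login from 192.0.2.10: 10 in the last 300 secs
Oct  1 09:31:45 host lfd[2101]: (mod_security) mod_security (id:330036) triggered by 192.0.2.10
Oct  1 09:40:00 host lfd[2101]: (CT) IP 172.17.4.43 found to have 310 connections
Oct  1 09:52:19 host lfd[2101]: *Port Scan* detected from 198.51.100.7. 11 hits in the last 60 seconds
Oct  1 10:03:27 host lfd[2101]: (imapd) Failed IMAP login from 192.0.2.10: 10 in the last 300 secs
Oct  1 10:05:00 host lfd[2101]: daemon started
"""

def classify(line):
    """Return (ip, label, cause, rule_id) for a recognised block reason, else None."""
    for rx, label, cause in RULES:
        m = rx.search(line)
        if m:
            ip = IPV4.search(line)
            rule_id = m.group(1) if m.groups() else None  # only mod_security captures an id
            return (ip.group(0) if ip else None, label, cause, rule_id)
    return None

def tally(log_text, ip=None):
    """Count block reasons across the log, optionally for a single client IP."""
    hits = [c for c in map(classify, log_text.splitlines()) if c]
    return Counter(label for addr, label, _, _ in hits if ip in (None, addr))

if __name__ == "__main__":
    print(tally(SAMPLE_LOG).most_common())
```

Calling `tally` with a customer's IP shows every reason recorded for that address, which separates a one-off stale password from a client that also trips a mod_security rule.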

If blocked IP issues are rare, our cPanel administrators educate the customers about their mail client settings, FTP client settings, login details or PC security as noted above. In some cases the resolution requires adjusting server settings, such as modifying mod_security rules. Some situations warrant whitelisting of IPs, for example, when a corporate IP shows a high number of POP/IMAP connections because of simultaneous mail access from their office.

If IP block issues are common (more than one or two a week), we take it as an indication that the LFD settings need optimizing. Depending on which kind of errors are most reported, settings like service login failure settings, mod_security auto-block settings, port scan settings, .htaccess login failure settings, suhosin security settings, etc. are updated to prevent blocking of legitimate server access. Here’s a list of safe configuration settings for LFD.

Firewall misconfiguration is one of the top reasons for customer complaints in a cPanel shared hosting server. The above is a rough outline of how we avoid web and mail downtime for our customers. If you would like more information on how this can be done in your specific environment, we would be happy to talk to you.

Knowledge of the common causes of an issue saves time in restoring a customer’s web and mail service. Bobcares helps webmasters quickly resolve email service errors, thereby minimizing business downtime.


The post cPanel block IP issues – How to resolve and prevent recurring IP blocks by CSF/LFD in cPanel/WHM servers appeared first on Bobcares.
