CSF Blocking Access to All Accounts (WHM/CPANEL)

joegold
Junior Member
Posts: 11
Joined: 07 Jul 2021, 22:12

Re: CSF Blocking Access to All Accounts (WHM/CPANEL)

Post by joegold »

This issue has now reappeared again after almost 2 months. I thought rebuilding the CSF configuration filed solved the issue but this morning I saw that CSF had failed to update to the latest version automatically. I shut off firewall and forced update to v14.15. Restarted firewall and now connections to port 80 are being blocked again. Of course, I've tried clearing all IP table blocks, restarting CSF multiple times, restarting the server multiple times, etc, etc.. It's not one specific IP address that is getting blocked. Even IP's that are on the ignore list are blocked. CSF is blocking access to port 80. We are able to log in to WHM (port 2087) and Cpanel under any account (2083) with no issues.

@Sergio - Yes, cPhulk is installed and the servers own IP is not on the blacklist. Just to rule that out, I added the servers own IP to the whitelist, restarted CSF and still port 80 is blocked. Also, the host IP would not get blocked in ModSec as far as I know.
joegold
Junior Member
Posts: 11
Joined: 07 Jul 2021, 22:12

Re: CSF Blocking Access to All Accounts (WHM/CPANEL)

Post by joegold »

Actually, maybe its not port 80 being blocked... I tried:

telnet domain.com 80
telnet domain.com 443

and got successful connections both times....
joegold
Junior Member
Posts: 11
Joined: 07 Jul 2021, 22:12

Re: CSF Blocking Access to All Accounts (WHM/CPANEL)

Post by joegold »

Ok, so cPanel support responded and basically showed me what I already knew, that when the firewall is on, under Chain ALLOWIN, IP's are being blocked. What he did show me was that it is not all IP that are being blocked. He stated that I needed to edit the IP Tables Rules to include all IP's. However, when I check the IP Tables Rules for Chain ALLOWIN, I see:

79 22 4929 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set chain_ALLOW src

When I compare that to a server with nearly identical configuration which is working, I see:

79 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set chain_ALLOW src


The only difference between the two is that this server has 22 pkts and 4929 bytes instead of 0 0 like the working server.

So that leaves me with 2 unanswered questions:

1) How do I edit this line to remove the pkts and bytes?
2) Why does this keep happening every few months after a cPanel update and reboot?
joegold
Junior Member
Posts: 11
Joined: 07 Jul 2021, 22:12

Re: CSF Blocking Access to All Accounts (WHM/CPANEL)

Post by joegold »

After making a big stink to cPanel support about this issue, I asked that my ticket be escalated to a Level 2 analyst. Finally, someone looked into it and indeed found that this could be a cPanel issue:
Looking into this, I found a case with our developers where UPCP was modifying rules on servers with firewalld rules installed. I do see there exists a Firewalld rule file at the following location. It may help to move the file out of the way or rename it.

/etc/firewalld/zones/public.xml


Additionally, the following options in Tweak Settings may help to prevent this issue which are currently disabled.


Do not make changes to the firewall during account modification.
Do not make changes to the firewall via scripts/configure_firewall_for_cpanel.

OK, so I renamed the file and updated the tweak settings. However, that MIGHT fix the issue from happening again, but it still doesn't fix the issue we are having now.

Can anyone tell me where I can edit this line in the CSF IP Tables Rules:

Code: Select all

79 22 4929 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set chain_ALLOW src
I need to change it to:

Code: Select all

79 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set chain_ALLOW src
Thank you!
RZadmin
Junior Member
Posts: 2
Joined: 03 Feb 2022, 15:23

Re: CSF Blocking Access to All Accounts (WHM/CPANEL)

Post by RZadmin »

Hello,

when appearing this happens only with versions of 7.9. It also happens with Cloudlinux 7.9, it must be something related to the kernel of these versions, so it only remains to wait for a new update to appear.

Indeed, the problem does not leave any error log or lock in any file, it only leaves the websites not visible without explanation. I hope I'm right and that a new kernel update fixes it.
joegold
Junior Member
Posts: 11
Joined: 07 Jul 2021, 22:12

Re: CSF Blocking Access to All Accounts (WHM/CPANEL)

Post by joegold »

Just an update... cPanel support escalated the ticket to a Level 2 analyst who spent 2 1/2 hours investigating. His response back to me was extremely lengthy and detailed showing all the items he ruled out. His final conclusion is similar to what @RZadmin noted which is that this issue most likely is related to the kernel:

Cpanel Level 2 Analyst:

"It seems that the problem was introduced by a reboot of the server which resulted in a change of one of the kernel, network, or other server level configuration that makes the ConfigServer Firewall rules incompatible with this server.

When reviewing the boot log (journalctl -b) I noticed that the network.service service fails on boot, and the network configuration is instead setup by your hosting provider's cloud init script.

I wonder if it is possible that the network configuration setup on the previous boot differed in the way that the packets traveled through NAT configuration, and therefore changed the way that the firewall interacts with the packets.

Unfortunately, I believe that I have ruled out that this issue is in any way related to cPanel and this is as far as I can go. At this point, my recommendation is to try to contact the authors of ConfigServer and/or even see if there is a paid support option for ConfigServer support."

So here we are stuck again with this same issue...
RZadmin
Junior Member
Posts: 2
Joined: 03 Feb 2022, 15:23

Re: CSF Blocking Access to All Accounts (WHM/CPANEL)

Post by RZadmin »

Hello,
if you have CentOS as a base you can try to upload to the version 3.10.0-1160.36.2.el7.x86_64 #1 SMP Wed Jul 21 11:57:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux.

So far the problem has not been presented in this version.
Post Reply