CSF suddenly blocking previously allowed outbound traffic

rolinger
Junior Member
Posts: 13
Joined: 14 Feb 2017, 04:15

CSF suddenly blocking previously allowed outbound traffic

Post by rolinger »

I can't explain why this is happening, but in recent weeks CSF has begun blocking outbound traffic to specific update servers for cPanel services. At first I thought it was all related to a forced server host name change by GoDaddy, but on further review it seems to be something else. The timing of it all just made it all suspect though.

My general IPv4 configs:
TCP_IN: 20,21,25,53,80,110,143,443,465,587,993,995,2224,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443
TCP_OUT: 20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703

Over the last few weeks, outbound scripts for automated update services all began failing:
  1. AutoSSL: store.cpanel.net
  2. download.configserver.com
  3. update.cpanel.net

All of the associated IPs do not exist in any BLOCK/DENY list, but the traffic is def being blocked; a simple "wget store.cpanel.net" or "wget download.configserver.com:443" shows the connections just hanging upon initialization. If I disable CSF the scripts work.

After re-enabling CSF, I then added the IPs for those servers to csf.allow, and then all the scripts and test "wget"s started working again. But I never had to add these IPs before, so what possibly changed? What made the TCP_OUT be ignored or superseded by the csf.allow list? I always thought the csf.allow list was for inbound traffic only, but apparently it's a list that is bi-directional.

I would like to get this working back the way it was. I don't want to have to whitelist all automated scripts' destination IPs or keep up with a changing list over time. What can I look at or tweak to restore the way this was working previously?

Additionally - when all of the above happened, it also appears that CSF is blocking certain inbound connections for the mail server. It was blocking inbound connections for support emails from GoDaddy.com and Configserver.com (of all things). I also had reports from some users that they were now unable to get to some of my domain websites. These might all be unrelated issues, but the timing of all of them suddenly happening at the same time, especially when I hadn't made any CSF changes in like 6 months, is quite suspect.

OS: CentOS v7.9.2009 STANDARD kvm
cPanel Version: 106.0.8
CSF: v14.17
opusuno
Junior Member
Posts: 4
Joined: 03 Oct 2022, 19:01

Re: CSF suddenly blocking previously allowed outbound traffic

Post by opusuno »

@rolinger Did you get this resolved? This same thing began happening to me today and is annoying. If you got it fixed please post what you did exactly.
rolinger
Junior Member
Posts: 13
Joined: 14 Feb 2017, 04:15

Re: CSF suddenly blocking previously allowed outbound traffic

Post by rolinger »

@opusuno - I have not resolved it. What I ended up having to do was whitelist about a dozen IPs for cPanel automation/update/download scripts to get things to work again.

But my issue goes beyond just this outbound traffic. I have also found out that CSF is blocking pretty much ALL inbound email. Gmail, Outlook, clients sending me emails from various domains, even emails from this forum alerting me that someone responded to my POST. I had to log in to the forums to see that you had responded. It seems the only emails I am getting are ones generated by GoDaddy monitoring services or cPanel itself sending me alerts.

I can't find any of the IPs in block lists, deny lists - nothing in the logs. Turn off CSF and everything works again. This is quite frustrating and no one seems to have any real input. I do see though that CSF just randomly does this for various users at random times - like there is some deep-rooted bug that no one has discovered yet. Most others say a CSF restart fixes the issue even if temporarily - but not in my case, the issue is persistent.
opusuno
Junior Member
Posts: 4
Joined: 03 Oct 2022, 19:01

Re: CSF suddenly blocking previously allowed outbound traffic

Post by opusuno »

I was blocking country codes to India ... CSF must be re-routing to those scum? Dunno? I removed that and it fixed things for me.

Your trouble seems far more widespread. I would remove it 100% and re-install it from scratch. If you have ModSecurity going you will be fine against a short downtime of the firewall. Should take you about 5 minutes.
rolinger
Junior Member
Posts: 13
Joined: 14 Feb 2017, 04:15

Re: CSF suddenly blocking previously allowed outbound traffic

Post by rolinger »

@opusuno - I am blocking India too...always have been. I will be doing just that, a fresh install of CSF and start over - praying that helps.
opusuno
Junior Member
Posts: 4
Joined: 03 Oct 2022, 19:01

Re: CSF suddenly blocking previously allowed outbound traffic

Post by opusuno »

Why not just remove the CC_deny's and see if that fixes it? Then add them back in one at a time to see which one is causing the bottleneck....
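
One way to narrow down the CC_DENY suspicion raised above without toggling the firewall, as an added example that is not part of any post in this thread: check whether a failing destination's port is in TCP_OUT and whether its address falls inside a denied country zone. TCP_OUT is the value from the first post; the CC_DENY value, the placeholder country codes XA/XB/XC, the zone ranges (documentation address space) and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed csf.conf excerpt: TCP_OUT copied from the first post,
# CC_DENY made up for this example.
CSF_CONF = '''
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"
CC_DENY = "XA,XB"
'''

# Constructed country zones: placeholder codes, documentation ranges.
ZONES = {
    "XA": ["192.0.2.0/24"],
    "XB": ["198.51.100.0/25"],
    "XC": ["203.0.113.0/24"],
}

def conf_value(conf, key):
    """Return the quoted value of KEY = "..." from csf.conf text."""
    m = re.search(rf'^{re.escape(key)}\s*=\s*"([^"]*)"', conf, re.M)
    return m.group(1) if m else ""

def port_allowed(port_list, port):
    """Port lists hold single ports or lo:hi ranges, comma separated."""
    for item in filter(None, (p.strip() for p in port_list.split(","))):
        lo, _, hi = item.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def denied_country(ip, cc_deny, zones):
    """Return the first denied country code whose zone contains ip."""
    addr = ipaddress.ip_address(ip)
    for cc in filter(None, (c.strip() for c in cc_deny.split(","))):
        for cidr in zones.get(cc, []):
            if addr in ipaddress.ip_network(cidr):
                return cc
    return None

def diagnose(conf, zones, ip, port):
    if not port_allowed(conf_value(conf, "TCP_OUT"), port):
        return "port not in TCP_OUT"
    cc = denied_country(ip, conf_value(conf, "CC_DENY"), zones)
    if cc:
        return f"port allowed, but address is inside CC_DENY zone {cc}"
    return "port allowed and no CC_DENY zone match; look elsewhere"
```

A zone match only identifies which country code to remove first when testing; it does not by itself prove that rule is the one dropping the traffic.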
rolinger
Junior Member
Posts: 13
Joined: 14 Feb 2017, 04:15

Re: CSF suddenly blocking previously allowed outbound traffic

Post by rolinger »

Well... I removed and reinstalled CSF and everything started working again. No reason, no rhyme - no evidence (configs) or logs even suggesting it was blocking traffic. I don't know what to make of it, but at least for now all is working correctly again.