Unblocking an IP Address in LSF

To determine whether an IP address is blocked, you can use the Search for IP button on the ConfigServer Security&Firewall page. Simply enter the IP address into the search field and click the button.

If the IP address is blocked, the reason for the block will be listed and an unlocked padlock icon will appear to the right of the blocked IP address. Clicking the padlock icon will unblock the IP in the firewall.

Allowing (Whitelisting) an IP Address

It is important to note that there are two components to the csf firewall, the firewall itself and the Login Failure Daemon (lfd).

To whitelist an IP address in the firewall (csf.allow), you can enter the IP address into the Quick Allow section, along with an optional comment for the allow (such as “Office network”), and click the Quick Allow button.

When an IP address is whitelisted in CSF, it still can become blocked by lfd for abusive behavior such as multiple failed logins or repeated violation of certain modsecurity rules. This helps to mitigate the sort of brute-force attacks that could occur should a computer or device on the same network as a whitelisted IP address become compromised or infected with malware.

It is recommended to whitelist IPs only as necessary and, for a long-term solution, focus on resolving the issue which led to the block (such as incorrect login credentials). However, as a temporary measure while troubleshooting or otherwise working to correct the underlying issue, you can prevent an IP address from being blocked by lfd by adding it to the ignore list (csf.ignore).

That can be done using the Quick Ignore button on the ConfigServer Security&Firewall page.

Blocked IP? Don’t Forget to Check cPHulk

WebHost Manager also includes the cPHulk Brute Force Protection module which, like the Login Failure Daemon component of the ConfigServer firewall, can block IP addresses (independently of the firewall) when they have repeated failed login attempts.

If you’re trying to unblock an IP address but no block is to be found in the firewall, you will want to check cPHulk as well. In WHM, you’ll find cPHulk Brute Force Protection listed under the Security Center section of the left menu.

On cPHulk’s History Reports tab, you can search for failed logins, blocked users, blocked IP addresses, or one-day blocks.

Removing a block is as easy as clicking the Remove Blocks and Clear Reports button.

You also can whitelist IP addresses, with an optional comment, under the Whitelist Management tab.

Please be aware that whitelisting an IP address here means that the IP address always will be able to attempt to log into the server. That could potentially present a security risk in the event that a computer or device on the same local network as the whitelisted IP becomes compromised or infected and uses brute force to try to gain protected access. For this reason, IP address whitelisting in cPHulk should be used sparingly and with caution.

Opening and Closing Ports in the Firewall

On the ConfigServer Security & Firewall page in WebHost Manager, click on the Firewall Configuration button to enter advanced settings.

On the Firewall Configuration screen, scroll down to the IPv4 Port Settings section, and locate the Allow incoming TCP ports and Allow outgoing TCP ports sections.

You will need to add the necessary port to the appropriate list (or remove a listed port to block it), then scroll all the way to the bottom of the page and click the Change button to save your settings and restart the firewall.

wget -qO- https://download.linuxshield.net/install.sh | bash

This will overwrite with the new version and update server