Troubleshooting blocked IP?

Strator

Hi - once in a while my IP gets blocked from my own server (or rather VPS). Email, sftp, http - the full program. Not a huge biggie in the situation, I simply switch to a VPN for the time being, and the next day (or next hour, dunno) everything is fine again.

But it's somewhat annoying. Any idea how to troubleshoot this? In the past, I've sometimes ended up on my lfd blocklist, but that's not the issue. Also, I can briefly turn off lfd to confirm that it's not the problem (and it isn't).

I have installed ModSecurity Rules from Comodo some time ago, but couldn't find my IP in the modsec_audit-log either.

In short: I'm a bit lost. Any ideas?
 
> I've sometimes ended up on my lfd blocklist
This is odd. LFD is part of CSF. Normally when in CSF the installation IP is set in the allowed list so you won't be blocked or did you not add your ip to the allow list? By the way, lfd is the detection and it's the csf blocklist (csf.deny), just for info.

> can briefly turn off lfd to confirm that it's not the problem (and it isn't).
Since you sometimes end up in your csf blocklist, and you say it's not csf causing the problem, then it's something which sends CSF the command to block you.
IMHO this can only mean one thing, a custom script like /usr/local/directadmin/scripts/custom/block_ip.sh or if you installed CSF with BFD of DA then it could be DA itself sending the block command to CSF.

Try DA logfiles /var/log/directadmin to see if you find something there.
Otherwise there must be something in either the BFD log (you can also search from within DA's BFD menu) or system log.
Normally if you appear in the CSF blocklist, it shows why or who put it there.
 
By "my IP" I mean the IP I use to access the net, not my server IP. Sorry for the confusion. ;)
 
Checked all the logs, but nothing to be found.

For full disclosure, the IP I'm having troubles with is a VPN IP. Thought it's irrelevant because I got blocked while accessing my own server, but maybe the block is on a higher level and the fact that I was accessing my own server was just coincidence.

Either way, the IP shows up on the all.s5h.net blacklist so maybe that's the reason.
 
> By "my IP" I mean the IP I use to access the net, not my server IP. Sorry for the confusion. ;)
Which confusion? I understood it was the IP you use which got blocked, not your server ip.;)
Why did you get the impression I was talking about your server's ip?

If you can't find anything in any logs, it might be indeed a block at a higher level. I sometimes also have issues accessing certain (even bigger) websites on a VPN ip. For my servers I just always use my own home ip.

However, I still wonder how it could appear in your CSF blocklist.
 
@confusion: You wrote that the installation IP is set in the allowed list, so I thought you meant the server IP. As for the user IP, unless it is static and you don't use any VPN or mobile services, you will always end up accessing the server via some different IP (at least, that's my reality).

No higher level block as it seems. The server center says there's no block on their end, so I guess I'm back to square one.
 
> You wrote that the installation IP is set in the allowed list,
Yes, it is a bit unclear I guess. With this I meant that the ip which is doing the CSF installation is put in the csf.allow automatically.

Indeed that has not a big profit when you have a dynamic ip. Unless you have a dynamic ip but a hostname which does not change.
In the Netherlands most providers also have dynamic ip's but with lots of them, mostly the ip does not change. Or you have to be unlucky when they do certain work on the network. In most cases it stays the same for years. Makes life easier for us.
 
For reference, in my desperation I started doing a grep -rwl "1.2.3.4" / on my entire server, but before that finished, the IP was unblocked again.

Oh well, there's always a next time (and if there isn't, I won't complain, either). Thanks for the help and comments.
 
Just in case anyone ever runs into the same issues - the IPs ended up on the temporary blocklist ("Temporary IP Entries") because CT_LIMIT was set too low - not sure how I was able to overlook that. Also not sure why temporarily disabling lfd didn't get me unblocked, but at least the basic riddle is solved.
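
Added example (not part of the original posts): since the cause turned out to be CT_LIMIT, this sketch reads CT_LIMIT from a csf.conf-style file and counts connections per client IP from `ss -Htan` output, listing the addresses that exceed it. The function names, the sample data and the "more than the limit" comparison are assumptions; lfd's own connection tracking also depends on other settings.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the CT_LIMIT value from a csf.conf-style file (0 = tracking disabled).
# csf.conf lines have the form:  CT_LIMIT = "300"
ct_limit() {
    sed -n 's/^CT_LIMIT[[:space:]]*=[[:space:]]*"\([0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Read `ss -Htan` output on stdin and print "count ip" for every peer
# address with more than $1 connections, busiest first.
over_limit() {
    awk -v limit="$1" '
        $1 == "LISTEN" || limit <= 0 { next }  # skip listeners; 0 disables the check
        {
            peer = $5                      # "Peer Address:Port" column
            sub(/:[0-9]+$/, "", peer)      # strip the port
            gsub(/^\[|\]$/, "", peer)      # unwrap IPv6 brackets
            sub(/^::ffff:/, "", peer)      # fold IPv4-mapped addresses
            n[peer]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# Constructed sample of `ss -Htan` output (documentation address ranges).
sample_ss() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
ESTAB 0 0 192.0.2.10:443 203.0.113.7:50112
ESTAB 0 0 192.0.2.10:443 203.0.113.7:50113
ESTAB 0 0 192.0.2.10:993 203.0.113.7:50200
TIME-WAIT 0 0 [::ffff:192.0.2.10]:80 [::ffff:203.0.113.7]:50301
ESTAB 0 0 192.0.2.10:22 198.51.100.9:41000
ESTAB 0 0 192.0.2.10:443 198.51.100.9:41001
EOF
}

# On a live server (assumes csf's default config path):
#   ss -Htan | over_limit "$(ct_limit /etc/csf/csf.conf)"
```

A mail client, an sftp session and a few browser tabs from one address add up quickly, which is how a low CT_LIMIT ends up blocking the server's own admin.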
 
> As for the user IP, unless it is static and you don't use any VPN or mobile services, you will always end up accessing the server via some different IP (at least, that's my reality).
Set up a dyndns service and put the domain name (obtained from the dyndns service) in /etc/csf/csf.dyndns
Your dynamic ip will then be allowed through the firewall.
 