Your Company IP Is Blocked from Accessing Your Joomla Site? Read This!

Around 10 AM EST yesterday morning, we got a call from a large company telling us that their Joomla website was down, as none of their staff members were able to access it. We checked and we were able to access the website. The first thing that came to our minds was that their company IP was blocked by the firewall. So, we logged in to WHM, and we flushed all the blocks (we clicked on ConfigServer Security & Firewall under Plugins on the left menu, and then we clicked on Flush all Blocks). Once we did that, we emailed them asking them to confirm that the problem was resolved, and they replied back with a “Yes”.

Around 10:30 AM EST, they called back and told us that the problem happened again. Clearly, we needed to get to the bottom of the problem (we can’t keep flushing their blocks every 30 minutes forever). From our experience, there are 3 things that can cause this problem:

  1. Logging in to the server with the wrong SFTP credentials: If you try to log in to SFTP with the wrong credentials several times from the same IP, then you will get blocked (usually after 5 unsuccessful logins).
  2. Logging in with the wrong set of credentials on an .htpasswd protected page: If you have an .htpasswd protected page, and you log in with the wrong set of credentials 5 times, then you will get blocked by the firewall.
  3. Repeatedly triggering a ModSecurity rule: ModSecurity, the web application firewall, is very picky about the incoming requests to the web server and blocks quite a few legitimate requests (false positives). It’s even more picky when additional, custom rules are added to its engine. For example, in the case of one client, a custom ModSecurity rule added by the host blocked OpenOffice users because they were sending some wrong headers to the server.

A quick investigation of the logs revealed that the issue was caused by none of the above, but by something else. The following line in the lfd.log file (lfd stands for login failure daemon), which is located under the /var/log folder, gave us a pointer to the actual cause of the issue:

Feb 12 08:51:33 [server] lfd[28239]: (smtpauth) Failed SMTP AUTH login from [ip-address] (US/United States/[...]): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]

The above line, in case you’re wondering, is telling us that the IP of the client ([ip-address]) was blocked because it had 5 failed SMTP authentications in one hour. Now, of course, the question is, which email address is causing this?
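When an IP keeps getting blocked again after a flush, it helps to pull every "Blocked in csf" entry out of lfd.log and group them by IP and trigger. The script below is an added example, not part of the original post: it parses lines in the format quoted above, the sample lines (host name, IPs, timestamps) are constructed, and the function names are our own.

```python
import re
from collections import Counter

# Matches lfd "Blocked in csf" lines in the format quoted in the article.
BLOCK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) lfd\[\d+\]: "
    r"\((?P<app>\w+)\) (?P<reason>.+?) from (?P<ip>\S+) \((?P<geo>[^)]*)\): "
    r"(?P<count>\d+) in the last (?P<secs>\d+) secs - \*Blocked in csf\* "
    r"\[(?P<rule>\w+)\]\s*$"
)

# Constructed sample lines (documentation IP ranges, made-up host "web1").
SAMPLE = [
    "Feb 12 08:51:33 web1 lfd[28239]: (smtpauth) Failed SMTP AUTH login from 203.0.113.10 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]",
    "Feb 12 10:05:12 web1 lfd[28239]: constructed line that is not a block entry",
    "Feb 12 10:21:47 web1 lfd[28239]: (smtpauth) Failed SMTP AUTH login from 203.0.113.10 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SMTPAUTH]",
    "Feb 12 11:02:09 web1 lfd[28239]: (sshd) Failed SSH login from 198.51.100.7 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]",
]


def parse_blocks(lines):
    """Return one dict per block entry; lines that do not match are skipped."""
    blocks = []
    for line in lines:
        m = BLOCK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["count"] = int(entry["count"])  # failures counted
            entry["secs"] = int(entry["secs"])    # within this time window
            blocks.append(entry)
    return blocks


def repeat_offenders(lines, min_blocks=2):
    """Map (ip, rule) -> number of blocks, for pairs blocked at least min_blocks times."""
    counts = Counter((b["ip"], b["rule"]) for b in parse_blocks(lines))
    return {key: n for key, n in counts.items() if n >= min_blocks}


if __name__ == "__main__":
    # On a server, pass open("/var/log/lfd.log") instead of SAMPLE.
    for (ip, rule), n in repeat_offenders(SAMPLE).items():
        print(f"{ip} blocked {n} times by {rule}")
```

An IP that shows up here with the same trigger before and after a flush is one where the underlying cause still has to be fixed; the trigger name tells you which service log to look at next.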

After examining the exim log files, we discovered that the following email was the cause of the problem: We quickly informed the client about our findings, and they took care of the issue on their end immediately. We then flushed the CSF blocks again and the issue was finally resolved.

If your company IP is blocked from accessing your Joomla website, then try flushing the CSF blocks in WHM. If that doesn’t fix the problem permanently, then check your logs for the cause of the issue in order to address it. If you need help doing that, then please contact us. We will know what’s causing the block, we will fix it, and your company won’t go bankrupt paying our fees.
