
[Solved] CSF has blocked paypal? Nope, they blocked me!

Discussion in 'Bug Reports' started by redbot, Jun 26, 2020.

  1. redbot

    edit: Nevermind, Paypal had rate limited my site. We had to go through their whitelist process.

    ---------------------

    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.17.10
    • PHP Version Installed: 7.4.6
    • MariaDB MySQL Version Installed: 10.3.23
    • When was last time updated Centmin Mod code base ? : today
    • Persistent Config:
      Code (Text):
      NGXDYNAMIC_NGXPAGESPEED='y'
      NGINX_PAGESPEED='y'
      LETSENCRYPT_DETECT='y'
      AUDITD_ENABLE='y'
      AUDIT_MARIADB=n
      PHP_ARGON='y'
      NGINX_LIBBROTLI='y'
      NGXDYNAMIC_BROTLI='y'
      PHP_PGO='y'
      PHPFINFO='y'
      MARIADB_INSTALLTENTHREE='y'
      
    A couple days ago, users were unable to use paypal to sign up for products on our site. Not all the time, but frequently enough to cause alarm. I was able to confirm that certain paypal notify IPs were blocked, I couldn't even ping them. They weren't in csf.deny, csf --temp was clear, however I whitelisted them in csf.allow and csf.ignore and they began working again. My temporary solution is to whitelist all of Paypal's IPs, but I'm curious what caused these blocks in the first place.

     
    Last edited: Jun 27, 2020
  2. eva2000

    Strange, CSF Firewall wouldn't usually block Paypal IP addresses. Try the CSF grep option on the IP addresses to see if they return a result, as it can list why they were banned. As per CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS:

    Check IP address:
    Code (Text):
    csf -g ISPIPADDRESS
    

    Example output from blocked IP = 119.249.54.86 blocked due to failed SSH login attacks
    Code (Text):
    csf -g 119.249.54.86
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination         
    No matches found for 119.249.54.86 in iptables
    
    IPSET: Set:chain_DENY Match:119.249.54.86 Setting: File:/etc/csf/csf.deny
    
    ip6tables:
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination         
    No matches found for 119.249.54.86 in ip6tables
    
    csf.deny: 119.249.54.86 # lfd: (sshd) Failed SSH login from 119.249.54.86 (CN/China/-): 5 in the last 3600 secs - Sat Sep 10 04:56:25 2016
    
     
  3. redbot

    I dunno, I'm at a loss. This is a Paypal API ip:
    Code (Text):
    ping -c 10 173.0.84.66
    PING 173.0.84.66 (173.0.84.66) 56(84) bytes of data.
    
    --- 173.0.84.66 ping statistics ---
    10 packets transmitted, 0 received, 100% packet loss, time 8999ms
    


    Code (Text):
    csf -g 173.0.84.66
    
    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 173.0.84.66 in iptables
    
    IPSET: No matches found for 173.0.84.66
     
    Last edited: Jun 26, 2020
  4. redbot

    update: This doesn't appear to have anything to do with CSF. Even after whitelisting I can't ping the IPs, even though I could a few minutes ago. It's intermittent.

    When whitelisting appeared to clear up an IP earlier, it must have been coincidence.
     
    Last edited: Jun 26, 2020
  5. eva2000

    Do you have fail2ban set up? Maybe some rules are being triggered to block?

    Check fail2ban logs via grep, i.e. for 149.xxx.xxx.xxx:
    Code (Text):
    grep '149\.xxx\.xxx\.xxx' /var/log/fail2ban.log
    
     
  6. redbot

    Nope, fail2ban isn't installed. This could be on Paypal's end. I'll update after I talk to their tech people.
     
    Last edited: Jun 26, 2020
  7. redbot

    Marking this solved, Paypal had rate limited our server and we had to go through the whitelist process.
     
  8. eva2000

    Ah, learnt something new today. Congrats on getting that many sales/purchases that Paypal rate limited you!
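
The triage this thread worked through by hand, as an added example that is not from any poster or from the Centmin Mod or CSF projects: it classifies `csf -g` output and ping output, using the outputs posted above as sample input. The function names are hypothetical, and the DROP/REJECT match on iptables rule lines is an assumption about their format.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical. Sample text is taken from the thread.

# Read `csf -g <ip>` output on stdin and print one verdict line.
csf_verdict() {
    awk '
        # csf.deny entry: keep the lfd comment after "#" as the reason
        /^[ \t]*csf\.deny:/ { deny = $0; sub(/^[^#]*#[ \t]*/, "", deny) }
        # ipset membership, e.g. "IPSET: Set:chain_DENY Match:<ip> ..."
        /IPSET: Set:/ { for (i = 1; i <= NF; i++) if ($i ~ /^Set:/) set = substr($i, 5) }
        # Assumption: a matching iptables rule line carries its target as a field
        { for (i = 1; i <= NF; i++) if ($i == "DROP" || $i == "REJECT") rule = $i }
        END {
            if (deny != "")      print "blocked-local: " deny
            else if (set != "")  print "blocked-local: ipset " set
            else if (rule != "") print "blocked-local: iptables " rule " rule"
            else                 print "not-blocked-local"
        }'
}

# Read ping output on stdin and print the integer packet-loss percentage.
ping_loss() {
    sed -n 's/.* \([0-9][0-9]*\)[.0-9]*% packet loss.*/\1/p'
}

# Combine both observations. $1 = csf -g output, $2 = ping output.
triage() {
    verdict=$(printf '%s\n' "$1" | csf_verdict)
    loss=$(printf '%s\n' "$2" | ping_loss)
    case "$verdict" in
        blocked-local:*) echo "local CSF block (${verdict#blocked-local: })" ;;
        *) if [ "${loss:-0}" -eq 100 ]; then
               echo "unreachable, no CSF match: check other local filters or the remote side"
           else
               echo "no CSF block, host reachable"
           fi ;;
    esac
}

# Sample input: post 2 (abridged) and post 3 of the thread.
SAMPLE_BLOCKED='No matches found for 119.249.54.86 in iptables
IPSET: Set:chain_DENY Match:119.249.54.86 Setting: File:/etc/csf/csf.deny
csf.deny: 119.249.54.86 # lfd: (sshd) Failed SSH login from 119.249.54.86 (CN/China/-): 5 in the last 3600 secs - Sat Sep 10 04:56:25 2016'
SAMPLE_CLEAN='No matches found for 173.0.84.66 in iptables
IPSET: No matches found for 173.0.84.66'
SAMPLE_PING='10 packets transmitted, 0 received, 100% packet loss, time 8999ms'

triage "$SAMPLE_BLOCKED" "$SAMPLE_PING"
triage "$SAMPLE_CLEAN" "$SAMPLE_PING"
```

Ping loss on its own does not prove a block, since many hosts drop ICMP echo; treat it as a prompt to test the actual service port as well.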