I set up CSF on my cPanel installation to help manage the firewall and provide brute-force protection. One of the features of CSF (Actually LFD, which comes included) is the ability to block IP addresses listed on blocklists, such as spamhaus or OpenBL. While this worked perfectly at the start, I started noticing a recurring entry in my LFD logfile:
Unable to retrieve blocklist RBN - Unable to download: 404 - Not Found
After checking the csf.blocklists file, it seems the URL listed (http://rules.emergingthreats.net/blockrules/rbn-ips.txt) does indeed no longer exist.
My solution seemed pretty easy, I simply removed the RBN blocklist from csf.blocklists and that would be that. Unfortunately, after restarting LFD, the blocklist gets put back in place where it was.
After further testing, it seems I cannot modify this file at all, every time I change it (even just adding a comment or an empty line) and restart LFD, my changes are reverted.
The header comment in the file reads:
###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# This file contains definitions to IP BLOCK lists.
#
# Uncomment the line starting with the rule name to use it, then restart csf
# and then lfd
#
# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
# NAME : List name with all uppercase alphabetic characters with no
# spaces and a maximum of 9 characters - this will be used as the
# iptables chain name
# INTERVAL: Refresh interval to download the list, must be a minimum of 3600
# seconds (an hour), but 86400 (a day) should be more than enough
# MAX : This is the maximum number of IP addresses to use from the list,
# a value of 0 means all IPs
# URL : The URL to download the list from
#
# Note: Some of thsese lists are very long (thousands of IP addresses) and
# could cause serious network and/or performance issues, so setting a value for
# the MAX field should be considered
#
# After making any changes to this file you must restart csf and then lfd
#
# If you want to redownload a blocklist you must first delete
# /etc/csf/csf.block.NAME and then restart csf and then lfd
#
# Each URL is scanned for an IPv4/CIDR address per line and if found is blocked
I did as it said: Modified the file, restarted CSF and then LFD, but still my changes keep being reverted.
I also tried re-installing CSF or modifying csf.blocklists from the web UI, neither solution solved my problem.
The server runs CloudLinux 6.8 with cPanel 58.0, using CSF v9.24
Any help on fixing this issue would be very much appreciated!
