WHM/cPanel Firewall

Had a weird issue where a certain address was unable to access the cpanel server, but it was intermittent with it working some times, but failing at other times.

Ended up being the firewall on the WHM server blocking that particular IP address due to failed log in attempts.

Check the status of LFD (Login Failure Daemon)

systemctl status lfd

How do I know which IP’s are being blocked?

Check the logs, dmesg or tail /var/log/messages

[1122639.674605] Firewall: UDP_IN Blocked IN=eth0 OUT= MAC=8e:23:f5:16:a6:b1:cc:51:54:6a:2e:ea:14:00 SRC= DST= LEN=64 TOS=0x00 PREC=0x00 TTL=246 ID=40014 PROTO=UDP SPT=9307 DPT=161 LEN=44
[1122646.728510] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=8e:23:f5:16:a6:b1:cc:51:54:6a:2e:ea:14:00 SRC= DST= LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=57522 DPT=15672 WINDOW=65535 RES=0x00 SYN URGP=0

CSF keeps a file with addresses to deny in “/etc/csf/csf.deny” Also nice that if gives you a little bit of info on why it was blocked.

# grep -r "" /etc/csf/csf.deny # lfd: (pop3d) Failed POP3 login from (US/United States/-): 10 in the last 3600 secs - Tue Jun 20 11:36:15 2020

You can also dump all of the rule in iptables with

iptables --list | egrep ""

Change with the IP you are looking for

Whitelist IP Addresses

Open up /etc/csf/csf.allow with a text editor and add the IP to the bottom of the file.

or add the IP address to the end of the file with the following command. Replace with the IP address you want to whitelist.

echo "" >> /etc/csf/csf.allow

You can also do all of this from the WHM web interface “Plugins -> ConfigServer Security & Firewall”

Further reading


Exim Bulk Remove Email Messages in Queue

exim -bp | grep "string" -A1 | awk {'print $3'}

Replace string with the email address, or domain you want to search for and delete.
Note that -A1 may not be needed. Grep will just search for string and 1 line after it. I had a problem with the string I was wanting to use was on the line below it

Exim View Email Message by ID

View Email Header

You can view an email message in Exim with the following command and options.

exim -Mvh email-id

Example output

# exim -Mvh 1jTAsw-0101m5-TH
mailnull 47 12
1591431138 0
-received_time_usec .007773
-ident mailnull
-received_protocol local
-body_linecount 109
-max_received_linelength 98
155P Received: from mailnull by cpanel.server.co with local (Exim 4.93)
id 1jTAsw-0101m5-TH
for larry@incredigeek.com; Sat, 06 Jun 2020 03:12:18 -0500
045 X-Failed-Recipients: bob@incredigeek.com
029 Auto-Submitted: auto-replied
068F From: Mail Delivery System Mailer-Daemon@cpanel.server.co
025T To: larry@incredigeek.com
064 References:
098 Content-Type: multipart/report; report-type=delivery-status; boundary=1121689138-eximdsn-67139566
018 MIME-Version: 1.0
059 Subject: Mail delivery failed: returning message to sender
057I Message-Id: E3ghaTA-001qN5-Hn@cpanel.host.com
038 Date: Sat, 06 Jun 2020 03:12:18 -0500

View Message Body

You can view the message body with the -b option

exim -Mvb email-id


exim -Mvb email-id 1jTAsw-0101m5-TH
email message

WHM/cPanel – Change Main Server IP

Change IP Address from command line

Open up the following file, change eth0 to your primary ethernet adapter. More info here.

 vi /etc/sysconfig/network-scripts/ifcfg-eth0

and under IPADDR set it to the new IP. Update netmask and gateway if needed.

Save file and restart network

systemctl restart network

Update License

You may need to run the following to update the license on the server.


Change Server IP in WebHost Manager

Change IP for server in Basic WebHost Manager Setup

Other things to do

You may need to migrate IP’s to the new address.
If you are keeping the old address on the server, then you may need to readd it through the IP Functions.

WHM/cPanel – Works from some networks and not others.

Had a problem with a WHM/cPanel server where it was working fine from a couple different networks, but then would not work on others. The server itself seemed fine and fully operational.

Checked firewall rules on routers, server, checked IP routes, tried disabling cPHulk. Ended up being there were a couple addresses added with the incorrect subnet mask which was keeping it from working. Removed the IP’s with the wrong subnet and it started working on all networks.

[root@host ~]# ifconfig
eth0: flags=4163 mtu 1500
  inet netmask broadcast
  inet6 7f80::4588:523f:a697:c311 prefixlen 64 scopeid 0x20
  ether 4b:02:de:0d:cf:1a txqueuelen 1000 (Ethernet)
  RX packets 171071 bytes 83556877 (79.6 MiB)
  RX errors 0 dropped 0 overruns 0 frame 0
  TX packets 163710 bytes 76482245 (72.9 MiB)
  TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth0:cp1: flags=4163 mtu 1500
  inet netmask broadcast
  ether 4b:02:de:0d:cf:1a txqueuelen 1000 (Ethernet)

eth0:cp6: flags=4163 mtu 1500
  inet netmask broadcast
  ether 4b:02:de:0d:cf:1a txqueuelen 1000 (Ethernet)

[root@host ~]#

Under eth0:cp6 the IP has a subnet which is incorrect. Should have been a (/27) subnet.

Removed the IP out of WHM and then readded with the correct subnet mask and it now works.

Make sure you add and IP with the correct subnet

cPanel/WHM enable shell_exec

SSH into WHM server

ssh root@cpanel.host.com

Modify Website php-fpm Config File

Edit the following config file. Replace “website.com” with the website your enabling the shell_exec for

vi /opt/cpanel/ea-php72/root/etc/php-fpm.d/website.com.conf

Locate the following line and remove shell_exec from the list of disabled_functions

php_admin_value[disable_functions] = exec,passthru,shell_exec,system

The line should look like the following

php_admin_value[disable_functions] = exec,passthru,system

Restart Apache PHP FPM Service

Save the file and restart the apache_php_fpm service


Followed from