We have found an issue with the /usr/local/cpanel/cpkeyclt processes which I have brought to cPanel's attention. This is what we've told them:
We are starting to see issues with clients using csf as a static firewall when running /usr/local/cpanel/cpkeyclt - static because their virtualisation technology breaks connection tracking in the kernel.
This is happening because the license data exchange when running /usr/local/cpanel/cpkeyclt tries to connect back via TCP port 4 8 times, then TCP port 1021 8 times By then the connecting IP is blocked due to excessive port accesses on closed ports.
When on a server where the kernel support connection tracking, this isn't an issue, but on these statically configured servers this behaviour breaks itself.
Can the licensing data exchange please take place on known open ports before attempting connections on ports that are never likely to work, so that those with static firewalls don't end up with blocked cPanel servers.
Our normal mitigation for this would be to suggest using the rDNS feature of csf to have it not block IP's that translate to *.cpanel.net, but the license servers do not have rDNS PTR records pointing to cpanel.net so this cannot be used.
This is becoming more apparent with servers with broken connection tracking in their kernels (usually virtozzo, openvz and badly configured host servers).
For now, the workaround would be to flush all blocks in case cPanel servers are blocked and then disable Port Scan Tracking (PS_INTERVAL = "0"
) in csf to prevent /usr/local/cpanel/cpkeyclt blocking itself. You need to restart csf and then lfd after making that change.