This guide explains the most common reasons an IP gets blocked by cPFence and how to investigate and resolve it using both CLI and the WebUI.
Quick check: Use the built-in checker first.
cpfence --check-ipYou can also run this from the WebUI under Tools & Utilities → IP Tools → Check IP.
Why an IP Gets Blocked
- IPDB blacklist — Reputation-based block due to recent attacks reported by the cPFence network.
- Brute-force activity — Detected login abuse leads to an immediate block.
- DDoS or connection surge — 100+ concurrent connections from the same IP trigger rate protection.
How to Investigate
1) Check local logs
Search your system logs for the IP to see recent activity and service-level context:
grep -E '169\.1\.254\.151' /var/log/syslog*Replace the IP with the one you are investigating.
2) If logs show little or nothing
The IP may be blocked by IPDB before local services log any events. Check reputation:
AbuseIPDB: Check IP reputation
3) Look for connection surges
If it’s not blacklisted, then it’s likely the 100-connections cap. Many clients open multiple IMAP logins at once from one IP. A few accounts across multiple devices can hit that limit quickly. We recommend adding the client’s IP to the whitelist. You can increase the limit in the config file, but it’s not advised.
How to Resolve
- Whitelist the client IP if it is trusted and the block was due to connection surges. Use WebUI: System Settings → IP Whitelist, or CLI:
cpfence --add-ip-whitelist <ip-address> - Review client behavior and reduce parallel connections in IMAP or FTP clients. Set reasonable connection limits in FileZilla and mail apps.
- If the IP is listed on IPDB, use a different clean IP or request delisting where appropriate.
Notes
- If
cpfence --check-ipshows minimal info and local logs are empty, it is usually an IPDB block. - For clients with dynamic IPs, you can Whitelist DDNS so the whitelist follows their changing IP.
Need Further Assistance?
If you need further help, please contact our support team via your client portal.
