Dear all,
I am facing a strange problem with CSF (ConfigServer Firewall) on a CentOS 6 machine that I never came across before and even Aunt Google did not come up with an answer...
Whenever I manually insert an IP into /etc/csf/csf.deny, either using an editor or via "csf -d IPADDRESS", it perfectly blocks the IP from connecting via SSH, but the IP can still access the website that is hosted on the server.
I am used to (and expect) that IP being blocked for connections to any port and service on the machine. Why does it still come through via port 80? I am absolutely clueless and helpless. Hopefully, one of you may be able to help me out!
Thanks in advance & Cheers, -Amitz
Got divided by zero. Three times. Feel better ever since...
Comments
Did you restart CSF after making the change / addition?
csf -r
Run this command to check if you have the required iptables modules.
perl /etc/csf/csftest.pl
Asad
Thanks for your answers! Yes, I did a
afterwards and this is the output of the csftest:
I just reinstalled CSF and it keeps happening... :-(
Did you restart lfd? Why don't you use the GUI, btw? Does the GUI work, or does even that fail?
Time is good and also bad. Life is short and that is sad. Don't worry, be happy, that's my style. No matter what happens I won't lose my smile!
Yes, I also restarted lfd. I never used the GUI before. It was never necessary... I think that CSF is quite simple to handle and I never had any problem with it on other boxes. That's why I am so clueless as to what is going on here.
How do you know the block isn't working?
Try today and see if that is working; also check your csf config (there was an option somewhere to block/allow certain parts of the server and vice versa, haven't logged into WHM for ages).
I can enter my own IP with "csf -d". Afterwards, connecting to the server via SSH (for example) no longer works, while I can still browse the website on the server. I have furthermore added the IP of a bandwidth abuser in csf.deny and he is still sucking stuff like crazy.
I never looked at it - Is the GUI called by http://SERVER_IP:Port?
Is it a WHM/cPanel server or CSF running standalone?
CSF standalone. I have just activated the GUI in csf.conf. I even opened port 6666 but cannot connect to it via http://SERVER_IP:6666.
//Edit: Also tried to set alternative port numbers. Did not work either.
But GUI aside: any more ideas concerning this strange issue?
Reboot? Flush your iptables? Reinstall CSF?
Did all that (besides a server reboot). Do you feel my despair? ;-)
What virtualization type is the server running?
You can do
iptables -L -n
to see what rules actually exist, and whether the IP is blocked for all ports or only ssh (e.g., --dport 22).
Sorry, I forgot: It is a dedicated server. So limits from the host OS should not apply.
This is the output of
Everything seems to be fine. It's a mystery for me right now.
How are you determining that the IP is still able to connect?
I used my own IP for testing.
Maybe you have a rule before that which says something like "allow all on port 80" and would take precedence. M
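The two suggestions above, reading the live rules with iptables -L -n and checking whether an earlier "allow port 80" rule wins over the deny, can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from CSF: it parses a constructed iptables -L -n listing (the addresses and the rule layout are made up for illustration; the DENYIN user chain mirrors how CSF organises csf.deny entries, but nothing here is output from the poster's server) and walks INPUT from top to bottom, descending into user chains, to report the first verdict for a new connection from a given source to a given port. In the sample, an ACCEPT for tcp/80 sits before the jump into DENYIN, which is exactly the precedence problem M describes: the denied source is dropped on 22 and 443 but accepted on 80.

```python
import ipaddress
import re

# Constructed `iptables -L -n` listing for illustration (not output from the thread's
# server). INPUT jumps into a DENYIN user chain, as CSF does for csf.deny entries,
# but an ACCEPT for tcp/80 sits *before* that jump, so the deny never sees web traffic.
SAMPLE_IPTABLES_L_N = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
DENYIN     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443

Chain DENYIN (1 references)
target     prot opt source               destination
DROP       all  --  203.0.113.45         0.0.0.0/0
DROP       tcp  --  198.51.100.7         0.0.0.0/0           tcp dpt:22
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_chains(listing):
    """Return {chain: {"policy": str|None, "rules": [dict, ...]}} from `iptables -L -n` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if header:
            current = header.group(1)
            chains[current] = {"policy": header.group(2), "rules": []}
        elif current and line.strip() and not line.startswith("target"):
            fields = line.split(None, 5)
            target, prot, _opt, src, dst = fields[:5]
            chains[current]["rules"].append(
                {"target": target, "prot": prot, "src": src, "dst": dst,
                 "extra": fields[5] if len(fields) > 5 else ""})
    return chains


def rule_matches(rule, ip, proto, dport):
    """Does this rule match a *new* connection from ip to proto/dport?"""
    if rule["prot"] not in ("all", proto):
        return False
    if ip not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    state = re.search(r"(?:ct)?state (\S+)", rule["extra"])
    if state and "NEW" not in state.group(1).split(","):
        return False            # a RELATED,ESTABLISHED rule never matches a fresh SYN
    port = re.search(r"dpt:(\d+)", rule["extra"])
    return port is None or int(port.group(1)) == dport


def first_verdict(chains, chain, ip, proto, dport):
    """Walk a chain top to bottom, descending into user chains; the first terminal target wins."""
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, ip, proto, dport):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], chain
        if rule["target"] == "RETURN":
            return None
        if rule["target"] in chains:          # jump into a user-defined chain
            hit = first_verdict(chains, rule["target"], ip, proto, dport)
            if hit:
                return hit
    return None


def new_connection_verdict(listing, src_ip, dport, proto="tcp"):
    """(verdict, where) for a new proto/dport connection from src_ip entering INPUT."""
    chains = parse_chains(listing)
    hit = first_verdict(chains, "INPUT", ipaddress.ip_address(src_ip), proto, dport)
    return hit or (chains["INPUT"]["policy"], "INPUT policy")


if __name__ == "__main__":
    for port in (22, 80, 443):
        verdict, where = new_connection_verdict(SAMPLE_IPTABLES_L_N, "203.0.113.45", port)
        print(f"203.0.113.45 -> tcp/{port}: {verdict} (matched in {where})")
```

To use it on a real box, save the listing with iptables -L -n > rules.txt and pass the file contents instead of the sample string; the "where" part of the answer tells you which chain produced the verdict, so an unexpected ACCEPT in INPUT ahead of DENYIN shows up immediately. Note that in the original poster's case the listing looked fine, which is consistent with the real cause found later in the thread: the packets were not arriving from the denied address at all.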
I would love to check that, but the server did not come back after a reboot that I initiated some minutes ago. The DC is now kind enough to check the reason...
Thank god - I was not greedy and have the website on that server mirrored on a cheap dedicated at OVH. Just switched DNS settings and will hopefully not be offline too long.
You could always abandon CSF for APF. Superior imo.
I installed CSF in DirectAdmin, but when I start it, all FTP cannot connect.
BANG!
I am so stupid... I have found the reason for the issue and wanted to share my stupidity with you. The website in question is behind a free CloudFlare plan. Therefore all requests to the webserver are coming from CloudFlare IPs and not from the direct IP of the visitor. Therefore I could deny as many IPs as I would like to in csf.deny - That will never affect anything as long as the visitor is behind a CloudFlare IP.
My question now is: How do I lock somebody out from the website via IP denial while still using CloudFlare? There must be a possibility for this, I am surely not the only one with that problem...
//Edit: Ah. I just saw that CloudFlare is also offering a blacklist/whitelist IP interface. That would be the way to go then, I guess...
Unless CloudFlare sends some referrer IP in the call to your server and does not override everything with its own IP, you won't be able to. Even if it does, it can't be done at the simple CSF level; you need some DPI.
@Amitz You can do something like this too: http://danielmiessler.com/blog/getting-real-ip-addresses-using-cloudflare-nginx-and-varnish
Just stick that on a LEB.
CF does have an entire header with the IP, and another with the country if enabled.
They're likely the most friendly reverse proxy service there is.
Just map the IP to a variable, and then deny if it matches that.
Freelance Linux/Unix consultant, contact me if you need help!
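The advice above (take the visitor's address from the header CloudFlare adds, then deny on that) is the whole fix for the original problem, but it has one caveat the thread does not spell out: the header must only be believed when the connection really came from CloudFlare, otherwise anyone connecting directly can put whatever they like in it. The following is an added example, not code from the thread or from CloudFlare; the header name CF-Connecting-IP is taken from CloudFlare's documentation rather than from this discussion, the TRUSTED_PROXIES range and the denied address are constructed stand-ins, and the small WSGI middleware is my own illustration of where the check goes.

```python
import ipaddress

# Constructed values, not from the thread. TRUSTED_PROXIES stands in for CloudFlare's
# address ranges; in production load CloudFlare's published list and keep it current,
# because the header is only trustworthy when the TCP peer is one of those proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]
DENIED = {ipaddress.ip_address("203.0.113.45")}       # the visitor to keep out
REAL_IP_HEADER = "HTTP_CF_CONNECTING_IP"              # WSGI spelling of CF-Connecting-IP


def effective_client_ip(environ):
    """Address the deny list applies to.

    The header is honoured only when the connection came from a trusted proxy; on a
    direct connection it is client-supplied and ignored, so a blocked visitor cannot
    talk their way past the list by sending a forged header, and nobody can get an
    innocent address blocked by forging one either.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if any(peer in net for net in TRUSTED_PROXIES):
        claimed = environ.get(REAL_IP_HEADER, "").strip()
        if claimed:
            try:
                return ipaddress.ip_address(claimed)
            except ValueError:
                pass                                  # malformed header: fall back to peer
    return peer


def is_denied(environ):
    return effective_client_ip(environ) in DENIED


def deny_middleware(app):
    """WSGI wrapper that answers 403 for denied visitors before the app sees the request."""
    def wrapped(environ, start_response):
        if is_denied(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app, environ):
    """Tiny in-process WSGI driver: returns (status, body) so the logic runs offline."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


app = deny_middleware(hello_app)

if __name__ == "__main__":
    # Constructed request: arrives from a trusted proxy, header names the denied visitor.
    via_proxy = {"REMOTE_ADDR": "192.0.2.10", "HTTP_CF_CONNECTING_IP": "203.0.113.45"}
    print(call(app, via_proxy))
```

In nginx the same idea is the real_ip module: one set_real_ip_from line per CloudFlare range, real_ip_header CF-Connecting-IP, and then an ordinary deny on the rewritten address. Whichever form you use, the trusted-range check is the part that matters; without it the deny list is only as reliable as the header an arbitrary client chooses to send. Note also that this is why csf.deny could never work here on its own: at the packet level every web request really does come from a CloudFlare address, so the visitor's IP only exists inside the HTTP request.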
Nice :) Never used them, no need, but it may come in handy one day.