Strange Problem with CSF on CentOS - Please kindly help!

AmitzAmitz Member
edited September 2012 in Help

Dear all,

I am facing a strange problem with CSF (ConfigServer Firewall) on a CentOS 6 machine that I never came across before and even Aunt Google did not come up with an answer...

Whenever I manually insert an IP to /etc/csf/csf.deny either using an editor or via "csf -d IPADDRESS", it perfectly blocks the IP from connecting via SSH, but the IP can still access the website that is hosted on the server.

I am used to (and expect) that IP to be blocked for connections to any port and service on the machine. Why does it still come through via Port 80? I am absolutely clue- and helpless. Hopefully, one of you may be able to help me out!

Thanks in advance & Cheers,
-Amitz

Comments

  • Did you restart CSF after making the change / addition?

    csf -r

  • AsadAsad Member
    edited September 2012

    Run this command to check if you have the required iptables modules.

    perl /etc/csf/csftest.pl

  • Thanks for your answers!
    Yes, I did a

    csf -r

    afterwards and this is the output of the csftest:

    perl /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    
    RESULT: csf should function on this server

    I just reinstalled CSF and it keeps happening... :-(

  • Did you restart lfd? Why don't you use the GUI btw? Does the GUI work, or does even that fail?

  • AmitzAmitz Member
    edited September 2012

    Yes, I also restarted lfd.
    I never used the GUI before. It was never necessary... I think that CSF is quite simple to handle and never had any problem on other boxes with it. That's why I am so clueless what is going on here.

  • How do you know the block isn't working?

  • TazTaz Member
    edited September 2012

    Try today and see if that is working, also check your csf config (There was an option somewhere to block/allow certain parts of the server and vice versa, haven't logged into WHM for ages).

  • @AsadHaider said: How do you know the block isn't working?

    I can enter my own IP with "csf -d". Afterwards, connecting to the server via SSH (for example) no longer works, while I can still browse the website on the server.
    I have furthermore added the IP of a bandwidth abuser in csf.deny and he is still sucking stuff like crazy.

    @Taz_NinjaHawk said: Try today and see if that is working, also check your csf config (There was an option somewhere to block/allow certain parts of the server and vice versa).

    I never looked at it - Is the GUI called by http://SERVER_IP:Port?

  • Is it a whm/cpanel server or csf running standalone?

  • AmitzAmitz Member
    edited September 2012

    CSF standalone. I have just activated the GUI in csf.conf. I even opened port 6666 but cannot connect to it via http://SERVER_IP:6666.

    //Edit: Also tried to set alternative port numbers. Did not work either.

  • But, however, GUI aside: Any more ideas concerning this strange issue?

  • Reboot? Flush your ip tables? Reinstall CSF?

  • Did all that (besides a server reboot). Do you feel my despair? ;-)

  • AsadAsad Member
    edited September 2012

    What virtualization type is the server running?

  • You can do

    iptables -L -n

    to see what rules actually exist, and whether the IP is blocked for all ports or only ssh (e.g., --dport 22).

  • @AsadHaider said: What virtualization type is the server running?

    Sorry, I forgot: It is a dedicated server. So limits from the host OS should not apply.

    @sleddog said: You can do
    iptables -L -n
    to see what rules actually exist, and whether the IP is blocked for all ports or only ssh (e.g., --dport 22).

    This is the output of

    iptables -L -n | grep MY.IP.ADDRESS
    
    DROP       all  --  MY.IP.ADDRESS        0.0.0.0/0           
    DROP       all  --  0.0.0.0/0            MY.IP.ADDRESS
    

    Everything seems to be fine. It's a mystery for me right now.

  • @Amitz said: It's a mystery for me right now.

    How are you determining that the IP is still able to connect?

  • I used my own IP for testing.

  • MaouniqueMaounique Host Rep, Veteran

    Maybe you have a rule before it that says something like "allow all on port 80" and would take precedence.
    M

  • AmitzAmitz Member
    edited September 2012

    I would love to check that, but the server did not come back after a reboot that I initiated some minutes ago. The DC is now kind enough to check the reason...

    Thank god - I was not greedy and have the website on that server mirrored on a cheap dedicated at OVH. Just switched DNS settings and will hopefully not be offline too long.

  • You could always abandon csf for apf. Superior imo

  • I installed CSF in DirectAdmin, but after starting it, all FTP cannot connect.

  • AmitzAmitz Member
    edited September 2012

    BANG!

    I am so stupid... I have found the reason for the issue and wanted to share my stupidity with you. The website in question is behind a free CloudFlare plan. Therefore all requests to the webserver are coming from CloudFlare IPs and not from the direct IP of the visitor. Therefore I could deny as many IPs as I would like to in csf.deny - That will never affect anything as long as the visitor is behind a CloudFlare IP.

    My question now is: How do I lock somebody out from the website via IP denial while still using CloudFlare? There must be a possibility for this, I am surely not the only one with that problem...

    //Edit: Ah. I just saw that CloudFlare is also offering a blacklist/whitelist IP interface. That would be the way to go then, I guess...

  • MaouniqueMaounique Host Rep, Veteran

    Unless CloudFlare sends some referrer IP in the call to your server and does not override everything with its own IP, you won't be able to.
    Even if it does, it can't be done at simple CSF level, you need some DPI.
    M

  • CF does have an entire header with the IP, and another with the country if enabled.

    They're likely the most friendly reverse proxy service there is.

    Just map the IP to a variable, and then deny if it matches that.
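
The header-based block the post describes, as an added Python example that is not code from the thread, CSF or CloudFlare: the forwarded client address in CF-Connecting-IP is honoured only when the TCP peer really is the proxy, otherwise any direct client could set that header itself and walk past the deny list. The proxy ranges and deny list are constructed placeholders (documentation addresses); a real deployment loads the proxy's published ranges.

```python
"""Deny a visitor by IP when the site sits behind a reverse proxy (CloudFlare).

Added example, not from the thread. iptables/CSF only ever sees the proxy's
edge addresses, so the decision moves to the web layer and uses the client
address the proxy forwards in the CF-Connecting-IP header.
"""
import ipaddress

# CONSTRUCTED placeholder ranges standing in for the proxy's edge networks.
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# CONSTRUCTED deny list (e.g. the bandwidth abuser from the thread).
DENY_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.7/32", "192.0.2.0/24")]


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def client_ip(peer_ip, headers):
    """Return the address the deny rule must be evaluated against.

    The forwarded header is trusted only when the TCP peer is one of the
    proxy's networks; a direct client claiming another address in the
    header is still judged by its own peer address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXY_NETS):
        return peer
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    forwarded = lowered.get("cf-connecting-ip", "").strip()
    if not forwarded:
        return peer
    try:
        return ipaddress.ip_address(forwarded)
    except ValueError:
        return peer  # malformed header value: fall back rather than trust it


def is_denied(peer_ip, headers):
    """True when the request should be rejected (HTTP 403 or connection drop)."""
    return _in_any(client_ip(peer_ip, headers), DENY_NETS)


if __name__ == "__main__":
    # Constructed request: proxy edge forwards the abuser's address.
    print(is_denied("203.0.113.10", {"CF-Connecting-IP": "198.51.100.7"}))  # True
```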

  • MaouniqueMaounique Host Rep, Veteran

    @Wintereise said: CF does have an entire header with the IP, and another with the country if enabled.

    Nice :)
    Never used them, no need, but it may become handy one day.
    M
