cPanel CSF issue
agoldenberg
Member, Host Rep
in Help
Hi Guys,
I'm sure a lot of you know a lot more about cPanel / WHM than I do.
Here's the issue I need help with. I've installed CSF and set up a couple of CC_DENY countries.
Now when I enable CSF and LFD for some reason I cannot resolve any of the domains I host.
Any idea why this may be happening?
Comments
Either:
Try checking if the domains are resolvable with different IPs (VPNs, proxies, etc.)
Banning entire countries for your lack of comprehensive firewall rules management. I bet you received a very warm welcome from the Idiot's Club.
IMHO he's free to ban whichever countries he wants to ban.
If the countries are not a target demographic for whatever the sites are about, why is this an issue?
His server, his rules.
Exactly.
We ban certain countries from our billing system actually. Some are banned because 100% of orders coming from them are fraud. Many hosting providers don't provide services to customers from Iran for example.
The reason for blocking countries is massive amounts of traffic and brute force attempts from China, Poland, Russia, Afghanistan and a couple others.
1) No my IP is whitelisted.
2) I haven't blocked Canada.
I usually don't block unless I have to; however, my Wable VPSs are getting hit really bad, and every notification I see there is China. So this thread has just reminded me to add some new rules to iptables and block out that country.
There are easier ways to combat that than blocking out the whole country.
@nexmark and all the other people. None of my clients care about Chinese or Japanese or Russian or Korean visitors. All we get from them are brute force attempts and spam. So either try to stay on topic and maybe make a contribution to the thread or fuck off and troll elsewhere.
You're such a nice guy. On topic though:
When you ban entire countries, you hurt most the people you want to let in. Let me explain how firewall blocks work.
Client: Hi I would like to enter.
Server: Great! Do you meet rule #1? No? Next rule.
Server: Great! Do you meet rule #2? No? Next rule.
Server: Great! Do you meet rule #3? No? Next rule.
Server: Great! Do you meet rule #4? No? Next rule.
Server: Great! Do you meet rule #5? No? Next rule.
Server: Great! Do you meet rule #6? No? Next rule.
Server: Great! Do you meet rule #7? No? Next rule.
Server: Great! Do you meet rule #8? No? Next rule.
Server: The last rule says you're allowed, so come on in!
Now just add 20,000 subnet block rules to your iptables and use your imagination. Try not to host any high traffic websites. In short, you make system administrators cry when you do this.
Make sure FASTSTART is set to 0.
CC_DENY and fast start never play nice for me...
Although this probably wouldn't block your IP.
@Jar makes sense. So what's the better way? Just block IPs as they brute force?
That's what CSF does anyway
Yes, and multiple blocks from the same subnet should result in a netblock.
This way you don't need to block each IP in the /24 individually.
Yeah, catch and release is the best way. It stops you from being the ultimate victim. It sucks to pay a price in performance for their bad networks. The impact is low if they fail to log in say 3-5 times, it's when they hammer away for hours that it really just makes you want to smash things. Fortunately LFD is really good at this and you get that with CSF. Alternatively, fail2ban is awesome. I like something around 5 login failures = 6 hour ban.
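The "catch and release" approach described in the replies above (block a host after a handful of login failures, lift the block after a fixed time, and collapse several blocked hosts in one /24 into a netblock), as an added example. This is illustrative Python, not code from CSF, LFD or fail2ban, and it was not posted in the thread. Assumptions made here: a 10-minute window for counting failures (the thread gives the 5-failure threshold and the 6-hour ban but no window), a fixed year for syslog timestamps (which carry none), and constructed sshd-style log lines using documentation address ranges.

```python
"""Threshold ban with automatic release, plus /24 aggregation (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines: capture the syslog timestamp and source IP.
LOG_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .*? from (\d+(?:\.\d+){3}) port \d+"
)
LOG_YEAR = 2024  # assumption: syslog timestamps carry no year

# Constructed sample log (not real hosts): 203.0.113.10 and .11 each fail 5 times,
# 198.51.100.7 fails 3 times, one line is a successful key login and is ignored.
SAMPLE_LOG = """\
Jan 10 03:00:01 web sshd[4101]: Failed password for root from 203.0.113.10 port 40011 ssh2
Jan 10 03:00:04 web sshd[4102]: Failed password for root from 203.0.113.10 port 40012 ssh2
Jan 10 03:00:07 web sshd[4103]: Failed password for root from 203.0.113.10 port 40013 ssh2
Jan 10 03:00:10 web sshd[4104]: Failed password for root from 203.0.113.10 port 40014 ssh2
Jan 10 03:00:13 web sshd[4105]: Failed password for root from 203.0.113.10 port 40015 ssh2
Jan 10 03:01:00 web sshd[4110]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jan 10 03:01:30 web sshd[4111]: Failed password for invalid user admin from 198.51.100.7 port 51001 ssh2
Jan 10 03:02:00 web sshd[4112]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Jan 10 03:05:00 web sshd[4120]: Failed password for root from 203.0.113.11 port 40100 ssh2
Jan 10 03:05:02 web sshd[4121]: Failed password for root from 203.0.113.11 port 40101 ssh2
Jan 10 03:05:04 web sshd[4122]: Failed password for root from 203.0.113.11 port 40102 ssh2
Jan 10 03:05:06 web sshd[4123]: Failed password for root from 203.0.113.11 port 40103 ssh2
Jan 10 03:05:08 web sshd[4124]: Failed password for root from 203.0.113.11 port 40104 ssh2
Jan 10 03:06:00 web sshd[4130]: Failed password for root from 203.0.113.10 port 40020 ssh2
Jan 10 03:06:30 web sshd[4131]: Accepted publickey for deploy from 192.0.2.50 port 2222 ssh2
"""


def parse_ts(text):
    """Turn a syslog timestamp into a datetime (year is an assumption)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


class BanTracker:
    """5 failures inside the window -> temporary ban; bans expire on their own."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=6)):
        self.threshold, self.window, self.ban_for = threshold, window, ban_for
        self.failures = defaultdict(deque)  # ip -> timestamps inside the window
        self.bans = {}                       # ip -> expiry time

    def release_expired(self, now):
        """Lift bans whose expiry has passed; return the released IPs."""
        released = [ip for ip, expiry in self.bans.items() if expiry <= now]
        for ip in released:
            del self.bans[ip]
        return released

    def observe(self, ts, ip):
        """Record one failure; return 'noted', 'banned' or 'already_banned'."""
        self.release_expired(ts)
        if ip in self.bans:
            return "already_banned"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # slide the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.bans[ip] = ts + self.ban_for
            recent.clear()
            return "banned"
        return "noted"


def suggest_netblocks(ips, prefixlen=24, min_hosts=2):
    """Return the /24s (as strings) holding at least min_hosts banned IPs."""
    groups = defaultdict(list)
    for ip in ips:
        groups[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)].append(ip)
    return sorted(str(net) for net, hosts in groups.items() if len(hosts) >= min_hosts)


def run_sample(log_text=SAMPLE_LOG):
    """Feed the sample log through the tracker and summarise the outcome."""
    tracker, events = BanTracker(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a failed-password line
        ip = m.group(2)
        events.append((m.group(1), ip, tracker.observe(parse_ts(m.group(1)), ip)))
    return {"events": events, "tracker": tracker,
            "netblocks": suggest_netblocks(tracker.bans)}


if __name__ == "__main__":
    result = run_sample()
    for ts, ip, action in result["events"]:
        print(f"{ts}  {ip:<15} {action}")
    print("active bans:", sorted(result["tracker"].bans))
    print("netblocks worth a single rule:", result["netblocks"])
```

The window and the expiry are what make this "release" rather than a permanent list: a host that fails three times and goes away is never banned, and a banned host drops off the list after six hours, so the rule set stays short instead of growing without bound. The /24 aggregation is the second point made above; two hosts from one subnet become one rule, and `suggest_netblocks` is where a stricter or looser threshold would go.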
@agoldenberg I usually block subnets. For example, when I see various suspicious behaviors I look up the IP and if it is from the Eastern bloc, China, India, etc., I block the entire subnet with csf.
NetRange: XX.0.0.0 - XX.255.255.255
CIDR: XX.0.0.0/8
Also, I enable the following block list too.
/etc/csf/csf.blocklists
mod_sec is your best friend with cPanel servers. And if you have port 25 open, make sure you adjust the settings for protecting the mail server. You wouldn't believe how many connections you can simply ignore, and you will have more resources for the real customers.
Last, the other day I saw an IP with tons of connections. I run this command to check the connections, and then proceed to block it.
Please do not ban any country. This is not right.
Any automated brute force can be put to silence using the right firewall rules. Same for multiple connections from the same IP. Change ports and use strict rules, e.g.
4 consecutive attempts within 1 hour = 6 hour ban
or simply restrict simultaneous connections from the same IP - make sure not to enforce the last rule on 80/443. All of this can be swiftly tuned in CSF. I had plenty of opportunities to check clients' complaints of brute force and guess what: they were using port 22 and/or ran old versions of bind/apache without hiding the version number.
As long as there will be free proxies and VPNs, you're not safe. Try reading start to end the /etc/csf/csf.conf - 95% of that damn long file consists of comments on how each rule (or set of rules) work/s.
Good luck!
Try with my csf.conf
https://ginernet.com/csf.conf
Don't forget to edit alert e-mails:
And be sure that in CSF > Test iptables, all is OK like this:
Your IP might have been blocked by the firewall. To avoid this issue, use another IP.
@agoldenberg: IMHO, from a performance perspective, you are better off blackhole routing individual IPs that bruteforce (i.e., via fail2ban, etc.) OR using ipset .... (various posts on serverfault and stackoverflow tend to agree). And, if you see multiple IPs within the same subnet, to then use the firewall to block the subnets.
Performance may suffer if you use iptables to block high numbers of individual IPs.
(There will be purists who will argue that blackhole routing is not as effective a security strategy as using iptables but when using the two of them in concert, it is a very effective combination.)
EDIT: Added a couple of reference links
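Why the long rule list hurts, and what ipset changes, as an added example that is not from the thread, CSF or ipset. Jar's "rule #1 ... rule #8" dialogue above describes a netfilter chain: every packet is compared against each rule in order, so with N deny rules an allowed packet (a real customer) pays for all N comparisons. A `hash:net` ipset instead does one hash lookup per distinct prefix length in the set, however many entries it holds, which is the performance point geekalot makes. The Python below models both lookups on a constructed list of 20,002 blocked prefixes (RFC 1918 and shared-address ranges chosen only because they are never routed publicly) and renders the ipset/iptables commands that would replace the per-subnet rules; the set name `cc_deny` and the list are assumptions. CSF has its own ipset switch in csf.conf (LF_IPSET) for its block lists, so on a cPanel box that setting is the practical counterpart of what this example renders by hand.

```python
"""Linear chain walk vs. hash:net set lookup, and the ipset rules that replace
a per-subnet chain (added example; not CSF or ipset code)."""
import ipaddress

# Constructed blocklist: 20,000 /24s plus two /16s (no real block list).
BLOCKED = ([f"10.{a}.{b}.0/24" for a in range(80) for b in range(250)]
           + ["100.64.0.0/16", "100.65.0.0/16"])


def build_chain(cidrs):
    """One iptables DROP rule per prefix, in list order."""
    return [ipaddress.ip_network(c) for c in cidrs]


def linear_match(chain, ip):
    """Walk the chain the way netfilter does: stop at the first matching rule.
    Returns (verdict, number of rules compared)."""
    addr = ipaddress.ip_address(ip)
    for i, net in enumerate(chain, 1):
        if addr in net:
            return "DROP", i
    return "ACCEPT", len(chain)  # an allowed packet was tested against every rule


class PrefixSet:
    """Models a hash:net ipset: the address is masked to each prefix length
    present in the set and looked up in a hash, so cost depends on the number
    of distinct prefix lengths, not on the number of entries."""

    def __init__(self, cidrs):
        self.by_len = {}
        for c in cidrs:
            net = ipaddress.ip_network(c)
            self.by_len.setdefault(net.prefixlen, set()).add(net)

    def match(self, ip):
        addr = ipaddress.ip_address(ip)
        lookups = 0
        for plen, nets in self.by_len.items():
            lookups += 1
            if ipaddress.ip_network(f"{addr}/{plen}", strict=False) in nets:
                return "DROP", lookups
        return "ACCEPT", lookups


def render_ipset_rules(setname, cidrs):
    """Commands that load the list into one set and hook it with one rule."""
    lines = [f"ipset create {setname} hash:net"]
    lines += [f"ipset add {setname} {c}" for c in cidrs]
    lines.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return lines


def compare(cidrs=BLOCKED, probes=("192.0.2.5", "10.79.249.9", "100.65.3.4")):
    """Verdict and cost of each probe under both lookup models."""
    chain, pset = build_chain(cidrs), PrefixSet(cidrs)
    return {"linear": {ip: linear_match(chain, ip) for ip in probes},
            "set": {ip: pset.match(ip) for ip in probes},
            "rule_lines": len(render_ipset_rules("cc_deny", cidrs))}


if __name__ == "__main__":
    result = compare()
    for ip in result["linear"]:
        print(f"{ip:<14} chain: {result['linear'][ip]}   ipset: {result['set'][ip]}")
    print("lines in rendered ipset script:", result["rule_lines"])
```

Running it, the legitimate probe 192.0.2.5 is compared against all 20,002 chain rules before it is accepted, while the set answers after two lookups (one per prefix length, /24 and /16). The same holds for the blocked probes: the linear walk costs as much as the position of the matching rule, the set costs one or two lookups. Blackhole routes (`ip route add blackhole ...`) sidestep the chain entirely for individual hosts, which is the other half of geekalot's suggestion.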
@geekalot thanks for the informative reply! Will look into what you're suggesting.
Why punish entire countries just because a lot of attacks appear to be 'coming from' them?
I'm no expert, but couldn't it be that the attacks are not 'originating' from those countries and that, rather, they are merely being used as proxies?
lol.
@HostNun because I don't care about these countries nor do my customers. They provide 0 value to my business or my customers.
@agoldenberg I wasn't debating whether or not those countries provide any value to your business, nor was I arguing that you or your customers should 'care' about them. I was only saying that the attacks might be originating from elsewhere, so it doesn't make sense to immediately single them out.
Ban the deed, not the breed?
Certain countries such as China are known for launching massive attacks and malicious actions against other servers. They may not be the ones directly participating in it, but they are still participating heavily in it. If @agoldenberg isn't looking for them as part of his clientele, there's nothing wrong with him blocking them out from his server. He isn't trying to reach to them, and they're well known for malicious activities, it's a win-win for him if he blocks out their IPs.
And the golden rule of servers also applies (following in coordination with your host's policies): His server, his rules.
He asked what's causing the DNS not to work, he didn't ask to be called an idiot.
Back to the question, did you make sure port 53 is in the allowed list in both incoming and outgoing for TCP and UDP?
@ub3rstar yes sir I did.
That's true, but I wasn't giving him any advice on how to run his server either. I was simply saying not to be so hasty to apply blame.
Same performance hit from blocking a high number of subnets. Be careful of implying that subnet blocking is less likely to, because you'll encourage people to add 30,000 subnets to their firewall very easily. At a certain point in that game, one should consider whitelisting over blacklisting.