cPanel CSF issue

agoldenberg Member, Host Rep

Hi Guys,

I'm sure a lot of you know a lot more about cPanel / WHM than I do.

Here's the issue I need help with. I've installed CSF and set up a couple of CC_DENY countries.

Now when I enable CSF and LFD for some reason I cannot resolve any of the domains I host.

Any idea why this may be happening?


Comments

  • GreenHostBox Member
    edited October 2014

    Either:

    1. You may have blocked your own country.
    2. Your IP may be blocked from the firewall (Add your IP to the allow list)

    Try checking if the domains are resolvable with different IPs (VPNs, proxies, etc.)

  • Banning entire countries for your lack of comprehensive firewall rules management. I bet you received a very warm welcome from the Idiot's Club.

    Thanked by 2: jar, doughmanes
  • IMHO He's free to ban whichever countries he wants to ban.

  • @Blanoz said:
    Banning entire countries for your lack of comprehensive firewall rules management. I bet you received a very warm welcome from the Idiot's Club.

    If the countries are not a target demographic for whatever the sites are about why is this an issue?

    @DalekOfSkaro said:
    IMHO He's free to ban whichever countries he wants to ban.

    His server, his rules.

  • wych said: His server, his rules.

    Exactly.

    We ban certain countries from our billing system actually. Some are banned because 100% of orders coming from them are fraud. Many hosting providers don't provide services to customers from Iran for example.

  • agoldenberg Member, Host Rep

    The reason for blocking countries is massive amounts of traffic and brute force attempts from China, Poland, Russia, Afghanistan and a couple others.

    1) No my IP is whitelisted.
    2) I haven't blocked Canada.

    Thanked by 1: geekalot
  • Lee Veteran

    I usually don’t block unless I have to however my Wable VPS’s are getting hit really bad, every notification I see there is China. So this thread has just reminded me to add some new rules to iptables and block out that country.

  • @agoldenberg said:
    The reason for blocking countries is massive amounts of traffic and brute force attempts from China, Poland, Russia, Afghanistan and a couple others.

    1) No my IP is whitelisted.
    2) I haven't blocked Canada.

    There are easier ways to combat that than blocking out the whole country.

  • agoldenberg Member, Host Rep

    @nexmark and all the other people. None of my clients care about Chinese or Japanese or Russian or Korean visitors. All we get from them are brute force attempts and spam. So either try to stay on topic and maybe make a contribution to the thread or fuck off and troll elsewhere.

  • jar Patron Provider, Top Host, Veteran
    edited October 2014

    @agoldenberg said:
    nexmark and all the other people. None of my clients care about Chinese or Japanese or Russian or Korean visitors. All we get from them are brute force attempts and spam. So either try to stay on topic and maybe make a contribution to the thread or fuck off and troll elsewhere.

    You're such a nice guy. On topic though:

    When you ban entire countries, you hurt most the people you want to let in. Let me explain how firewall blocks work.

    Client: Hi I would like to enter.

    Server: Great! Do you meet rule #1? No? Next rule.

    Server: Great! Do you meet rule #2? No? Next rule.

    Server: Great! Do you meet rule #3? No? Next rule.

    Server: Great! Do you meet rule #4? No? Next rule.

    Server: Great! Do you meet rule #5? No? Next rule.

    Server: Great! Do you meet rule #6? No? Next rule.

    Server: Great! Do you meet rule #7? No? Next rule.

    Server: Great! Do you meet rule #8? No? Next rule.

    Server: The last rule says you're allowed, so come on in!

    Now just add 20,000 subnet block rules to your iptables and use your imagination. Try not to host any high traffic websites. In short, you make system administrators cry when you do this.

  • ATHK Member
    edited October 2014

    Make sure FASTSTART is set to 0..

    CC_DENY and fast start never plays nice for me...

    Although this probably wouldn't block your IP..

  • agoldenberg Member, Host Rep

    @Jar makes sense. So what's the better way? Just block IPs as they brute force?

  • agoldenberg said: Just block IPs as they brute force?

    That's what CSF does anyway ;)

  • @agoldenberg said:
    Jar makes sense. So what's the better way? Just block IPs as they brute force?

    Yes, and multiple blocks from the same subnet should result in a netblock.

    This way you don't need to block each IP in the /24 individually.

  • jar Patron Provider, Top Host, Veteran
    edited October 2014

    @agoldenberg said:
    Jar makes sense. So what's the better way? Just block IPs as they brute force?

    Yeah, catch and release is the best way. It stops you from being the ultimate victim. It sucks to pay a price in performance for their bad networks. The impact is low if they fail to log in say 3-5 times, it's when they hammer away for hours that it really just makes you want to smash things. Fortunately LFD is really good at this and you get that with CSF. Alternatively, fail2ban is awesome. I like something around 5 login failures = 6 hour ban.

  • @agoldenberg I usually block subnets. For example, when I see various suspicious behaviors I look up the IP and if it is from the Eastern bloc, China, India, etc., I block the entire subnet with csf. :)

    NetRange: XX.0.0.0 - XX.255.255.255

    CIDR: XX.0.0.0/8

    [Wed Oct 08 17:30:16 2014] [error] [client 91.XXX.XXX.XX] client denied by server configuration: /webdir/website/public_html/wp-login.php
    [Wed Oct 08 17:30:18 2014] [error] [client 91.XXX.XXX.XX] client denied by server configuration: /webdir/website/public_html/wp-login.php
    [Wed Oct 08 17:30:19 2014] [error] [client 91.XXX.XXX.XX] client denied by server configuration: /webdir/website/public_html/wp-login.php
    

    Also, I enable the following block list too.
    /etc/csf/csf.blocklists

    mod_sec is your best friend with cpanel servers. And if you have port 25 open, make sure you adjust the settings for protecting the mail server, You wouldn't believe how many connections you can simply ignore, and you will have more resources for the real customers.

    Last, the other day I saw an IP with tons of connections. I run this command to check the connections, and then proceed to block it.

    netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
    
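The catch-and-release approach described in the replies above (ban an IP after a handful of failures, and roll several banned IPs from one /24 up into a netblock), worked through as an added example; this is not code from the thread or from CSF. It assumes that 5 denied hits within 10 minutes earn a 6 hour ban and that 3 banned IPs in one /24 block the whole /24, and it runs over constructed log lines in the Apache error-log format quoted above; the csf CLI calls it prints use csf's documented -td (temporary deny) and -d (permanent deny) options:

```python
"""Added example, not from the thread: catch-and-release banning with /24 escalation.

Reads Apache error-log lines in the format quoted above, temp-bans an IP after a
burst of denied requests, and escalates to a /24 block once several distinct IPs
in that /24 have been banned. Thresholds, log lines and addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                    # assumption: 5 denied hits ...
FAIL_WINDOW = timedelta(minutes=10)   # ... inside 10 minutes ...
BAN_DURATION = timedelta(hours=6)     # ... earn a 6 hour ban (the "5 failures = 6 hour ban" idea)
SUBNET_THRESHOLD = 3                  # assumption: 3 banned IPs in one /24 -> block the /24

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"client denied by server configuration: (?P<path>\S+)$"
)

# Constructed sample: (seconds after BASE, client IP), all in documentation ranges.
BASE = datetime(2014, 10, 8, 17, 30, 16)
EVENTS = (
    [(s, "198.51.100.10") for s in range(5)]          # 5 hits in 5 s -> ban
    + [(10 + s, "198.51.100.11") for s in range(5)]   # second host in the same /24 -> ban
    + [(20 + s, "198.51.100.12") for s in range(5)]   # third -> the whole /24 is blocked
    + [(30 + s, "198.51.100.13") for s in range(5)]   # already covered by the /24 block
    + [(40, "203.0.113.5"), (41, "203.0.113.5")]      # two failures: below threshold
    + [(700 * k, "192.0.2.7") for k in range(5)]      # 5 failures, but almost 12 min apart
)
SAMPLE_LOG = "\n".join(
    f"[{(BASE + timedelta(seconds=s)).strftime('%a %b %d %H:%M:%S %Y')}] [error] "
    f"[client {ip}] client denied by server configuration: /home/site/public_html/wp-login.php"
    for s, ip in sorted(EVENTS)
)


def parse_line(line):
    """Return (timestamp, ip, path) for a matching line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("path")


def analyse(log_text):
    """Return (ip_bans, subnet_bans): ip -> ban expiry, and the set of blocked /24s."""
    recent = defaultdict(list)   # ip -> timestamps of denied hits inside FAIL_WINDOW
    ip_bans = {}
    subnet_bans = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _path = parsed
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if net in subnet_bans or ip_bans.get(ip, ts) > ts:
            continue   # already blocked: the firewall would have dropped this packet
        # keep only hits inside the window, then add this one
        recent[ip] = [t for t in recent[ip] if ts - t <= FAIL_WINDOW] + [ts]
        if len(recent[ip]) < FAIL_THRESHOLD:
            continue
        ip_bans[ip] = ts + BAN_DURATION
        recent.pop(ip)
        banned_here = [b for b in ip_bans if ipaddress.ip_address(b) in net]
        if len(banned_here) >= SUBNET_THRESHOLD:
            subnet_bans.add(net)
    return ip_bans, subnet_bans


def csf_commands(ip_bans, subnet_bans):
    """Render the equivalent csf CLI calls: 'csf -td <ip> <ttl seconds>' for the
    temporary bans and 'csf -d <cidr>' for the permanent netblocks."""
    ttl = int(BAN_DURATION.total_seconds())
    cmds = [f"csf -td {ip} {ttl}" for ip in sorted(ip_bans)]
    cmds += [f"csf -d {net}" for net in sorted(subnet_bans)]
    return cmds


if __name__ == "__main__":
    bans, nets = analyse(SAMPLE_LOG)
    for cmd in csf_commands(bans, nets):
        print(cmd)
```

On a cPanel box with CSF installed, LFD already does the per-IP part of this from its own log watching; the value of a model like this is being able to reason about the thresholds and the /24 roll-up before committing them, since every netblock you add is a rule every legitimate packet has to walk past.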
  • DewlanceVPS Member, Patron Provider

    Please do not ban any country. This is not right.

    Thanked by 1: HostNun
  • Blanoz Member
    edited October 2014

    Any automated bruteforce can be put to silence using the right firewall rules. Same for multiple connections from the same IP. Change ports and use strict rules, eg 4 consecutive attempts within 1 hour = 6 hour ban or simply restrict simultaneous connections from the same IP - make sure not to enforce the last rule on 80/443. All of this can be swiftly tuned in CSF.

    I had plenty of opportunities to check client's complaints of bruteforce and guess what: they were using port 22 and/or ran old versions of bind/apache without hiding the version number.

    As long as there will be free proxies and VPNs, you're not safe. Try reading start to end the /etc/csf/csf.conf - 95% of that damn long file consists of comments on how each rule (or set of rules) work/s.

    Good luck!

  • jmginer Member, Patron Provider

    Try with my csf.conf

    https://ginernet.com/csf.conf

    Don't forget to edit alert e-mails:

    LF_ALERT_TO = ""
    LF_ALERT_FROM = ""
    X_ARF_FROM = ""
    X_ARF_TO = ""
    

    And be sure that in CSF > Test iptables, all is OK like this:

    Testing iptables...
    
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    
    RESULT: csf should function on this server
    ...Done.
    
  • Your IP might have been blocked by the firewall. To avoid this issue, use another IP.

  • geekalot Member
    edited October 2014

    @agoldenberg said:
    Jar makes sense. So what's the better way? Just block IPs as they brute force?

    @agoldenberg: IMHO, from a performance perspective, you are better off blackhole routing individual IPs that bruteforce (i.e., via fail2ban, etc) OR using ipset .... (various posts on serverfault and stackoverflow tend to agree). And, if you see multiple IPs within the same subnet, to then use the firewall to block the subnets.

    Performance may suffer if you use iptables to block high numbers of individual IPs.

    (There will be purists who will argue that blackhole routing is not as effective a security strategy as using iptables but when using the two of them in concert, it is a very effective combination.)
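To put numbers on jar's rule-by-rule walk above and geekalot's ipset suggestion, here is an added example (not from the thread, and not iptables or ipset code) that models three ways of holding a block list and counts how many checks one packet from an allowed client costs under each. The deny list, the rule counts and the client address are constructed, and the ipset-like lookup is a simplified model (one hash probe per distinct prefix length), not ipset itself:

```python
"""Added example, not from the thread: what a long deny chain costs the clients
you actually want to let in.

Three lookups over the same constructed deny list: a linear chain walk (an
iptables chain), a short whitelist chain, and a set lookup bucketed by prefix
length (a simplified model of ipset's hash:net). Each returns (verdict, checks).
"""
import ipaddress
import random

CLIENT = "192.0.2.10"   # constructed: a legitimate visitor in a documentation range


def build_deny_rules(n, seed=1):
    """Constructed deny list of n distinct /24 networks, none in 192.0.0.0/8,
    so CLIENT never matches. Note a /24 rule costs exactly as much to test
    as a single-host rule."""
    rng = random.Random(seed)
    nets, seen = [], set()
    while len(nets) < n:
        net = ipaddress.ip_network(
            f"{rng.randrange(1, 192)}.{rng.randrange(256)}.{rng.randrange(256)}.0/24")
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets


def chain_lookup(deny_rules, addr):
    """Linear walk: every deny rule is tested until one matches; an allowed
    client has to get past all of them to reach the final ACCEPT."""
    ip = ipaddress.ip_address(addr)
    checks = 0
    for net in deny_rules:
        checks += 1
        if ip in net:
            return "DROP", checks
    return "ACCEPT", checks


def whitelist_lookup(allow_rules, addr):
    """The inverse chain: a few allow rules, then a DROP policy. Wanted clients
    match early, and everyone else pays for the walk instead."""
    ip = ipaddress.ip_address(addr)
    checks = 0
    for net in allow_rules:
        checks += 1
        if ip in net:
            return "ACCEPT", checks
    return "DROP", checks


class NetSet:
    """ipset-like model: networks bucketed by prefix length, so a lookup is one
    hash probe per distinct prefix length, however many networks are stored."""

    def __init__(self, deny_rules):
        self.by_len = {}
        for net in deny_rules:
            self.by_len.setdefault(net.prefixlen, set()).add(net.network_address)

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        probes = 0
        for plen, nets in self.by_len.items():
            probes += 1
            candidate = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            if candidate.network_address in nets:
                return "DROP", probes
        return "ACCEPT", probes


def compare(n_rules, client=CLIENT):
    """Cost of admitting one packet from `client` under each strategy."""
    rules = build_deny_rules(n_rules)
    allow_rules = [ipaddress.ip_network("192.0.2.0/24")]   # constructed whitelist
    return {
        "rules": n_rules,
        "chain": chain_lookup(rules, client),
        "set": NetSet(rules).lookup(client),
        "whitelist": whitelist_lookup(allow_rules, client),
    }


if __name__ == "__main__":
    for n in (100, 1000, 20000):
        r = compare(n)
        print(f"{n:>6} deny rules: chain {r['chain'][1]:>6} checks, "
              f"set {r['set'][1]} probe(s), whitelist {r['whitelist'][1]} check(s)")
```

The chain column grows one-for-one with the number of deny rules, whether those rules are hosts or subnets, which is why bulk country lists hurt the visitors you want most; the set and whitelist columns stay flat no matter how large the list gets.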

    EDIT: Added a couple of reference links

  • agoldenberg Member, Host Rep

    @geekalot thanks for the informative reply! Will look into what you're suggesting.

  • @agoldenberg said:
    The reason for blocking countries is massive amounts of traffic and brute force attempts from China, Poland, Russia, Afghanistan and a couple others.

    Why punish entire countries just because a lot of attacks appear to be 'coming from' them?

    I'm no expert, but couldn't it be that the attacks are not 'originating' from those countries and that, rather, they are merely being used as proxies?

    1) No my IP is whitelisted.
    2) I haven't blocked Canada.

    lol.

  • agoldenberg Member, Host Rep

    @HostNun because I don't care about these countries nor do my customers. They provide 0 value to my business or my customers.

  • @agoldenberg I wasn't debating whether or not those countries provide any value to your business, nor was I arguing that you or your customers should 'care' about them. I was only saying that the attacks might be originating from elsewhere, so it doesn't make sense to immediately single them out.

    Ban the deed, not the breed?

  • @HostNun said:
    agoldenberg I wasn't debating whether or not those countries provide any value to your business, nor was I arguing that you or your customers should 'care' about them. I was only saying that the attacks might be originating from elsewhere, so it doesn't make sense to immediately single them out.

    Ban the deed, not the breed?

    Certain countries such as China are known for launching massive attacks and malicious actions against other servers. They may not be the ones directly participating in it, but they are still participating heavily in it. If @agoldenberg isn't looking for them as part of his clientele, there's nothing wrong with him blocking them out from his server. He isn't trying to reach to them, and they're well known for malicious activities, it's a win-win for him if he blocks out their IPs.

    And the golden rule of servers also applies (following in coordination with your host's policies): His server, his rules.

  • @Blanoz said:
    Banning entire countries for your lack of comprehensive firewall rules management. I bet you received a very warm welcome from the Idiot's Club.

    He asked what's causing the DNS not to work, he didn't ask to be called an idiot.

    Back to the question, did you make sure port 53 is in the allowed list in both incoming and outgoing for TCP and UDP?

    Thanked by 1: Pwner
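A small check for the two settings raised in this thread (port 53 in the incoming and outgoing TCP and UDP lists, and FASTSTART set to 0 when CC_DENY is in use), written as an added example; it is not code from the thread or from CSF. It parses the KEY = "value" lines csf.conf uses; the two config fragments inside are constructed, while the key names TCP_IN, TCP_OUT, UDP_IN, UDP_OUT, CC_DENY and FASTSTART are csf.conf's own:

```python
"""Added example, not from the thread: check a csf.conf for the settings that
stop DNS working behind CSF. Config fragments are constructed; key names are csf's.
"""
import re

CSF_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')
DNS_PORT = 53
PORT_LISTS = ("TCP_IN", "TCP_OUT", "UDP_IN", "UDP_OUT")

# Constructed: inbound 53 missing from both lists and FASTSTART left on.
BROKEN_CONF = '''
TCP_IN = "20,21,22,25,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21"
UDP_OUT = "20,21,53,113,123"
CC_DENY = "XX,YY"
FASTSTART = "1"
'''

# Constructed: the same config with 53 in every list and FASTSTART off.
# "XX,YY" are placeholder country codes, not real ones.
FIXED_CONF = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
CC_DENY = "XX,YY"
FASTSTART = "0"
'''


def parse_csf_conf(text):
    """Map KEY -> value for every KEY = "value" line; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = CSF_LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def port_allowed(spec, port):
    """True if port is in a csf port list such as "20,21,53,30000:35000"."""
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:                     # csf writes ranges as low:high
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(item) == port:
            return True
    return False


def check_dns(conf):
    """Return the problems that would break DNS under this config; [] means clean."""
    problems = []
    for key in PORT_LISTS:
        if not port_allowed(conf.get(key, ""), DNS_PORT):
            problems.append(f"{key} does not allow port {DNS_PORT}")
    if conf.get("CC_DENY", "") and conf.get("FASTSTART", "0") != "0":
        problems.append('FASTSTART should be "0" when CC_DENY is in use')
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_dns(parse_csf_conf(text)) or "OK")
```

Run it against the real /etc/csf/csf.conf by reading the file into parse_csf_conf; an authoritative nameserver on the box needs 53 inbound on both protocols, and the box's own resolver needs 53 outbound on both, so a miss in any of the four lists shows up as "cannot resolve" exactly as described in the opening post.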
  • agoldenberg Member, Host Rep

    @ub3rstar yes sir I did.

  • @Pwner said:
    And the golden rule of servers also applies (following in coordination with your host's policies): His server, his rules.

    That's true, but I wasn't giving him any advice on how to run his server either. I was simply saying not to be so hasty to apply blame.

  • jar Patron Provider, Top Host, Veteran
    edited October 2014

    @geekalot said:
    Performance may suffer if you use iptables to block high numbers of individual IPs

    Same performance hit from blocking high number of subnets. Be careful of implying that subnet is less likely to, because you'll encourage people to add 30,000 subnets to their firewall very easily. At a certain point in that game, one should consider whitelisting over blacklisting.
