Strange Problem with CSF on CentOS - Please kindly help!
Dear all,
I am facing a strange problem with CSF (ConfigServer Firewall) on a CentOS 6 machine that I never came across before and even Aunt Google did not come up with an answer...
Whenever I manually insert an IP into /etc/csf/csf.deny, either using an editor or via "csf -d IPADRESS", it perfectly blocks the IP from connecting via SSH, but the IP can still access the website that is hosted on the server.
I am used to (and expect) that IP being blocked for connections to any port and service on the machine. Why does it still come through via port 80? I am absolutely clueless and helpless. Hopefully, one of you may be able to help me out!
Thanks in advance & Cheers,
-Amitz
Comments
Did you restart CSF after making the change / addition?
csf -r
Run this command to check if you have the required iptables modules.
perl /etc/csf/csftest.pl
Thanks for your answers!
Yes, I did a
afterwards and this is the output of the csftest:
I just reinstalled CSF and it keeps happening... :-(
Did you restart lfd? Why don't you use the GUI, btw? Does the GUI work, or does even that fail?
Yes, I also restarted lfd.
I never used the GUI before. It was never necessary... I think that CSF is quite simple to handle and never had any problem on other boxes with it. That's why I am so clueless what is going on here.
How do you know the block isn't working?
Try today and see if that is working. Also check your csf config (there was an option somewhere to block/allow certain parts of the server and vice versa; haven't logged into WHM for ages).
I can enter my own IP with "csf -d". Afterwards, connecting to the server via SSH (for example) no longer works, while I can still browse the website on the server.
I have furthermore added the IP of a bandwidth abuser in csf.deny and he is still sucking stuff like crazy.
I never looked at it - Is the GUI called by http://SERVER_IP:Port?
Is it a whm/cpanel server or csf running standalone?
CSF standalone. I have just activated the GUI in csf.conf. I even opened port 6666 but cannot connect to it via http://SERVER_IP:6666.
//Edit: Also tried to set alternative port numbers. Did not work either.
But, however, GUI aside: Any more ideas concerning this strange issue?
Reboot? Flush your ip tables? Reinstall CSF?
Did all that (besides a server reboot). Do you feel my despair? ;-)
What virtualization type is the server running?
You can do
iptables -L -n
to see what rules actually exist, and whether the IP is blocked for all ports or only ssh (e.g., --dport 22).
Sorry, I forgot: It is a dedicated server. So limits from the host OS should not apply.
This is the output of
Everything seems to be fine. It's a mystery for me right now.
How are you determining that the IP is still able to connect?
I used my own IP for testing.
Maybe you have a rule before it that says something like "allow all on port 80", which would take precedence.
I would love to check that, but the server did not come back after a reboot that I initiated some minutes ago. The DC is now kind enough to check the reason...
Thank god - I was not greedy and have the website on that server mirrored on a cheap dedicated at OVH. Just switched DNS settings and will hopefully not be offline too long.
You could always abandon csf for apf. Superior imo
I installed CSF in DirectAdmin, but as soon as I start it, no FTP can connect.
BANG!
I am so stupid... I have found the reason for the issue and wanted to share my stupidity with you. The website in question is behind a free CloudFlare plan. Therefore all requests to the webserver are coming from CloudFlare IPs and not from the direct IP of the visitor. Therefore I could deny as many IPs as I would like to in csf.deny - That will never affect anything as long as the visitor is behind a CloudFlare IP.
My question now is: How do I lock somebody out from the website via IP denial while still using CloudFlare? There must be a possibility for this, I am surely not the only one with that problem...
//Edit: Ah. I just saw that CloudFlare is also offering a blacklist/whitelist IP interface. That would be the way to go then, I guess...
Unless CloudFlare sends some referrer IP in the call to your server and does not override everything with its own IP, you won't be able to.
Even if it does, it can't be done at the simple CSF level; you need some DPI.
@Amitz You can do something like this too.. http://danielmiessler.com/blog/getting-real-ip-addresses-using-cloudflare-nginx-and-varnish
Just stick that on a LEB.
CF does have an entire header with the IP, and another with the country if enabled.
They're likely the most friendly reverse proxy service there is.
Just map the IP to a variable, and then deny if it matches that.
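To make the discovery above and the header-based fix concrete, here is an added example that is not code from the thread or from CloudFlare. It walks a constructed access-log sample where the first field is the TCP peer and the last field is the value of the `CF-Connecting-IP` request header, and compares what a firewall-level deny (csf/iptables, which only ever sees the peer) would refuse with what an application-level check on the header would refuse. The addresses are documentation ranges; `CF_EDGES` stands in for CloudFlare's published edge ranges, which you would fetch from them rather than hard-code.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a csf.deny entry for a visitor
# has no effect behind CloudFlare, and what a check on CF-Connecting-IP sees.
# All addresses are constructed. CF_EDGES is a placeholder for CloudFlare's
# real edge ranges (proper deployments match CIDRs, not single hosts).
CF_EDGES="198.51.100.10 198.51.100.11"
DENYLIST="203.0.113.7"           # the "bandwidth abuser" we want out

# Constructed access-log lines: peer address first, CF-Connecting-IP last
# ("-" when the header was absent). The last line is a direct hit that
# bypassed CloudFlare entirely.
LOG='198.51.100.10 - - [10/Oct/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 203.0.113.7
198.51.100.11 - - [10/Oct/2012:10:00:02 +0000] "GET /big.iso HTTP/1.1" 200 734003200 203.0.113.7
198.51.100.10 - - [10/Oct/2012:10:00:03 +0000] "GET / HTTP/1.1" 200 512 203.0.113.9
203.0.113.7 - - [10/Oct/2012:10:00:04 +0000] "GET / HTTP/1.1" 200 512 -'

# in_list ITEM "a b c" -> exit 0 if ITEM is one of the space-separated words
in_list() { for x in $2; do [ "$x" = "$1" ] && return 0; done; return 1; }

# Firewall view: iptables/csf only sees the TCP peer, never the header.
firewall_denies() { in_list "$1" "$DENYLIST"; }

# client_ip PEER HEADER -> the address an application should attribute the
# request to. The header is trusted only when the peer is a CloudFlare edge;
# a direct connection could carry any value in it.
client_ip() {
    if in_list "$1" "$CF_EDGES" && [ "$2" != "-" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Application view: deny when the attributed client address is listed.
app_denies() { in_list "$(client_ip "$1" "$2")" "$DENYLIST"; }

# count_denied firewall|app -> number of sample requests that layer refuses
count_denied() {
    printf '%s\n' "$LOG" | {
        n=0
        while read -r line; do
            peer=${line%% *}          # first field
            hdr=${line##* }           # last field
            if [ "$1" = firewall ]; then
                if firewall_denies "$peer"; then n=$((n + 1)); fi
            else
                if app_denies "$peer" "$hdr"; then n=$((n + 1)); fi
            fi
        done
        echo "$n"
    }
}

# Stand-alone usage.
echo "requests from $DENYLIST refused by csf/iptables: $(count_denied firewall)"
echo "requests from $DENYLIST refused by a header check: $(count_denied app)"
```

Of the three requests the listed visitor made, the firewall-level deny catches only the one that came in directly; the two that arrived through CloudFlare have an edge address as their peer, so `csf.deny` never matches them, which is the effect the thread starter observed. Trusting the header only when the peer is a CloudFlare edge is the part that matters when you implement "map the IP to a variable and deny on it" in the web server, otherwise anyone connecting directly can set `CF-Connecting-IP` to whatever they like.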
Nice
Never used them, no need, but it may become handy one day.