Afraid to turn off csf testing mode. How do I know I won't be locked out?
lowendguy7
Member
I've read a few reports of people getting locked out due to iptables, whatever that is (I just obediently follow tutorials :P). This sounds like just the kind of thing that would happen to me.
I see that the testing mode prevents this, but it must be disabled to properly enable the firewall.
So how do I make sure I am gonna be able to log in myself before disabling testing mode?
By the way, I have added nothing to the config files yet, so would I need to add my local IP before enabling? I have a dynamic IP address and often need to refresh it.
Comments
Add your IP to the whitelist: csf -a IP from the command line, or in the Quick Allow section of the GUI.
Out of band management! Is it OpenVZ?
Besides whitelisting your IP, make sure your SSH port is added to TCP_IN in /etc/csf/csf.conf, in case you have a dynamic IP address.
Same goes for cPanel ports or any other panel you use.
What does that mean?
As I said, my IP is dynamic, so will it definitely be OK if I do the above steps? How can I test before initializing?
After you add the SSH port to TCP_IN, try to restart CSF (csf -r); if there is something wrong with the config file, it won't restart.
You can test from a VPN connection, maybe. I have installed CSF millions of times and never had a problem.
The IP that installed CSF should be added by default to the whitelist.
Hmm, but if mine is dynamic, does it also take that into account, or do I have to make the changes manually for it to accept my changing IPs?
Whitelist whatever IPs you use, and if you get locked out, it's still possible to fall back on VNC access. The best thing about a dynamic IP is that every time you reconnect, the IP changes, so access will be possible.
Use an 'at' task to disable CSF (csf -x) after 5 minutes. Enable CSF; if you do get locked out, CSF will disable itself after 5 minutes.
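The two pieces of advice above (check that the SSH port is in TCP_IN before restarting with csf -r, and schedule a one-shot csf -x with at as a safety net) fit together into a small pre-flight script. This is an added example for this thread, not part of CSF or of any poster's setup. It assumes the CSF config is at /etc/csf/csf.conf (override with CSF_CONF) and that csf and at are installed on the real server; the sample config it builds for the dry run is constructed and deliberately leaves port 22 out so the failure path is visible.

```shell
#!/bin/sh
# Pre-flight check before turning off CSF testing mode (TESTING = "0" in csf.conf).
# Added example for this thread; it is not part of CSF. Assumptions: the CSF config
# lives at /etc/csf/csf.conf (override with CSF_CONF) and csf(1)/at(1) exist on the
# real server. The sample config built below is constructed for an offline dry run.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# Print the value of a quoted CSF setting, e.g. TCP_IN = "20,21,22" -> 20,21,22
# Anchored at line start so commented-out copies of a setting are ignored.
csf_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Exit 0 when port $2 is covered by the comma-separated list $1 (CSF allows a:b ranges).
# Runs in a subshell so the IFS change stays local.
port_in_list() (
    IFS=','
    for item in $1; do
        case "$item" in
            *:*) [ "$2" -ge "${item%%:*}" ] && [ "$2" -le "${item##*:}" ] && return 0 ;;
            *)   [ "$item" = "$2" ] && return 0 ;;
        esac
    done
    return 1
)

# Exit 0 only if the SSH port is in TCP_IN: the check to do before restarting csf
# with testing mode off, so a changing home IP can still reach sshd at all.
preflight() {
    conf="$1"; port="$2"
    tcp_in="$(csf_setting "$conf" TCP_IN)"
    if port_in_list "$tcp_in" "$port"; then
        echo "OK: port $port is in TCP_IN (TESTING = \"$(csf_setting "$conf" TESTING)\")"
        return 0
    fi
    echo "STOP: port $port is not in TCP_IN=\"$tcp_in\"; add it before setting TESTING = \"0\"" >&2
    return 1
}

# One-shot safety net: schedule 'csf -x' (disable csf and lfd) with at(1) so a
# mistake undoes itself after $1 minutes. Cancel it with atrm once you have
# confirmed you can still log in.
schedule_safety_net() {
    minutes="${1:-5}"
    command -v at >/dev/null 2>&1 || { echo "at(1) not installed" >&2; return 1; }
    echo "csf -x" | at now + "$minutes" minutes
}

# Constructed sample config (deliberately missing port 22) for the offline dry run.
make_sample_conf() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
TESTING = "1"
# TCP_IN = "this commented copy must be ignored"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,30000:35000"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF
    echo "$f"
}

# Dry run on the sample. On the real server: preflight "$CSF_CONF" 22 && schedule_safety_net 5 && csf -r
sample="$(make_sample_conf)"
preflight "$sample" 22 || true      # STOP: 22 was left out of TCP_IN
preflight "$sample" 32022 || true   # OK: covered by the 30000:35000 range
rm -f "$sample"
```

Run it as root with SSH_PORT substituted for 22 if sshd listens elsewhere; if preflight prints STOP, fix TCP_IN first. Only after it prints OK set TESTING = "0", schedule the safety net, run csf -r, then open a second SSH session to confirm access before removing the at job with atrm.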
What is VNC?
Doesn't your VPS come with a working console in the control panel?
No, the console didn't work due to Java issues, so I went straight with PuTTY.
Get a cheap VPS for a static-IP VPN, then whitelist that static IP; you won't have to worry about your dynamic IP later.
I believe you can counter that by using a browser like Internet Explorer (please don't kill me :P)
It's what I used to do on SolusVM, since Chrome doesn't allow Java.
I also do believe you can use a VNC client, such as RealVNC, to connect to the server.
Unless you change it, the first lockout for a wrong password expires after a few minutes anyway.
It's only if you keep getting it wrong that it will permanently ban the IP.
OK, so there are still ways around it even if I did get locked out? It puts my mind at ease if so. It's just that, reading around, I got the impression that Linux is brutal and unforgiving when it comes to making errors.
Unless you blocked SSH totally (i.e. it's not in your allowed ports list), even if CSF did block your IP for too many invalid logins, it's only that IP that's blocked; there's nothing to stop you connecting from another IP, provided you have access to one.
That's exactly what I do.
And like you, I use at instead of cron so it's one-time. Otherwise I fear I'd forget to disable the disabler :-)
So, whitelist an IP address range?
I thought the issue is that it blocks ALL IP addresses that are not in the whitelist? And also the issue would be that if I reset my router, then the new one would be blocked too?
I was following a tutorial saying to change the port from the default for added security, but I read around and a lot of people say there is no point/need when you have iptables running. What do you guys think?
If you mean changing the SSH port, yes, it does make sense to do it as well; however, make sure the new port is changed in the CSF config.
For something that takes a few seconds to change, it will remove 99% of the bots hitting the standard port 22 and wasting iptables' time.
So no one confirmed this... does iptables/CSF block ALL IPs not on the whitelist once activated? I.e. if I reset my router, would I then be locked out?
It does not block an IP unless there is a reason, such as multiple failed login attempts, etc.
You will only be able to access ports that are whitelisted in '/etc/csf/csf.conf' though.
Yup, this.
Or other steps:
Configure CSF to whitelist dynamic IPs; example I posted for my Centmin Mod users, as CSF is auto-installed for the Centmin Mod LEMP stack: http://centminmod.com/csf_firewall.html#dynamicip
Set up a private VPN on another VPS server, or if you have other VPS servers, you can whitelist the VPN IP and/or other VPS servers on the CSF-installed VPS server, then connect to the blocked VPS from your VPN or other whitelisted VPS server IPs.
So can I do this for my home dynamic IP as well? I.e. I don't have to sign up for such third-party junk? Since I don't like signing up to stuff unless absolutely necessary.
Just add a cronjob that disables CSF/iptables/whatever after 15 minutes.
Yeah, you can whitelist your IP range.