
Install After changing IP address of server

Discussion in 'Install & Upgrades or Pre-Install Questions' started by Lav, Apr 12, 2020.

  1. Lav

    Lav Member

    49
    1
    8
    Feb 23, 2020
    Ratings:
    +1
    Local Time:
    1:59 AM
    1.17.8
    10.3
    Please fill in any relevant information that applies to you:
    • CentOS Version: CentOS 7 64bit
    • Centmin Mod Version Installed: 123.09beta01
    • Nginx Version Installed: 1.17.9
    • PHP Version Installed: 7.3
    • MariaDB MySQL Version Installed: 10.xx.xx
    1. After changing the IP address of an already running centminmod wordpress stack server, what additional changes do I need to make to my stack?
    2. I am using mod_security, aggressive badbot blocker, maldet, csf fail2ban type rule setting. I need to update IP address on
    Code:
    /usr/local/nginx/conf/ultimate-badbot-blocker/bots.d/whitelist-ips.conf
    but apart from here do I need to update my new IP address somewhere else too, like in one of these security addons?
    3. Do you have any other recommendation for making my centminmod stack more secure apart from these addons?
    4. Will the letsencrypt ssl get auto renewed even when the domain has a new IP address now? If not, then what is the manual way of renewing the ssl certificate?
    5. I am using cloudfront CDN, do you have any other recommended settings or guide for cloudfront too just like cloudflare CDN?

     
  2. eva2000

    eva2000 Administrator Staff Member

    49,887
    11,488
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,845
    Local Time:
    6:29 AM
    Nginx 1.21.x
    MariaDB 10.x
    Letsencrypt will validate a domain according to the DNS pointed server IP, so as long as you update your DNS it should work.

    For Cloudfront CDN, you probably need to do the real IP detection setup on the Nginx side to be able to log a visitor's real IP instead of Cloudfront CDN IPs. The official Getting Started Guide step 5 (Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS) for front end proxy setups links to Nginx Cloudflare, AWS Cloudfront & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS; you just need to use the AWS IP ranges as outlined at AWS IP Address Ranges - AWS General Reference. The direct link to the official Centmin Mod documentation is Nginx Cloudflare, AWS Cloudfront & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS.

    fail2ban installed via fail2ban.sh at centminmod/centminmod-fail2ban would require editing the server IP listed in /etc/fail2ban/jail.local for the ignoreip = setting.

    For security steps, the initial welcome reply in the intro forum links to some: Hello Everyone
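
An added example, not part of the thread or of Centmin Mod's documentation: a Python script that turns the CLOUDFRONT entries of AWS's ip-ranges.json into the nginx real-IP directives the reply above refers to. The sample JSON is constructed (documentation prefixes), and the function names and the choice of X-Forwarded-For as the header are assumptions.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json. The prefixes are
# documentation ranges, not real CloudFront addresses.
SAMPLE_IP_RANGES = """
{"syncToken": "0", "createDate": "2020-04-12-00-00-00",
 "prefixes": [
  {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
  {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON", "network_border_group": "GLOBAL"},
  {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
  {"ip_prefix": "192.0.2.0/24", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"}],
 "ipv6_prefixes": [
  {"ipv6_prefix": "2001:db8:1000::/36", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"}]}
"""


def cloudfront_networks(doc):
    """Return the de-duplicated CLOUDFRONT networks, IPv4 first, sorted."""
    nets = set()
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            # Only CLOUDFRONT entries are trusted proxies; EC2/AMAZON ranges
            # include addresses any AWS customer can send requests from.
            if entry.get("service") == "CLOUDFRONT":
                nets.add(ipaddress.ip_network(entry[field]))
    return sorted(nets, key=lambda n: (n.version, n))


def realip_conf(doc, header="X-Forwarded-For"):
    """Render an nginx include with one set_real_ip_from line per network."""
    lines = [f"set_real_ip_from {net};" for net in cloudfront_networks(doc)]
    # Assumption: the visitor address is taken from this header.
    lines.append(f"real_ip_header {header};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # In production, load the downloaded ip-ranges.json instead of the sample.
    print(realip_conf(json.loads(SAMPLE_IP_RANGES)), end="")
```

Limiting set_real_ip_from to the CloudFront ranges is what keeps the logged address trustworthy: a request arriving from any other source keeps its connecting address, whatever header it sends.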

     
  3. Lav

    Thanks a lot for your suggestion. I got to learn some new things. I have some questions here.

    1. I want to block access to my domain via its ip address. I tried some guides but found no useful way to do this. Any way to achieve this?

    2. I am implementing csf fail2ban type rule after installation of centminmod stack via these codes
    Code:
    # enable CSF Firewall native fail2ban like support
    # https://community.centminmod.com/posts/62343/
    csf --profile backup backup-b4-customregex
    cp -a /usr/local/csf/bin/regex.custom.pm /usr/local/csf/bin/regex.custom.pm.bak
    egrep 'CUSTOM1_LOG|CUSTOM2_LOG|CUSTOM3_LOG|CUSTOM4_LOG' /etc/csf/csf.conf
    sed -i "s|CUSTOM1_LOG = .*|CUSTOM1_LOG = \"/home/nginx/domains/\*/log/access.log\"|" /etc/csf/csf.conf
    sed -i "s|CUSTOM2_LOG = .*|CUSTOM2_LOG = \"/home/nginx/domains/\*/log/error.log\"|" /etc/csf/csf.conf
    sed -i "s|CUSTOM3_LOG = .*|CUSTOM3_LOG = \"/var/log/nginx/localhost.access.log\"|" /etc/csf/csf.conf
    sed -i "s|CUSTOM4_LOG = .*|CUSTOM4_LOG = \"/var/log/nginx/localhost.error.log\"|" /etc/csf/csf.conf
    egrep 'CUSTOM1_LOG|CUSTOM2_LOG|CUSTOM3_LOG|CUSTOM4_LOG' /etc/csf/csf.conf
    wget -O /usr/local/csf/bin/regex.custom.pm https://gist.github.com/centminmod/f5551b92b8aba768c3b4db84c57e756d/raw/regex.custom.pm
    csf -ra
    Do I need to additionally install and activate fail2ban via fail2ban.sh? Can I implement both of these? Will it cause any conflict on my stack if both are implemented at the same time?

    3. Can I set access to my ssh port, sql port and ftpd ports from my own country and block all the rest of countries?
     
  4. eva2000

    Use one not both as I haven't tested both. Fail2ban would have greater control and wider application usage

    See my previous quoted reply about your welcome email listed security tip links last 2 links

    What methods have you tried so far?
     
  5. Lav

    There are some guides available such as this https://serverfault.com/questions/607137/restrict-direct-ip-access-to-website. But on centminmod, things are a little different: when I try to access my site via its ip address it lands me on the welcome screen of the centminmod page. I want to hide that page from the world. So any way to do that? Maybe by restricting self ip address access or anything like that?
     
  6. eva2000

    That happens because the welcome Centmin Mod nginx page is a separate nginx vhost site for the main hostname you set up at step 1 of the Getting Started Guide (Getting Started Guide - CentminMod.com LEMP Nginx web stack for CentOS), so its separate nginx vhost config file is at /usr/local/nginx/conf/conf.d/virtual.conf
    You could edit the /usr/local/nginx/conf/conf.d/virtual.conf nginx vhost for the main hostname and put in deny all and allow only your IP directives

    But not redirecting that hostname will break Centmin Mod administrative stats pages outlined in sticky thread in Centmin Mod Insights forum at PHP Opcode and Memcached statistics pages
     
  7. Lav

    Can you please elaborate as to what this means and how it's gonna affect my site and do I need to worry about that?

    I followed this guide NGINX — Disable direct access (via http and https) to a website using IP address and edited vhostconf and removed
    Code:
    root html;
    and put there
    Code:
    return 404;
    and it's working and direct ip address shows nginx error 404. Is this the right method to do it and will this cause some other error like the one you mentioned above about
    Code:
    break Centmin Mod administrative stats pages outlined in sticky thread in Centmin Mod Insights
    ?
     
  8. Lav

    I installed and configured fail2ban on a new server and upon visiting /etc/fail2ban/jail.local I found three ip addresses already registered there on ignoreip
    1. 127.0.0.1/8
    2. Internal ip address of the VM
    3. My wifi ip address
    But there was no ip address of the server so I entered it manually and removed my wifi ip address. Is this normal?

    The other thing which I noticed is that when I installed fail2ban before domain vhost configuration via option 22 then fail2ban was not working properly and
    Code:
    fail2ban-client status wordpress-auth
    was not executing properly along with other commands, but then I reinstalled fail2ban and everything became normal and started functioning properly. Is this normal and do I need to install fail2ban only after creating vhost via option 22?
     
  9. David Schargel

    David Schargel New Member

    26
    8
    3
    Feb 2, 2020
    Ratings:
    +18
    Local Time:
    1:29 PM
    Lav,

    What I opted to do is backup/duplicate /usr/local/nginx/html/ and remove all the files there except for the 3 statistics pages that were auto-installed. Now, when people hit my IP, they get a 403 Forbidden Error and I still keep those important monitoring PHP files working.

    Don't know if that's the right way, but it works for me.

    David
     
  10. eva2000

    Don't do it this way as all statistic pages will give 404 too if you want to use those statistic pages

    @David Schargel @Lav easiest way is just remove /usr/local/nginx/html/index.html page and you'll get 403 permission denied for index page only while statistic pages remain intact for direct access

    That is probably expected as you installed on Google Cloud and they only have an internal IP setup initially, right? fail2ban.sh install could only detect whatever server IP was configured and in your case was your internal VM IP.

    fail2ban status reads entries logged for particular regex matches. If there are no entries in nginx logs, there would be no results IIRC. What do you mean fail2ban command wasn't executing properly? Specific errors? Or just no results returned in fail2ban status output?
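
An added example, not part of the thread or of the centminmod-fail2ban repo: a Python check that the addresses you expect (the server's new public IP, its internal VM IP, loopback) are actually covered by ignoreip in jail.local, which is the gap described above when the installer only detects the internal address. The jail.local excerpt is constructed, and placing ignoreip under [DEFAULT] and the function names are assumptions.

```python
import configparser
import ipaddress

# Constructed jail.local excerpt; addresses are private/documentation ranges.
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 10.128.0.2 198.51.100.23
bantime = 604800

[wordpress-auth]
enabled = true
"""


def ignoreip_networks(jail_text):
    """Parse ignoreip into networks; return (networks, unparsed_tokens)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_text)
    raw = cp.get("DEFAULT", "ignoreip", fallback="")
    nets, skipped = [], []
    for token in raw.replace(",", " ").split():
        try:
            # strict=False accepts entries with host bits set, e.g. 127.0.0.1/8
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            skipped.append(token)  # e.g. a DNS name; not checked here
    return nets, skipped


def missing_from_ignoreip(jail_text, required_ips):
    """Return the required addresses that no ignoreip entry covers."""
    nets, _ = ignoreip_networks(jail_text)
    return [ip for ip in required_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    # Constructed values: 203.0.113.10 stands in for the server's public IP.
    required = ["127.0.0.1", "10.128.0.2", "203.0.113.10"]
    for ip in missing_from_ignoreip(SAMPLE_JAIL_LOCAL, required):
        print(f"not covered by ignoreip: {ip}")
```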
     
  11. Lav

    Thanks a lot @eva2000 for helping me out here. I got to learn some really great things only because of you. Thanks!!
     
  12. Jon Snow

    Jon Snow Active Member

    679
    130
    43
    Jun 30, 2017
    Ratings:
    +192
    Local Time:
    5:29 PM
    Nginx 1.13.9
    MariaDB 10.1.31
    Did this path change? I can't find it.
     
  13. eva2000

    It shouldn't have changed but depending on how it was installed, you may need to set that up yourself according to the GitHub repo instructions
     
  14. Jon Snow

    Is it installed by default with centminmod?
     
  15. eva2000

    Nope, fail2ban implementation isn't installed by default nor is it officially supported: GitHub - centminmod/centminmod-fail2ban: fail2ban setup for centminmod.com LEMP stack with CSF Firewall and Notes section
    and fail2ban installation for CentOS 7 Only notes refer to manual or automated install methods.

    Only use if you know what you're doing basically :)