DigitalOcean Blocking my IP

Discussion in 'Virtual Private Server (VPS) hosting' started by BoostN, Nov 1, 2014.

  1. BoostN

    BoostN Member

    I have a 1GB XenForo site on a DO server with Centminmod and it seems my home IP is blocked after accessing the server all afternoon. I've gone through the error log in Nginx and I don't see anything related to my local IP here.

    I can RDP into my other desktop (different ISP) and connect fine. Any ideas?
     
  2. BoostN

    BoostN Member

    Traceroute leaves my PC, hits my local ISP and fails starting at this point: 198.32.160.170. Really weird..
     
  3. RoldanLT

    RoldanLT Well-Known Member

    Maybe CSF blocks you?
     
  4. eva2000

    eva2000 Administrator Staff Member

    did you make any further changes to /etc/csf/csf.conf CSF Firewall config file ?

    you can check your CSF deny list at /etc/csf/csf.deny

    also use csf grep command on particular ip address to check if it's in iptables block list i.e. this ip 222.186.56.33 is blocked in CSF firewall and shows up in iptables grep

    Code:
     csf -g 222.186.56.33
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination      
    
    DENYIN           200    258 12384 DROP       all  --  !lo    *       222.186.56.33        0.0.0.0/0        
    
    DENYOUT          200      0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            222.186.56.33
    
    
    ip6tables:
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination      
    No matches found for 222.186.56.33 in ip6tables
    
    csf.deny: 222.186.56.33 # lfd: 222.186.56.33 (CN/China/-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Sun Nov  2 09:01:05 2014

    but I believe I found the problem, my default CSF firewall UDP_IN setup disabled and blocked incoming traceroute packets. You need to add to UDP_IN comma separated list the traceroute ports for 33434:33534

    I also made a bug in UDP_OUT ports for 33523 instead of range ending 33534 so correct UDP_IN and UDP_OUT whitelisted ports for CSF Firewall should be as follows

    Code:
    # Allow incoming UDP ports
    UDP_IN = "67,68,111,2049,1110,33434:33534,20,21,53"
    
    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "67,68,111,2049,1110,33434:33534,20,21,53,113,123"

    then restart CSF Firewall

    Code:
    csf -r

    will be fixed in download zip updates next
     
    Last edited: Nov 3, 2014
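
A check for the UDP_IN / UDP_OUT lists in the post above, as an added example that is not part of the original thread or of Centmin Mod: it expands CSF's `lo:hi` range syntax and reports the first traceroute port (33434 to 33534) that each list fails to cover. `conf_before` is a constructed stand-in for the pre-fix state the post describes, and the function names are hypothetical.

```shell
# Constructed csf.conf fragments. conf_fixed uses the values posted in the thread;
# conf_before is a made-up stand-in for the pre-fix state the post describes
# (no traceroute range in UDP_IN, UDP_OUT range ending at 33523).
conf_fixed='UDP_IN = "67,68,111,2049,1110,33434:33534,20,21,53"
UDP_OUT = "67,68,111,2049,1110,33434:33534,20,21,53,113,123"'
conf_before='UDP_IN = "67,68,111,2049,1110,20,21,53"
UDP_OUT = "67,68,111,2049,1110,33434:33523,20,21,53,113,123"'

# csf_ports KEY: read csf.conf text on stdin, print the quoted value of KEY
# (last assignment wins; comment lines never match).
csf_ports() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# port_allowed LIST PORT: succeed if PORT is listed or falls inside a lo:hi range.
port_allowed() {
    for pa_item in $(printf '%s' "$1" | tr ',' ' '); do
        case $pa_item in
            *:*) if [ "$2" -ge "${pa_item%%:*}" ] && [ "$2" -le "${pa_item##*:}" ]; then
                     return 0
                 fi ;;
            *)   if [ "$pa_item" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# traceroute_gaps CONF_TEXT: for UDP_IN and UDP_OUT, print "KEY PORT" for the
# first port in 33434..33534 that the list does not allow; print nothing if covered.
traceroute_gaps() {
    for key in UDP_IN UDP_OUT; do
        list=$(printf '%s\n' "$1" | csf_ports "$key")
        port=33434
        while [ "$port" -le 33534 ]; do
            if ! port_allowed "$list" "$port"; then
                echo "$key $port"
                break
            fi
            port=$((port + 1))
        done
    done
}

traceroute_gaps "$conf_before"
```

Against a live server, pass the file contents instead: `traceroute_gaps "$(cat /etc/csf/csf.conf)"`.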
  5. eva2000

    eva2000 Administrator Staff Member

  6. BoostN

    BoostN Member

    The server gives me the following:

    Code:
    [root@nissandieseltalk ~]# iptables -L -n --line-numbers | grep 69.130.134.104
     173  DROP       all  --  69.130.134.104       0.0.0.0/0
    173  LOGDROPOUT  all  --  0.0.0.0/0            69.130.134.104
    
    Went to remove the block:
    ...and it failed, as you can see below.

    Code:
    [root@nissandieseltalk ~]# iptables -D INPUT 173
    iptables: Index of deletion too big.
    
    I'm reading your reply right now George, let me see if I understand it.. :D
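
Why the deletion in the post above fails, as an added example that is not part of the original post: piping the listing through `grep` drops the `Chain …` header lines, so rule number 173 is not tied to any chain, and the `csf -g` output earlier in the thread shows CSF deny rules in `DENYIN` and `DENYOUT` rather than `INPUT`. The sketch below keeps the chain name with each match; the sample listing, its addresses and the function names are constructed.

```shell
# Constructed sample in the layout printed by `iptables -L -n --line-numbers`.
# Rule numbers and addresses (documentation ranges) are made up for illustration.
sample='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    LOCALINPUT all  --  0.0.0.0/0            0.0.0.0/0

Chain DENYIN (1 references)
num  target     prot opt source               destination
1    DROP       all  --  198.51.100.9         0.0.0.0/0
2    DROP       all  --  203.0.113.7          0.0.0.0/0

Chain DENYOUT (1 references)
num  target     prot opt source               destination
1    LOGDROPOUT  all  --  0.0.0.0/0            198.51.100.9
2    LOGDROPOUT  all  --  0.0.0.0/0            203.0.113.7'

# find_rules IP: read a listing on stdin and print "CHAIN NUM TARGET" for every
# rule whose source or destination is exactly IP (CIDR entries are not expanded).
find_rules() {
    awk -v ip="$1" '
        $1 == "Chain" { chain = $2; next }    # remember the chain we are inside
        $1 ~ /^[0-9]+$/ && ($5 == ip || $6 == ip) { print chain, $1, $2 }
    '
}

# chain_rule_count CHAIN: number of rules in CHAIN. A `-D CHAIN N` with N above
# this count is what produces "Index of deletion too big".
chain_rule_count() {
    awk -v want="$1" '
        $1 == "Chain" { chain = $2; next }
        chain == want && $1 ~ /^[0-9]+$/ { n++ }
        END { print n + 0 }
    '
}

printf '%s\n' "$sample" | find_rules 203.0.113.7
printf 'INPUT has %s rules\n' "$(printf '%s\n' "$sample" | chain_rule_count INPUT)"
```

On a live server, feed it the real listing: `iptables -L -n --line-numbers | find_rules <ip>`. For blocks that lfd created, `csf -dr <ip>` (used later in the thread) removes the rules and the matching csf.deny entry together.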
     
  7. BoostN

    BoostN Member

    Ok, found this in my CSF Deny file:

    Code:
    lfd: 69.130.134.104 (US/United States/h69-130-134-104.prsstn.broadband.dynamic.tds.net), 5 distributed sshd attacks on account [root] in the last 3600 secs - Fri Oct 31 19:27:54 2014

    What exactly triggers this? Any way to avoid it? Do I delete the line from this CSF file to unblock this IP to access the site/server again?

    I ran the command csf -dr <ip> and it looks like it removed it, however I'm not at that location for another week to find out.
     
  8. Razib Hasan

    Razib Hasan Premium Member Premium Member

    Add your IP to csf.ignore file. In future CSF won't block your IP.
     
  9. RoldanLT

    RoldanLT Well-Known Member

    @eva2000 my current value:
    So I change it to the one you suggest:
     
  10. RoldanLT

    RoldanLT Well-Known Member

    I'm confused on what's the correct value, it should be this one right?

     
  11. eva2000

    eva2000 Administrator Staff Member

    log in failures and brute force attacks
    yup that would help too :)

    use one in update inc/csfinstall.inc whitelist traceroute ports · c7ce503 · centminmod/centminmod · GitHub
     
  12. RoldanLT

    RoldanLT Well-Known Member

    So:
    UDP_IN = "67,68,111,2049,1110,33434:33534"
    UDP_OUT = "67,68,111,2049,1110,33434:33534"

    20,21,53 in UDP_IN
    and
    20,21,53,113,123 in UDP_OUT

    Are not needed anymore?
     
  13. eva2000

    eva2000 Administrator Staff Member

    sorry to confuse you the github link shows how specific ports are appended to existing ones and not all the ports

    the full list is as i posted in post 4 above
    Code:
    # Allow incoming UDP ports
    UDP_IN = "67,68,111,2049,1110,33434:33534,20,21,53"
    
    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "67,68,111,2049,1110,33434:33534,20,21,53,113,123"
     
    Last edited: Nov 3, 2014
  14. RoldanLT

    RoldanLT Well-Known Member

    And now missing 67,68 ports? Not needed ?
     
  15. eva2000

    eva2000 Administrator Staff Member

    doh they're needed, edit above :D :LOL:
     
  16. RoldanLT

    RoldanLT Well-Known Member

    Yes and that's what I'm referring to in post #10 :)
     
  17. BoostN

    BoostN Member

    Ok,

    How do I remove this entry, I get this after csf -g <my ip>

    I tried csf -dr <ip addy> but I'm still locked out of my site.. :(

    I've added the ip to the ignore list as well.. do I have to restart CSF for this to take effect?
     
  18. eva2000

    eva2000 Administrator Staff Member

    if you're editing the csf files manually yes restart csf
    what's full output for
    Code:
    csf -g <my ip>
     
  19. BoostN

    BoostN Member

    Output:

     
  20. eva2000

    eva2000 Administrator Staff Member

    and x.x.x.x is your IP ?