
DigitalOcean Blocking my IP

Discussion in 'Virtual Private Server (VPS) hosting' started by BoostN, Nov 1, 2014.

  1. BoostN

    BoostN Active Member

    134
    27
    28
    Aug 19, 2014
    Ratings:
    +42
    Local Time:
    5:27 PM
    1.13.6
    10.0.34
    I have a 1GB XenForo site on a DO server with Centminmod and it seems my home IP is blocked after accessing the server all afternoon. I've gone through the error log in Nginx and I don't see anything related to my local IP here.


    I can RDP into my other desktop (different ISP) and connect fine. Any ideas?
     
  2. BoostN

    BoostN Active Member

    Traceroute leaves my PC, hits my local ISP and fails starting at this point: 198.32.160.170. Really weird..
     
  3. rdan

    rdan Well-Known Member

    5,446
    1,408
    113
    May 25, 2014
    Ratings:
    +2,201
    Local Time:
    7:27 AM
    Mainline
    10.2
    Maybe CSF blocks you?
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,526
    12,211
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,780
    Local Time:
    9:27 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    did you make any further changes to /etc/csf/csf.conf CSF Firewall config file ?

    you can check your CSF deny list at /etc/csf/csf.deny

    also use csf grep command on particular ip address to check if it's in iptables block list i.e. this ip 222.186.56.33 is blocked in CSF firewall and shows up in iptables grep

    Code:
    csf -g 222.186.56.33

    Chain            num   pkts bytes target     prot opt in     out     source               destination
    DENYIN           200    258 12384 DROP       all  --  !lo    *       222.186.56.33        0.0.0.0/0
    DENYOUT          200      0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            222.186.56.33

    ip6tables:

    Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 222.186.56.33 in ip6tables

    csf.deny: 222.186.56.33 # lfd: 222.186.56.33 (CN/China/-), 5 distributed sshd attacks on account [root] in the last 3600 secs - Sun Nov  2 09:01:05 2014

    but I believe I found the problem, my default CSF firewall UDP_IN setup disabled and blocked incoming traceroute packets. You need to add to UDP_IN comma separated list the traceroute ports for 33434:33534

    I also made a bug in UDP_OUT ports for 33523 instead of range ending 33534 so correct UDP_IN and UDP_OUT whitelisted ports for CSF Firewall should be as follows

    Code:
    # Allow incoming UDP ports
    UDP_IN = "67,68,111,2049,1110,33434:33534,20,21,53"
    
    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "67,68,111,2049,1110,33434:33534,20,21,53,113,123"

    then restart CSF Firewall
    Code:
    csf -r

    will be fixed in download zip updates next
     
    Last edited: Nov 3, 2014
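
As an added example that is not part of the thread or of CSF or Centmin Mod: a shell check that the UDP_IN and UDP_OUT lists in a csf.conf-style file allow the whole traceroute range 33434:33534 named in post 4, which catches a range that ends early at 33523. The function names and the two sample files are constructed for illustration; the "before" UDP_IN value is an assumption, since the thread does not show it.

```shell
# Added example, not CSF or Centmin Mod code.
# conf_value FILE KEY: print the value of the last KEY = "..." line in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# first_gap LIST LO HI: print the first port in LO..HI that the CSF port list
# (comma-separated, colon for ranges) does not allow and return 1; else return 0.
first_gap() {
    awk -v list="$1" -v lo="$2" -v hi="$3" 'BEGIN {
        n = split(list, entry, ",")
        for (p = lo + 0; p <= hi + 0; p++) {
            ok = 0
            for (i = 1; i <= n && !ok; i++) {
                m = split(entry[i], r, ":")
                a = r[1] + 0; b = (m > 1 ? r[2] : r[1]) + 0
                if (p >= a && p <= b) ok = 1
            }
            if (!ok) { print p; exit 1 }
        }
    }'
}

# check_traceroute FILE: report UDP_IN and UDP_OUT; non-zero if either has a gap.
check_traceroute() {
    rc=0
    for key in UDP_IN UDP_OUT; do
        if gap=$(first_gap "$(conf_value "$1" "$key")" 33434 33534); then
            echo "$key: 33434:33534 allowed"
        else
            echo "$key: port $gap not allowed"; rc=1
        fi
    done
    return $rc
}

# Constructed samples: before.conf has the short UDP_OUT range and no traceroute
# range in UDP_IN (assumed); after.conf uses the values posted in the thread.
sample_dir=$(mktemp -d)
printf '%s\n' 'UDP_IN = "67,68,111,2049,1110,20,21,53"' \
    'UDP_OUT = "67,68,111,2049,1110,33434:33523,20,21,53,113,123"' > "$sample_dir/before.conf"
printf '%s\n' 'UDP_IN = "67,68,111,2049,1110,33434:33534,20,21,53"' \
    'UDP_OUT = "67,68,111,2049,1110,33434:33534,20,21,53,113,123"' > "$sample_dir/after.conf"
check_traceroute "$sample_dir/before.conf" || true
check_traceroute "$sample_dir/after.conf"
```

On a server, point `check_traceroute` at /etc/csf/csf.conf before running `csf -r`.
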
  5. eva2000

    eva2000 Administrator Staff Member

  6. BoostN

    BoostN Active Member

    The server gives me the following:

    Code:
    [root@nissandieseltalk ~]# iptables -L -n --line-numbers | grep 69.130.134.104
    173  DROP       all  --  69.130.134.104       0.0.0.0/0
    173  LOGDROPOUT  all  --  0.0.0.0/0            69.130.134.104
    
    Went to remove the block:
    ...and it failed, as you can see below.

    Code:
    [root@nissandieseltalk ~]# iptables -D INPUT 173
    iptables: Index of deletion too big.
    
    I'm reading your reply right now George, let me see if I understand it.. :D
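
An added example, not from any poster: rule numbers in `iptables -L -n --line-numbers` are per chain, and the `csf -g` output in post 4 shows CSF deny rules in the DENYIN and DENYOUT chains, so the 173 in the grep output above is not an INPUT rule number. The sketch below reports the chain for each match; the function names and the listing are constructed, with only the 69.130.134.104 rows taken from post 6.

```shell
# Added example, not CSF code. sample_listing prints a constructed excerpt shaped
# like `iptables -L -n --line-numbers` output (most rules omitted).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    LOCALINPUT all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain DENYIN (1 references)
num  target     prot opt source               destination
172  DROP       all  --  198.51.100.7         0.0.0.0/0
173  DROP       all  --  69.130.134.104       0.0.0.0/0

Chain DENYOUT (1 references)
num  target     prot opt source               destination
173  LOGDROPOUT  all  --  0.0.0.0/0            69.130.134.104
EOF
}

# find_rules IP: read a listing on stdin and print "CHAIN NUM TARGET" for each
# rule whose source or destination column is exactly IP.
find_rules() {
    awk -v ip="$1" '
        $1 == "Chain"   { chain = $2; next }   # header line names the chain
        $1 ~ /^[0-9]+$/ && ($5 == ip || $6 == ip) { print chain, $1, $2 }
    '
}

# highest_rule CHAIN: print the largest rule number listed for CHAIN (0 if none).
highest_rule() {
    awk -v want="$1" '
        $1 == "Chain" { chain = $2; next }
        chain == want && $1 ~ /^[0-9]+$/ { max = $1 }
        END { print max + 0 }
    '
}

sample_listing | find_rules 69.130.134.104
echo "INPUT ends at rule $(sample_listing | highest_rule INPUT)"
```

On a live server, pipe `iptables -L -n --line-numbers` into `find_rules` instead of the sample; the removal command used later in the thread is `csf -dr <ip>`.
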
     
  7. BoostN

    BoostN Active Member

    Ok, found this in my CSF Deny file:

    Code:
    lfd: 69.130.134.104 (US/United States/h69-130-134-104.prsstn.broadband.dynamic.tds.net), 5 distributed sshd attacks on account [root] in the last 3600 secs - Fri Oct 31 19:27:54 2014

    What exactly triggers this? Any way to avoid it? Do I delete the line from this CSF file to unblock this IP to access the site/server again?

    I ran the command csf -dr <ip> and it looks like it removed it, however I'm not at that location for another week to find out.
     
  8. Razib Hasan

    Razib Hasan Member

    37
    15
    8
    May 31, 2014
    Dhaka, Bangladesh
    Ratings:
    +15
    Local Time:
    5:27 AM
    1.7.6
    5.10
    Add your IP to csf.ignore file. In future CSF won't block your IP.
     
  9. rdan

    rdan Well-Known Member

    @eva2000 my current value:
    So I change it to the one you suggest:
     
  10. rdan

    rdan Well-Known Member

    I'm confused on what's the correct value, it should be this one right?

     
  11. eva2000

    eva2000 Administrator Staff Member

    log in failures and brute force attacks
    yup that would help too :)

    use one in update inc/csfinstall.inc whitelist traceroute ports · c7ce503 · centminmod/centminmod · GitHub
     
  12. rdan

    rdan Well-Known Member

    So:
    UDP_IN = "67,68,111,2049,1110,33434:33534"
    UDP_OUT = "67,68,111,2049,1110,33434:33534"

    20,21,53 in UDP_IN
    and
    20,21,53,113,123 in UDP_OUT

    are not needed anymore?
     
  13. eva2000

    eva2000 Administrator Staff Member

    sorry to confuse you the github link shows how specific ports are appended to existing ones and not all the ports

    the full list is as i posted in post 4 above
    Code:
    # Allow incoming UDP ports
    UDP_IN = "67,68,111,2049,1110,33434:33534,20,21,53"
    
    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "67,68,111,2049,1110,33434:33534,20,21,53,113,123"
     
    Last edited: Nov 3, 2014
  14. rdan

    rdan Well-Known Member

    And now missing 67,68 ports? Not needed ?
     
  15. eva2000

    eva2000 Administrator Staff Member

    doh they're needed, edit above :D :LOL:
     
  16. rdan

    rdan Well-Known Member

    Yes and that's what I'm referring to in post #10 :)
     
  17. BoostN

    BoostN Active Member

    Ok,

    How do I remove this entry, I get this after csf -g <my ip>

    I tried csf -dr <ip addy> but I'm still locked out of my site.. :(

    I've added the ip to the ignore list as well.. do I have to restart CSF for this to take effect?
     
  18. eva2000

    eva2000 Administrator Staff Member

    if you're editing the csf files manually yes restart csf
    what's full output for
    Code:
    csf -g <my ip>
     
  19. BoostN

    BoostN Active Member

    Output:

     
  20. eva2000

    eva2000 Administrator Staff Member

    and x.x.x.x is your IP ?