
Sysadmin Can not login ssh and ping when csf enable

Discussion in 'System Administration' started by hendry, Sep 28, 2016.

  1. hendry

    hendry Member

    59
    14
    8
    Sep 19, 2016
    Ratings:
    +18
    Local Time:
    9:45 PM
    nginx/1.11.4
    MariaDB 10
    I have trouble when I enable csf: I can't log in or ping the server. So I contacted the hosting provider to turn off csf, and now I can log in and ping it again. After adding my IP to csf.allow and csf.ignore and removing it from csf.deny, I tried to re-enable csf but I got blocked again. Can anyone suggest what I should do?


    Note: This happened after I transferred files from another server of mine. Because I couldn't transfer, I disabled csf; after the transfer finished I enabled csf, and now I have this problem.
     
  2. eva2000

    eva2000 Administrator Staff Member

    55,811
    12,272
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,858
    Local Time:
    12:45 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    CSF Firewall whitelists common ports needed for ssh, sftp, rsync or file transfers from remote servers. If you disable CSF Firewall, those ports may be blocked and not whitelisted. Centmin Mod LEMP stack installs CSF Firewall out of the box, so to be able to remotely connect to external servers, you need to whitelist and allow the remote IP address; see the info below:
    That should allow file transfer from remote servers to your Centmin Mod server.

    Are you using the pure-ftpd ftp user account to transfer files ? See FAQ items 40 & 41 for details and clues.
     
  3. eva2000

    More for troubleshooting

    CSF firewall related CSF - CSF Firewall info

    more info might be helpful
    1. What version of Centmin Mod ? .08 stable or .09 beta ? If .09 beta when was it installed and when was last time you updated the code ?
    2. What's your VPS/Server hardware specifications ? Xen/KVM/OpenVZ ? cpu type ? memory available ? disk space ? OS and version ? i.e. CentOS 6.7 or 7.2 ?
    3. Who's your web host ?
    4. Your ISP ip address static/dynamic ?
    5. What were you doing connection wise to your server leading up to the blockage ?
    6. If you're on a dynamic IP, you may need additional CSF Firewall steps as per Getting Started Guide step 4
    7. Other steps: Does your web host offer out of band VNC/KVM/IPMI Console access? If you can, check if your IPs are blocked using the csf -g grep command
      Code:
      csf -g YOURIPADDRESS
      commands you can see for csf via
      Code:
      csf -h
      whitelist your ISP range of ips if you know the range
      Code:
      csf -a IPADDRESSORRANGE
      remove temp and permanent blocks from csf
      Code:
      csf -tr IPADDRESS
      csf -dr IPADDRESS
      also check CSF /var/log/lfd.log for clues
      Code:
      tail -50 /var/log/lfd.log
      another log is /var/log/messages you can grep it for your ips
      Code:
      grep IPADDRESS /var/log/messages
      and your /var/log/secure
      Code:
      tail -20 /var/log/secure

    Do you have a VPN connection you can use? Try using that to SSH into your server. If you have a VPN like a private one with a dedicated IP, you can also whitelist that VPN IP in CSF Firewall. That's what I usually do so I have multiple avenues to connect to the server via SSH.

    If you use DigitalOcean or solusVM based web host VPS they have consoles you can use to connect to your server out of band so you can access your server SSH and unblock yourself from CSF Firewall if needed. Once SSH'd in via console, check if your ISP IP has been blocked by

    grepping csf firewall ips
    Code (Text):
    csf -g ISPIPADDRESS

    if blocked remove your ISP IP address from /etc/csf/csf.deny and restart CSF Firewall
    or via command
    Code (Text):
    csf -dr ISPIPADDRESS
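
Added example, not part of the original posts: a plain `grep IPADDRESS` treats the dots as wildcards and also matches longer addresses, so the helper below looks an address up as a whole IPv4 token in a csf.deny-style file and an lfd.log-style file. The function names, the temporary files and the sample lines are constructed for illustration; the line layouts are an assumption modelled on CSF's files.

```shell
#!/bin/sh
# Added example. All sample data is constructed (documentation-range addresses).
# On a real server, pass /etc/csf/csf.deny and /var/log/lfd.log instead.

is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Print lines of FILE ("-" = stdin) that contain IP as a whole address.
# Dots are escaped and the guards stop 203.0.113.4 matching 203.0.113.40.
match_ip() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "(^|[^0-9.])${esc}([^0-9]|\$)" "$2"
}

# Report where IP appears: the csf.deny comment and the lfd.log trigger codes.
# Exit status: 0 = found, 1 = not listed, 2 = argument is not an IPv4 address.
block_reason() {
    is_ipv4 "$1" || { echo "invalid-ip"; return 2; }
    rc=1
    # Active deny entries are assumed to look like "ADDRESS # comment".
    if hit=$(grep -v '^[[:space:]]*#' "$2" | match_ip "$1" -); then
        echo "deny: ${hit#*# }"; rc=0
    fi
    trig=$(match_ip "$1" "$3" | grep -Eo '\[[A-Z_]+\]' | sort -u | tr '\n' ' ') || true
    if [ -n "$trig" ]; then
        echo "lfd: ${trig% }"; rc=0
    fi
    [ "$rc" -eq 0 ] || echo "not-listed"
    return "$rc"
}

# Constructed sample files.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/csf.deny" <<'EOF'
# constructed sample in csf.deny layout
203.0.113.40 # lfd: (sshd) Failed SSH login from 203.0.113.40: 5 in the last 3600 secs
198.51.100.7 # Manually denied
EOF
cat > "$SAMPLE_DIR/lfd.log" <<'EOF'
Sep 28 10:00:00 host lfd[2101]: (sshd) Failed SSH login from 203.0.113.40: 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Sep 28 10:05:00 host lfd[2101]: (ftpd) Failed FTP login from 203.0.113.4: 10 in the last 3600 secs - *Blocked in csf* [LF_FTPD]
EOF

# A naive grep for 203.0.113.4 would return both log lines; this returns one.
block_reason 203.0.113.4 "$SAMPLE_DIR/csf.deny" "$SAMPLE_DIR/lfd.log"
```

The trigger code in square brackets names the lfd check that fired, which tells you whether the block came from SSH, FTP or another service before you remove it with `csf -dr` or `csf -tr`.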


     
  4. hendry

    1. I use 09.beta1
    2. I use OpenVZ, Intel(R) Xeon(R) CPU E3-1240 v3 @ 3.40GHz - 64bit, 1GB Memory, 100GB Diskspace, and use CentOS release 6.8 (Final)
    3. 123systems
    4. Dynamic IP
    5. I said this in the post above
    6. I don't know all the dynamic IPs from my ISP. How can I know this?
    7. Yes, I can see it on my host's panel but I can't use it :( If I use it, the error below comes up.
    console error.png

    About pureftpd: actually I don't use it and I want to disable or remove it, but I'm afraid I will not be able to use or add the mass domain feature on centminmod. Is it OK if I disable pureftpd?
     
  5. eva2000

    Yes, OK as long as it's done as outlined at Pure-FTPD Virtual FTP Users - CentminMod.com LEMP Nginx web stack for CentOS

    Your local system Java security settings are probably blocking you.
    As to dynamic IP, visit https://www.iplocation.net/ and it will tell you, or type "ip check" into Google search.
     
  6. hendry

    My server is back to normal now. Thanks @eva2000.