CSF Can ping but can't open page

strange only a few legit cases for this to happen and that is the user shares an IP address with a distributed/brute force attacker i.e. sshd brute force attacks on your server will automatically be blocked via CSF Firewall for better security.

and/or you enabled CSF Firewall block list at /etc/csf/csf.blocklists which can automatically communicate with known spam, abuse etc lists like SPAMHAUS, ProjectHoney Pot, Maxmind anonymous proxies list, Stopforumspam, and Dshield. So when a visitor with an IP listed in any of these known spam blacklists visits the server, CSF Firewall would block them. The CSF block lists are disabeld by default unless you enable them in /etc/csf/csf.blocklists.

---

So check if your user's IP is blacklisted if you have enabled blocklists in /etc/csf/csf.blocklists

 

You can try enabling CSF Firewall watch ip mode to see what your visitor IP goes through see linked doc readme.txt at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS or direct link at https://download.configserver.com/csf/readme.txt

Code (Text):

19. Watching IP Addresses
#########################

The CLI option csf --watch [ip] (csf -w [ip]) and configuration option
WATCH_MODE logs TCP connection initiation (SYN) packets from a specified source
as they traverse the iptables chains.

This can be extremely useful in tracking where that IP address is being DROPed
or ACCEPTed by iptables.

WATCH_MODE should be used when watching IP addresses, although the csf -w [ip]
option will still work without it but won't necessarily provide conclusive
information on the final destination of the packet.

WATCH_MODE is disabled by default and should be left as such unless actively
watching an IP address as it will add an overhead to all accepted iptables
traffic and increase overall iptables kernel logging through syslog.

WATCH_MODE disables: DROP_NOLOG, PS_INTERVAL, DROP_ONLYRES
WATCH_MODE enabled: DROP_LOGGING, DROP_IP_LOGGING, DROP_PF_LOGGING
WATCH_MODE also logs iptables ACCEPT for watched IP addresses

You should only watch a very small number of IP addresses at a time and for a
very short period of time, otherwise the kernel log (usually /var/log/messages)
will become flooded with entries. Also, any IP address rules added during the
time of the watch will not necessarily be included in the logging rules for the
watched IP addresses.

IP address watches do not survive a csf (iptables) restart.

You can use either an IP address or a CIDR address for csf -w [ip].

Recommended method to use this function:

1. Enable WATCH_MODE

2. Restart csf

3. Restart lfd

4. Use the following to watch an IP:

csf -w 11.22.33.44

5. Watch the kernel iptables log for hits from the watched IP address

Once you have finished watching an IP address you should:

1. Disable WATCH_MODE

2. Restart csf (which will also remove the watched ip rules)

3. Restart lfd

The kernel iptables log lines for watching an IP (usually in /var/log/messages)
contain the direction of the packet in the chain and the chain name, e.g.
I:INPUT is Incoming to the chain INPUT, O:LOCALINPUT is Outgoing from chain
LOCALINPUT.

The following is a trimmed down example log watch of 192.168.254.4 connecting
to port 22:

Firewall: I:INPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:LOCALINPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:GDENYIN SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:GDENYIN SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:DSHIELD SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:DSHIELD SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:SPAMHAUS SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:SPAMHAUS SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:LOCALINPUT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:INVALID SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: O:INVALID SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22
Firewall: I:LOGACCEPT SRC=192.168.254.4 DST=192.168.254.71 PROTO=TCP DPT=22

 

if you uninstall csf firewall, you will not have any default iptable rules setup so block most ports from public access so won't help unless you manually setup iptable rule to white list ports etc after you uninstall csf firewall

 

Also have you tried getting those users to visit this forum or my digitalocean hosted Wordpress7 site wordpress7.centminmod.com - Centmin Mod LEMP stack Wordpress Auto Installer on CentOS 7 and see if they have same problems

 

very strange then.. were they all on same user IP or did their ISP rotate their IP addresses ?

 

did you enable csf watch ip for troubelshooting Can ping but can't open page | Page 3 | Centmin Mod Community ?

 

If you haven't restarted csf and lfd yet and still in WATCH_MODE, also do a csf -g to grep ip of the user as well

so

1. enable WATCH_MODE and csf -w ip and check /var/log/messages for ip related using grep

Code (Text):

grep 'ip' /var/log/messages

2. csf -g ip

if output is lengthy, post contents of log to pastebin.com or gist.github.com

 

and grep ip from /var/log/messages ?

 

How many devices on local lan are connecting during this time ? ~6 devices ?

 

CSF firewall might be blocking due to number of connections from same ip but from your provided /etc/csf/csf.conf config file at csf - Pastebin.com connection limit, port scan tracking and connection tracking are disabled and port flood doesn't cover port 80 and 443 so shouldn't be AFAIK

You can also enable temporarily CSF Firewall email reports so you get notices when blocks happen for more clues in /etc/csf/csf.conf

Code (Text):

###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""
 
# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""