
Linode CentOS 7.1 with CSF disabled can't be accessed on any port

Discussion in 'Virtual Private Server (VPS) hosting' started by RoldanLT, Jul 27, 2015.

  1. RoldanLT

    RoldanLT Well-Known Member

    3,830
    929
    113
    May 25, 2014
    Philippines
    Ratings:
    +1,258
    Local Time:
    7:46 AM
    1.11
    10.2
    On CentOS 6.6 Server, still on Linode.
    CSF disabled via csf -x is fine.

    But using CentOS 7.1 now, after disabling CSF via csf -x and rebooting the server,
    I can't access it anymore, via ssh port, nginx port, or mysql port.

    I have to log in to Linode Manager to get access via Launch Lish Ajax Console,
    and enable CSF again.

    I'm doing this because I'm using Cloudflare/Sucuri as a proxy.
    And I want all access to my server to pass through.
    Even if I whitelist Sucuri IPs in csf.allow and csf.ignore,
    sometimes I still experience timeouts.

    Disabling CSF solves it.
     
  2. eva2000

    eva2000 Administrator Staff Member

    29,031
    6,588
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,780
    Local Time:
    9:46 AM
    Nginx 1.13.x
    MariaDB 5.5
    Centmin Mod is provided as is, so short of script related bugs or issues, any further optimisation or advanced changes to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc. or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for such.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hopes are that this community forum evolves so that more veteran long-time Centmin Mod users help new Centmin Mod users out :)

    If you disable CSF via csf -x and do not reboot the server, do you have access etc. + NO timeouts? Timeouts connecting to which specific ports? nginx 80, php-fpm 9000, ???
     
  3. eva2000

    eva2000 Administrator Staff Member

    You have a sucuri > cloudflare > server setup? If you do, your server may see all visitor IPs as Cloudflare's or more likely Sucuri's IPs, so CSF Firewall might block too many connections per IP if you have CSF configured tightly etc.

    Check your /var/log/messages and /var/log/lfd.log for CSF and LFD blocked messages from Sucuri IPs and Cloudflare IPs.

    Could also be related to CentOS 7 and the fact that with CSF installed by default, firewalld is disabled, and CentOS 7 might need firewalld and specifically enabling service ports via firewall-cmd or iptables, unlike CentOS 6. Lines 127-139 of inc/csfinstall.inc show what is set up and disabled when CSF Firewall is installed. You can see examples of firewall-cmd at "CentOS 7.x - Work log for dealing with CentOS 7.0 changes (systemd) | Centmin Mod Community" and get some ideas of what firewalld does, as you have now disabled CSF Firewall.

    CSF Firewall install via Centmin Mod auto configures all the likely ports you use like SSH 22, Nginx 80, etc. to be whitelisted by default. If you disable it, you'd be left with whatever iptables or firewalld (if started; default is stopped when CSF Firewall is installed) has set up for those ports.

    Rest is up to you :)

    FYI, you do know Sucuri and Cloudflare can't protect you if the attacker tries from your server IP address - so you really do need a firewall on the server itself ;) Such attacks could be from bots or folks testing each IP address in a range until they hit one that you're on.
     
    Last edited: Jul 28, 2015
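The log check suggested in the post above, as an added example that is not part of the original thread and is not Centmin Mod or CSF code: it pulls the source IP out of blocked entries and reports which ones fall inside the proxy's ranges. The ranges, host names and log lines are constructed placeholders, and the line layouts are assumptions modelled on CSF's `Firewall:` kernel prefix and lfd's `*Blocked in csf*` entries.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder ranges (RFC 5737 documentation space); replace with
# the ranges your proxy provider publishes.
PROXY_RANGES = {
    "proxy-a": ipaddress.ip_network("192.0.2.0/24"),
    "proxy-b": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed sample lines standing in for /var/log/messages and /var/log/lfd.log.
SAMPLE_LOG = """\
Jul 28 09:12:01 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.15 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=80
Jul 28 09:12:03 web1 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=3306
Jul 28 09:12:09 web1 lfd[2211]: (CT) IP 192.0.2.15 (-) found to have 312 connections - *Blocked in csf* for 3600 secs [CT_LIMIT]
Jul 28 09:13:40 web1 lfd[2211]: (CT) IP 198.51.100.8 (-) found to have 305 connections - *Blocked in csf* for 3600 secs [CT_LIMIT]
Jul 28 09:14:00 web1 sshd[900]: Accepted publickey for admin from 203.0.113.9 port 50022 ssh2
"""

BLOCK_MARKER = re.compile(r"\*[^*]*Blocked[^*]*\*")   # e.g. *TCP_IN Blocked*
SRC_FIELD = re.compile(r"\bSRC=(\S+)")                 # iptables LOG field
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")      # fallback for lfd lines

def blocked_source(line):
    """Return the blocked source address of a log line, or None."""
    if not BLOCK_MARKER.search(line):
        return None
    m = SRC_FIELD.search(line)
    candidate = m.group(1) if m else next(iter(IPV4.findall(line)), None)
    try:
        return ipaddress.ip_address(candidate) if candidate else None
    except ValueError:          # token looked like an IP but is not one
        return None

def classify(ip):
    """Name of the proxy range containing ip, or 'other'."""
    return next((n for n, net in PROXY_RANGES.items() if ip in net), "other")

def summarize(log_text):
    """Count blocked entries per (range owner, source IP)."""
    hits = Counter()
    for line in log_text.splitlines():
        ip = blocked_source(line)
        if ip is not None:
            hits[(classify(ip), str(ip))] += 1
    return hits

if __name__ == "__main__":
    for (owner, ip), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{owner:8} {ip:15} blocked {n}x")
```

Any hit attributed to a proxy range means the firewall is dropping traffic relayed by the proxy, which matches the timeouts described in the thread.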
  4. RoldanLT

    RoldanLT Well-Known Member

    Yes.
    All Ports really.
    Looks like all ports are closed when I run csf -x and then reboot the server.
     
  5. RoldanLT

    RoldanLT Well-Known Member

    No, only Sucuri right now.
    And I also added Sucuri IPs to nginx.conf and csf.allow and csf.ignore.
    So my setup right now is Linode MariaDB Server > Linode Nginx/Php Server > Sucuri > Visitors.

    Could be.
    The only thing that works fine for me right now is to disable csf via csf -x and not reboot the server.
     
  6. RoldanLT

    RoldanLT Well-Known Member

    By the way, I have had this same setup on CentOS 6.6 for several months, with CSF disabled, and I don't have any problems.
     
  7. eva2000

    eva2000 Administrator Staff Member

    If I were you I'd keep CSF enabled and figure out what is causing the timeouts :) Probably to do with firewalld or lack of it, and the iptables and csf mix, for the reboot issue with csf disabled.