
CSF Centos issue

Discussion in 'Other Centmin Mod Installed software' started by Jake, Mar 31, 2015.

  1. Jake (Member)
    Hey Guys,
    I have a really ANNOYING issue. I somehow keep getting IP-banned from my server. I have whitelisted and ignored my IP. I have checked the deny file, nothing. Any ideas?

     
  2. Jake (Member)
    PS. I am able to get on the site on my phone, logged into wifi that is on the same connection as this computer.
     
  3. eva2000 (Administrator, Staff Member)
    That's strange. Is your IP address a dynamic IP? If so, you might need the additional step for dynamic IP CSF Firewall whitelisting outlined here

    1. Double check again that your IP address is not in the /etc/csf/csf.deny file

    2. Use csf -g to grep your IP to make sure, for instance checking IP 77.236.96.162

    Code:
    csf -g 77.236.96.162
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination      
    
    DENYIN           46       0     0 DROP       all  --  !lo    *       77.236.96.162        0.0.0.0/0        
    
    DENYOUT          46       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            77.236.96.162
    
    csf.deny: 77.236.96.162 # lfd: 77.236.96.162 (DE/Germany/webbox1114.server-home.net), 5 distributed sshd attacks on account [PlcmSpIp] in the last 3600 secs - Mon Mar 30 04:34:07 2015
    and check /var/log/lfd.log via grep

    Code:
    grep 77.236.96.162 /var/log/lfd.log
    Mar 30 04:34:07 skys02 lfd[17986]: 77.236.96.162 (DE/Germany/webbox1114.server-home.net), 5 distributed sshd attacks on account [PlcmSpIp] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
    3. Have you manually enabled any of the /etc/csf/csf.blocklists? If you have, double check your IP is not listed in spam blacklists at Email Blacklist Check - See if your server is blacklisted

    Code:
    ###############################################################################
    # Copyright 2006-2015, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # This file contains definitions to IP BLOCK lists.
    #
    # Uncomment the line starting with the rule name to use it, then restart csf
    # and then lfd
    #
    # Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
    #   NAME    : List name with all uppercase alphabetic characters with no
    #             spaces and a maximum of 9 characters - this will be used as the
    #             iptables chain name
    #   INTERVAL: Refresh interval to download the list, must be a minimum of 3600
    #             seconds (an hour), but 86400 (a day) should be more than enough
    #   MAX     : This is the maximum number of IP addresses to use from the list,
    #             a value of 0 means all IPs
    #   URL     : The URL to download the list from
    #
    # Note: Some of thsese lists are very long (thousands of IP addresses) and
    # could cause serious network and/or performance issues, so setting a value for
    # the MAX field should be considered
    #
    # After making any changes to this file you must restart csf and then lfd
    #
    # If you want to redownload a blocklist you must first delete
    # /var/lib/csf/csf.block.NAME and then restart csf and then lfd
    #
    # Each URL is scanned for an IPv4/CIDR address per line and if found is blocked
    
    # Spamhaus Don't Route Or Peer List (DROP)
    # Details: http://www.spamhaus.org/drop/
    #SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso
    
    # Spamhaus Extended DROP List (EDROP)
    # Details: http://www.spamhaus.org/drop/
    #SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso
    
    # DShield.org Recommended Block List
    # Details: http://dshield.org
    #DSHIELD|86400|0|http://www.dshield.org/block.txt
    
    # TOR Exit Nodes List
    # Set URLGET in csf.conf to use LWP as this list uses an SSL connection
    # Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
    #TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4
    
    # Alternative TOR Exit Nodes List
    # Details: http://torstatus.blutmagie.de/
    #ALTTOR|86400|0|http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
    
    # BOGON list
    # Details: http://www.team-cymru.org/Services/Bogons/
    #BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt
    
    # Project Honey Pot Directory of Dictionary Attacker IPs
    # Details: http://www.projecthoneypot.org
    #HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1
    
    # C.I. Army Malicious IP List
    # Details: http://www.ciarmy.com
    #CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt
    
    # BruteForceBlocker IP List
    # Details: http://danger.rulez.sk/index.php/bruteforceblocker/
    #BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php
    
    # OpenBL.org 30 day List
    # Set URLGET in csf.conf to use LWP as this list uses an SSL connection
    # Details: https://www.openbl.org
    #OPENBL|86400|0|https://www.openbl.org/lists/base_30days.txt
    
    # Autoshun Shun List
    # Details: http://www.autoshun.org/
    #AUTOSHUN|86400|0|http://www.autoshun.org/files/shunlist.csv
    
    # MaxMind GeoIP Anonymous Proxies
    # Set URLGET in csf.conf to use LWP as this list uses an SSL connection
    # Details: https://www.maxmind.com/en/anonymous_proxies
    #MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies
    
    # Blocklist.de
    # Set URLGET in csf.conf to use LWP as this list uses an SSL connection
    # Details: https://www.blocklist.de
    # This first list only retrieves the IP addresses added in the last hour
    #BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600
    # This second list retrieves all the IP addresses added in the last 48 hours
    # and is usually a very large list (over 10000 entries), so be sure that you
    # have the resources available to use it
    #BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt

    4. Double check if the IP is set in /etc/csf/csf.ignore
    Code:
    ###############################################################################
    # Copyright 2006-2015, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # The following IP addresses will be ignored by all lfd checks
    # One IP address per line
    # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
    # Only list IP addresses, not domain names (they will be ignored)
    #
    
    127.0.0.1
     
  4. Jake (Member)
    I double checked, it's def not in the deny list.
    2) Doing "2. Use csf -g to grep your IP to make sure, for instance checking IP myip"
    returns nothing
    3) "3. Have you manually enabled any of the /etc/csf/csf.blocklists?"
    Nope, I also have the IP address in ignore, so when I grep the LFD log it shows a bunch of ignored IP addresses from SSH
     
  5. eva2000 (Administrator, Staff Member)
    What are the exact symptoms you get that make you think it's banning you?

    What can you access on desktop? Anything? SSH into the server? If you can SSH in but can't view the site, it could be a block at the nginx server level. Can you access any other site on your server, i.e. the main hostname?
     
  6. Jake (Member)
    What I do: I am just simply viewing the main page; when I click to go somewhere else I get the generic "Can't connect" in the browser. I then attempt to open up SSH via PuTTY, doesn't work, then I attempt SSH via FileZilla, doesn't connect. But I do the exact same thing on my phone, and it works fine! I also asked users in the shoutbox, and they aren't experiencing any issues.
     
  7. eva2000 (Administrator, Staff Member)
    Who's your web host? Maybe they have a firewall level above your server?

    You can also grep all your server logs for your IP to see if any show the IP

    Code:
    grep -Ro youripaddress /var/log/*
     
  8. Jake (Member)
    It's Linode.
     
  9. Jake (Member)
    Code:
    grep -Ro youripaddress /var/log/*
    I did that and got a ton of stuff with my IP, what am I looking for?
     
  10. eva2000 (Administrator, Staff Member)
    To narrow it down, the far left should show the filename of the log as /var/log/filename

    This will only print the far left file name

    Code:
    grep -Ro youripaddress /var/log/* | awk -F ":" '{print $1}' | uniq
    What's the filename that is outputted?
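
The grep | awk | uniq pipeline from the two posts above, extended as an added example (not code from the thread) into a per-file hit count plus a one-line reading of what lfd last decided about the address. It runs against a constructed log directory so it can be tried offline; LOG_DIR and the sample log lines are assumptions, and on the real server the directory is /var/log.

```shell
#!/bin/sh
# Added example: count per-file hits for an IP across a log tree and read the
# lfd verdict for it. LOG_DIR and all log lines below are constructed samples.
LOG_DIR="$(mktemp -d)"
trap 'rm -rf "$LOG_DIR"' EXIT
mkdir -p "$LOG_DIR/nginx"

cat > "$LOG_DIR/nginx/access.log" <<'EOF'
198.51.100.7 - - [31/Mar/2015:08:10:01 +1000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2015:08:10:03 +1000] "GET /forum HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
cat > "$LOG_DIR/secure" <<'EOF'
Mar 31 08:11:22 skys02 sshd[2211]: Accepted publickey for root from 198.51.100.7 port 51122 ssh2
Mar 31 08:12:09 skys02 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2
EOF
cat > "$LOG_DIR/lfd.log" <<'EOF'
Mar 31 08:12:40 skys02 lfd[17986]: 198.51.100.7 (US/United States/-) found in csf.ignore - ignoring
Mar 31 08:13:05 skys02 lfd[17986]: 203.0.113.9 (DE/Germany/-), 5 (sshd) login failures in the last 3600 secs - *Blocked in csf* [LF_SSHD]
EOF

# hits_per_file IP: same search as `grep -Ro IP /var/log/*`, but -w stops
# 198.51.100.7 from also matching 198.51.100.70, and hits are counted per file
# and sorted so the busiest log comes first: "COUNT PATH" per line.
hits_per_file() {
    grep -RowF -- "$1" "$LOG_DIR" 2>/dev/null \
      | awk -F ':' '{ counts[$1]++ } END { for (f in counts) printf "%d %s\n", counts[f], f }' \
      | sort -rn
}

# files_mentioning IP: just the file names relative to LOG_DIR, sorted
# (what the thread's awk|uniq pipeline prints, minus the directory prefix).
files_mentioning() {
    hits_per_file "$1" | awk '{ print $2 }' | sed "s#^$LOG_DIR/##" | sort
}

# lfd_verdict IP: read the last lfd.log line for IP and reduce it to a verdict,
# pulling the trigger tag ([LF_SSHD], [LF_DISTATTACK], ...) when it was blocked.
lfd_verdict() {
    line=$(grep -F -- "$1" "$LOG_DIR/lfd.log" | tail -n 1)
    case "$line" in
        "")                     echo "no lfd entry" ;;
        *"*Blocked in csf*"*)   echo "blocked: $(printf '%s' "$line" | grep -o '\[[A-Z_]*]$')" ;;
        *csf.ignore*)           echo "ignored (csf.ignore)" ;;
        *)                      echo "seen, not blocked" ;;
    esac
}

for ip in 198.51.100.7 203.0.113.9 192.0.2.1; do
    echo "== $ip: $(lfd_verdict "$ip")"
    hits_per_file "$ip"
done
```

The point of the per-file count is triage: a desktop address that shows up only in nginx access logs and in lfd.log as "ignoring" was never blocked by csf, which pushes the investigation toward something outside the server (the thread's next question, the host's own firewall).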
     
  11. AlekseY (Member)
    If you changed the ssh port, you must add it to the trusted
     
  12. eva2000 (Administrator, Staff Member)
    FYI, if you change the SSHD port via centmin.sh menu option 16, it will auto-add the new SSHD port to the csf trusted ports list for TCP_IN

    Menu option 16 will prompt first for the default SSHD port currently used, i.e. 22, and then prompt for the new SSHD port you want to use.

    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.07 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu                 
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2, 5.5, 10 Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Re-install ImageMagick PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2,p7zip etc
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Exit
    --------------------------------------------------------
    Enter option [ 1 - 22 ]
    --------------------------------------------------------
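
The TCP_IN check that the two posts above describe, written out as an added example (not Centmin Mod's or CSF's own code): before sshd is restarted on a new port, confirm the port is already in csf.conf's TCP_IN, and add it if not, because restarting sshd first is the classic way to lock yourself out. CSF_CONF and the sample file are assumptions; on a real server the file is /etc/csf/csf.conf and the change takes effect after `csf -r`. It also handles csf's PORT:PORT range syntax, which the thread does not mention.

```shell
#!/bin/sh
# Added example: verify/insert a port in a csf.conf TCP_IN/TCP_OUT list.
# CSF_CONF points at a constructed fragment, not the real /etc/csf/csf.conf.
CSF_CONF="$(mktemp)"
trap 'rm -f "$CSF_CONF" "$CSF_CONF.new"' EXIT
cat > "$CSF_CONF" <<'EOF'
# constructed csf.conf fragment
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,30000:35000"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF

# conf_ports KEY: the comma-separated list for KEY (TCP_IN, TCP_OUT, ...);
# prints nothing if the key is absent or commented out.
conf_ports() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$CSF_CONF"
}

# port_allowed KEY PORT: exit 0 if PORT is in KEY's list, either as a literal
# entry or inside a csf range such as 30000:35000.
port_allowed() {
    conf_ports "$1" | tr ',' '\n' | awk -v p="$2" '
        /^[0-9]+$/        { if ($0 + 0 == p + 0) ok = 1 }
        /^[0-9]+:[0-9]+$/ { split($0, r, ":"); if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# add_port KEY PORT: append PORT to KEY's list if it is not already covered.
# Idempotent; writes through a temp file so a failed sed never truncates the config.
add_port() {
    port_allowed "$1" "$2" && return 0
    tmp="$CSF_CONF.new"
    sed "s/^\([[:space:]]*$1[[:space:]]*=[[:space:]]*\"[^\"]*\)\"/\1,$2\"/" "$CSF_CONF" > "$tmp" \
        && mv "$tmp" "$CSF_CONF"
}

NEW_SSH_PORT=2222   # constructed: the port sshd is about to move to
if port_allowed TCP_IN "$NEW_SSH_PORT"; then
    echo "port $NEW_SSH_PORT already in TCP_IN, safe to restart sshd"
else
    echo "port $NEW_SSH_PORT missing from TCP_IN, adding it (then: csf -r)"
    add_port TCP_IN "$NEW_SSH_PORT"
fi
echo "TCP_IN now: $(conf_ports TCP_IN)"
```

Run the check on TCP_IN only; TCP_OUT governs outbound connections from the server and has nothing to do with whether your own SSH session can get in.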