
Sysadmin Csf firewall doesn't block ip

Discussion in 'System Administration' started by pamamolf, Aug 13, 2016.

  1. pamamolf

    pamamolf Premium Member Premium Member

    4,084
    428
    83
    May 31, 2014
    Ratings:
    +834
    Local Time:
    3:03 PM
    Nginx-1.25.x
    MariaDB 10.3.x
    Hi

    I just got a booter to test the attack on my server :)

    When the attack starts on the server I can easily see the new IP with 12 connections that is from the booter :)

    Then I add the IP to:

    Code:
    /etc/csf/csf.deny
    and then I run csf -r

    but the IP was not blocked and continued to attack the server :(

    Am I doing it the wrong way?

     
  2. eva2000

    eva2000 Administrator Staff Member

    54,548
    12,221
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,790
    Local Time:
    11:03 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  3. pamamolf

    The tutorial says:

    confused :(

    =============
    Deny banning IPs:
    =============

    CSF Firewall can ban or deny ip addresses using SSH telnet and command where xxx.xxx.xxx.xxx is IP address:

    csf -d xxx.xxx.xxx.xxx

    Or you can edit allow list at /etc/csf/csf.deny
     
  4. eva2000

    yeah you can edit but cmd line is easier :)
     
  5. pamamolf

    Yes, but the IP is not banned :(

    The IP is still hitting the server....don't know why but it seems to not kill the active connection....

    After banning the IP I check again for IPs with more connections on the server and it is there :(
     
  6. Sunka

    Sunka Well-Known Member

    1,150
    325
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +525
    Local Time:
    2:03 PM
    Nginx 1.17.9
    MariaDB 10.3.22
    Did you restart csf?
     
  7. eva2000

    Last edited: Aug 13, 2016
  8. pamamolf

    @Sunka
    Yes I did, with the csf -r command...

    @eva2000
    Ok I will check again :)
     
  9. pamamolf

    I just tried it with:

    Code:
    csf -d xxx.xxx.xxx.xxx
    I didn't restart csf as I think it is not needed to start blocking the IP, and then I checked the /etc/csf/csf.deny file and the entry is there but commented with # in front :(
     
  10. eva2000

    that's weird. If you uncomment the entry, does it block?
     
  11. pamamolf

    I removed the # from the front and then I restarted with csf -r, and then I was able to browse the forum without any issues and connect using ssh and so on....and that's related to my first post here :(
     
  12. eva2000

    tried updating csf manually ?
    Code (Text):
    csf -u
    csf is already at the latest version: v9.11
     
  13. eva2000

    also run csftest.pl to make sure your server has all the required modules etc
    Code (Text):
    /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    
    RESULT: csf should function on this server
     
  14. pamamolf

    No, I never ran anything related to csf firewall....

    Code:
    [root@server ~]# csf -u
    csf is already at the latest version: v9.11
    and:

    Code:
    [root@server ~]# /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    
    RESULT: csf should function on this server
     
    Last edited: Aug 20, 2016
  15. pamamolf

    Maybe fail2ban broke something?

    It is the only firewall-related thing that I did.....I just installed it and have not tried it yet....

    But can the installation take over csf's ability to ban? Don't think so....
     
  16. eva2000

    where are you looking to see that the ip being blocked is still being logged attacking the server ?

    if you're behind a proxy like cloudflare etc. you could have incorrectly set up realip detection, and even so, iptables and csf firewall won't work then as they can't see the real IP, so blocking needs to be done from the proxy front end, i.e. cloudflare
     
  17. pamamolf

    I used a VPN connection and went to whatismyip (using Chrome), got the IP and banned it using csf -d iphere, then just to be sure I ran csf -r, and then I restarted the browser and tried to surf the forum on the server where I had banned the IP, and I was able to browse all posts without any issues :(

    Then I double checked my IP at whatismyip and it was the correct one that I had banned....
     
  18. eva2000

  19. pamamolf

    Can you test it on a Centminmod test server of yours and see if you also have that issue?

    Never had any issues with csf firewall....don't know why now it can't ban an IP...
     
  20. eva2000

    works fine for me, test temp block of ip from tcp in port 22 for 60 seconds only
    Code (Text):
    csf -td ipaddr 60 -p 22 -d in
    DROP  tcp opt -- in !lo out *  ipaddr  -> 0.0.0.0/0   tcp dpt:22
    csf: ipaddr blocked on port 22 for 60 seconds inbound
    

    I couldn't log into sshd for those 60 seconds
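
A check for the symptom reported in post 9 (the entry is in /etc/csf/csf.deny but commented out) and for whether a matching DROP rule is actually loaded, as an added example that is not part of the thread or of csf itself. It assumes csf.deny holds one entry per line with `#` starting a comment; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed csf.deny layout: one entry per line, "#" starts a comment.

# deny_status FILE IP -> prints "active", "commented" or "absent"
deny_status() {
    awk -v ip="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (substr(line, 1, 1) == "#") {
                # Commented line: is the IP the first token after the "#"?
                sub(/^#+[ \t]*/, "", line)
                split(line, f, /[ \t]+/)
                if (f[1] == ip) commented = 1
                next
            }
            sub(/[ \t]*#.*$/, "", line)      # strip trailing comment
            split(line, f, /[ \t]+/)
            if (f[1] == ip) active = 1
        }
        END { print (active ? "active" : (commented ? "commented" : "absent")) }
    ' "$1"
}

# rule_present IP -> exit 0 if the rules on stdin (e.g. from `iptables -S`)
# contain a DROP or REJECT rule whose source is exactly IP
rule_present() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Eq -e "-s ${pat}(/32)? .*-j (DROP|REJECT)"
}

# Constructed sample data (documentation-range addresses, not from the thread)
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
203.0.113.7 # Manually denied - constructed entry
#198.51.100.9 # constructed entry that is commented out
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
for ip in 203.0.113.7 198.51.100.9 192.0.2.1; do
    printf '%s: %s\n' "$ip" "$(deny_status "$sample" "$ip")"
done
rm -f "$sample"
```

On a live server the same functions would be called as `deny_status /etc/csf/csf.deny <ip>` and `iptables -S | rule_present <ip>`.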