CSF CSF Firewall info

Razib Hasan · Sep 30, 2014

Thanks @eva2000 ,
Submitting a ticket to RamNode right now. Btw, this is the BW graph right now (taken from NewRelic monitoring)

Razib Hasan · Sep 30, 2014

RoldanLT said: ↑

Thru:
#cmdir
#./centmin.sh
16
Click to expand...

Thanks @RoldanLT ... SSH port has been changed when I set up the VPS

RoldanLT · Oct 1, 2014

Just change my ssh port below 1024.

Liam W · Feb 7, 2015

eva2000 said: ↑
oh yes need to allow the ip too via CSF firewall - better security
Code:
csf -a ipaddress
Click to expand...
And for the unlucky of us that don't have static IP's? How do we allow all IP's?

Liam

eva2000 · Feb 7, 2015

Liam W said: ↑

And for the unlucky of us that don't have static IP's? How do we allow all IP's?

Liam
Click to expand...

google-fu How to allow dynamic dns in csf

FYI

csf.dyndns = /etc/csf/csf.dyndns

csf.conf = /etc/csf/csf.conf

If you are using Linux server and have CSF enabled on it, you may wish to allow some dynamic IPs to be whitelisted in CSF for whatever reason may be (if you run a DJ site etc). This can be done by using option "Allow Dynamic DNS IP addresses - always allow your IP address even if it changes whenever you connect to the internet" in CSF.

1) Register at no-ip.com for free dynamic DNS.

2) Setup a hostname and point hostname to the static or dynamic IP. (it will take your current IP)

3) Install the client side software of no-ip on the local machine and configure the software to connect the hostname at your no-ip account

4) Open the file "csf.dyndns" present on your server and add the hostname of your no-ip account.

5) Open the file "csf.conf" present on your server and set DYNDNS = "300" which would would check for IP updates every 5 minutes

6) Open the file "csf.conf" present on your server and set DYNDNS_IGNORE = "1" to always ignore DYNDNS IP addresses in lfd blocking

7) Restart the firewall

Now whenever client is running no-ip software on local machine and his local machine IP gets change, its updated at no-ip server and CSF checks for the updates at no-ip server.
Click to expand...

noip.com and dnsexit.com are 2 dynamic dns providers you can use

Liam W · Feb 7, 2015

I use multiple different computers/mobile devices with multiple different IP's... How do I make it so that an IP doesn't have to be whitelisted to access SSH, like I have on my current servers?

My IP changes every time my phone disconnects. I use my mobile tether for a general internet connection... I don't have a choice.

Liam

eva2000 · Feb 7, 2015

probably need to find a dynamic dns provider i.e. noip.com that has a client app for pc, mobile, tablet devices ? i.e. for Android Dynamic DNS client - Android Apps on Google Play or No-IP client - Android Apps on Google Play

Or get a VPN and connect through that. Alot of VPN providers have client apps for mobile and desktop too. Added security

Or setup your own VPN server with VPS server i.e. use OpenVPN or something. I use OpenVPN on Brisbane and USA VPS so I have 2 dedicated IPs as well as all my mobile/wireless devices only ever access the internet via the OpenVPN mobile/tablet client (Android).

Liam W · Feb 7, 2015

So you're saying there's no way to configure CSF to allow all IPs?

I do have a VPN associated with another VPS of mine... (I use it for Netflix & to bypass my mobile networks annoying content block). It's just an annoying faf though.

Oh well.

Liam

eva2000 · Feb 7, 2015

Liam W said: ↑

So you're saying there's no way to configure CSF to allow all IPs?

I do have a VPN associated with another VPS of mine... (I use it for Netflix & to bypass my mobile networks annoying content block). It's just an annoying faf though.

Oh well.

Liam
Click to expand...

Well you can whitelist the entire ip range for your ISP(s)

i.e. for ip 174.36.202.235 according to http://whois.domaintools.com/174.36.202.235 CIDR range is 174.36.0.0/15 or for 174.36.202.232 - 174.36.202.235 is CIDR 174.36.202.232/30

so whitelist those
Code:
csf -a 174.36.0.0/15
or
Code:
csf -a 174.36.202.232/30
probably can find your provider's name at IPv4 Address Space report | Overview of all IPv4 subnets and IP addresses available. and see all there ip ranges

Liam W · Feb 7, 2015

I just have a really bad feeling that I'm going to get locked out at some point in the very near future...

At least my host provides VNC access...

Liam

eva2000 · Feb 7, 2015

whitelist your VPN ips to your servers as a backup and if you have more than one VPS/Server, whitelist their ips with each other, so you can SSH into any VPS from other VPS you have access to

alternative to noip.com = DNSExit Free Dynamic DNS services for Dynamic IP

eva2000 · Feb 7, 2015

@Liam W moved posts to the dedicated CSF Firewall thread

Also might want to check out @Guilherme Jaccoud 's cloudflare solution for dynamic IP whitelisting in CSF CSF block all except csf.dyndns | Centmin Mod Community

eva2000 · Feb 7, 2015

@Liam W

How to set dynamic dns hostname on DNSExit for CSF Whitelisting

Very easy indeed to do

step 1. Sign up for free dynamic dns subdomain hostname with DNSExit Free Dynamic DNS services for Dynamic IP i.e. yourhostname.publicvm.com

step 2. Log into your VPS or dedicated servers and on SSH command line type the following lines. Remember to change the first DYNDNSHOST variable to your own hostname created from step 1 above.
Code:
DYNDNSHOST=yourhostname.publicvm.com
Once changed, type the following in SSH window as root user
Code:
DYNDNSHOST=yourhostname.publicvm.com
echo "$DYNDNSHOST" >> /etc/csf/csf.dyndns;
sed -i 's/DYNDNS = \"0\"/DYNDNS = \"300\"/' /etc/csf/csf.conf;
sed -i 's/DYNDNS_IGNORE = \"0\"/DYNDNS_IGNORE = \"1\"/' /etc/csf/csf.conf;
csf -r;
egrep '^DYNDNS|^DYNDNS_IGNORE' /etc/csf/csf.conf;
tail -2 /etc/csf/csf.dyndns;
Note, Centmin Mod .08 beta has been updated already with DYNDNS=300 and DYNDNS_IGNORE=1 settings for csf.conf

step 3. Download and install DNS Update client from Dynamic DNS IP Update Clients - ipUpdaters on your local PC so it auto updates your dynamically assigned IP address from your ISP. DNSExit also offer url API to update the IP manually too.

We also provide you a URL that you can use to update your domain/subdomain IP from any internet connection, anywhere. This means that if you do not have one of the automatic update clients you can still perform painless updates to your subdomain IP by posting the following URL on a browser:

http://update.dnsexit.com/RemoteUpdate.sv?login=yourlogin&password=yourpassword&host=yourhost.yourdomain.com&myip=xxx.xx.xx.xxx

replacing the form values with your own account and domain data.

myip is optional. If not set, the IP address of your network will be detected and used as the IP for the host(subdomain).

host can have multiple hosts(subdomains) updated at the same time by seperating each host by ;. ie. host=host1.mydomain.com;host2.otherdomain.com.

password is the password for your web login. However, it is recommended that you setup a dynamic IP update password that is different from your web login password. You can login to your account, then go to "Account Profile" -> "IP Update Password" to setup dynamic IP update password.

Click to expand...

RoldanLT · Apr 29, 2015

By the way, Cloudflalre updated their list of IPV4 IP.

eva2000 · Apr 29, 2015

RoldanLT said: ↑

By the way, Cloudflalre updated their list of IPV4 IP.
Click to expand...

cheers updated list at CSF Firewall - Centmin Mod - Menu based Nginx installer for CentOS servers

RoldanLT · Apr 29, 2015

By the way, how to reset csf.conf config to the default value?
And issuing this command give me an error:

# perl /usr/local/csf/bin/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Protocol wrong type for socket.] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf will function on this server but some features will not work due to some missing iptables modules [1]
Click to expand...

eva2000 · Apr 29, 2015

no way to set to csf defaults, as Centmin Mod overrides those defaults. I suppose, I can add in backup original csf.conf before modifying it for .08 beta

as to error for xt_connlimit module kernel support is configured at VPS host level - so you need for your web host to enable or configure it at host level i.e. OpenVZ VPS is common one for not having it configured for some web hosts at OpenVZ host node level. Hence, another reason I prefer KVM or Xen based VPSes

eva2000 · Apr 29, 2015

eva2000 said: ↑

no way to set to csf defaults, as Centmin Mod overrides those defaults. I suppose, I can add in backup original csf.conf before modifying it for .08 beta
Click to expand...

ah ha I was smart enough to do that in inc/csfinstall.inc line 29 has a backup of original csf.conf BEFORE any centmin mod tweaks were done

backup original csf.conf before Centmin Mod tweaks /etc/csf/csf.conf-bak
Code:
cp -a /etc/csf/csf.conf /etc/csf/csf.conf-bak

RoldanLT · Apr 30, 2015

eva2000 said: ↑

as to error for xt_connlimit module kernel support is configured at VPS host level - so you need for your web host to enable or configure it at host level i.e. OpenVZ VPS is common one for not having it configured for some web hosts at OpenVZ host node level. Hence, another reason I prefer KVM or Xen based VPSes
Click to expand...

It was Linode
I'm sure that non OpenVZ.

eva2000 · Apr 30, 2015

well conn tracking isn't enabled on linode so xt_connlimit isn't needed AFAIK

so error from perl /usr/local/csf/bin/csftest.pl can be ignored

edit: okay according to xt_connlimit error CSF | mickeylee.co.uk Linode's custom kernels have built in support for xt_connlimit, so it isn't loaded as a module, so CSF test is a false error.

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

CSF CSF Firewall info

Razib Hasan Premium Member Premium Member

Razib Hasan Premium Member Premium Member

RoldanLT Well-Known Member

Liam W Member

eva2000 Administrator Staff Member

Liam W Member

eva2000 Administrator Staff Member

Liam W Member

eva2000 Administrator Staff Member

Liam W Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

How to set dynamic dns hostname on DNSExit for CSF Whitelisting

RoldanLT Well-Known Member

eva2000 Administrator Staff Member

RoldanLT Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

RoldanLT Well-Known Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

CSF CSF Firewall info

Razib Hasan Premium Member Premium Member

Razib Hasan Premium Member Premium Member

RoldanLT Well-Known Member

Liam W Member

eva2000 Administrator Staff Member

Liam W Member

eva2000 Administrator Staff Member

Liam W Member

eva2000 Administrator Staff Member

Liam W Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

How to set dynamic dns hostname on DNSExit for CSF Whitelisting

RoldanLT Well-Known Member

eva2000 Administrator Staff Member

RoldanLT Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

RoldanLT Well-Known Member

eva2000 Administrator Staff Member

.