
CSF CSF Firewall info

Discussion in 'Other Centmin Mod Installed software' started by eva2000, May 25, 2014.

  1. Razib Hasan

    Thanks @eva2000,
    Submitting a ticket to RamNode right now. Btw, this is the BW graph right now (taken from NewRelic monitoring)

     
  2. Razib Hasan

    Thanks @RoldanLT ... SSH port has been changed when I set up the VPS :)
     
  3. RoldanLT

    Just change my ssh port below 1024.
     
  4. Liam W

    And for the unlucky of us that don't have static IPs? How do we allow all IPs?

    Liam
     
  5. eva2000

    google-fu How to allow dynamic dns in csf

    FYI
    • csf.dyndns = /etc/csf/csf.dyndns
    • csf.conf = /etc/csf/csf.conf

    noip.com and dnsexit.com are 2 dynamic dns providers you can use
     
    Last edited: Feb 7, 2015
  6. Liam W

    I use multiple different computers/mobile devices with multiple different IPs... How do I make it so that an IP doesn't have to be whitelisted to access SSH, like I have on my current servers?

    My IP changes every time my phone disconnects. I use my mobile tether for a general internet connection... I don't have a choice.

    Liam
     
  7. eva2000

    probably need to find a dynamic dns provider i.e. noip.com that has a client app for pc, mobile, tablet devices? i.e. for Android Dynamic DNS client - Android Apps on Google Play or No-IP client - Android Apps on Google Play

    Or get a VPN and connect through that. A lot of VPN providers have client apps for mobile and desktop too. Added security :)

    Or set up your own VPN server with VPS server i.e. use OpenVPN or something. I use OpenVPN on Brisbane and USA VPS so I have 2 dedicated IPs as well as all my mobile/wireless devices only ever access the internet via the OpenVPN mobile/tablet client (Android).
     
    Last edited: Feb 7, 2015
  8. Liam W

    So you're saying there's no way to configure CSF to allow all IPs?

    I do have a VPN associated with another VPS of mine... (I use it for Netflix & to bypass my mobile network's annoying content block). It's just an annoying faff though.

    Oh well.

    Liam
     
  9. eva2000

    Well you can whitelist the entire ip range for your ISP(s)

    i.e. for ip 174.36.202.235 according to http://whois.domaintools.com/174.36.202.235 CIDR range is 174.36.0.0/15 or for 174.36.202.232 - 174.36.202.235 is CIDR 174.36.202.232/30

    so whitelist those

    Code:
    csf -a 174.36.0.0/15
    or
    Code:
    csf -a 174.36.202.232/30
    probably can find your provider's name at IPv4 Address Space report | Overview of all IPv4 subnets and IP addresses available. and see all their ip ranges
     
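Added example, not part of the original thread: a short audit that shows how many addresses each whitelist entry admits, using the two ranges quoted in the post above (a /15 covers 131,072 addresses, the /30 covers 4). The sample allow list is constructed, and the function names and the 256-address threshold are assumptions of this example.

```python
import ipaddress

# Constructed csf.allow-style sample (not from a real server). The two
# 174.36.x.x ranges are the ones quoted in the post above; the others are
# documentation addresses.
SAMPLE_ALLOW = """\
# local notes
174.36.0.0/15 # whole provider allocation
174.36.202.232/30 # four addresses
203.0.113.7 # single host
tcp|in|d=22|s=198.51.100.0/24
"""

def parse_allow(text):
    """Return [(network, raw_line)] for every entry that carries an address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Advanced rules are pipe-separated; the address sits in an s=/d= field.
        fields = [f.split("=", 1)[1] for f in line.split("|") if "=" in f] or [line]
        for field in fields:
            try:
                entries.append((ipaddress.ip_network(field, strict=False), raw.strip()))
                break
            except ValueError:
                continue  # a port number or keyword, not an address
    return entries

def too_wide(text, max_addresses=256):
    """Return (network, address_count) for entries above the threshold, widest first."""
    wide = [(net, net.num_addresses) for net, _ in parse_allow(text)
            if net.num_addresses > max_addresses]
    return sorted(wide, key=lambda item: item[1], reverse=True)

def admitted_by(text, ip):
    """Return every allow-list network that would let `ip` through."""
    addr = ipaddress.ip_address(ip)
    return [net for net, _ in parse_allow(text)
            if net.version == addr.version and addr in net]

if __name__ == "__main__":
    for net, count in too_wide(SAMPLE_ALLOW):
        print(f"{net} admits {count} addresses")
    print(admitted_by(SAMPLE_ALLOW, "174.37.10.20"))
```

Running the same check against a copy of a real allow list before `csf -a` makes it clear which entries expose SSH to an entire provider rather than to one connection.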
  10. Liam W

    I just have a really bad feeling that I'm going to get locked out at some point in the very near future...

    At least my host provides VNC access...

    Liam
     
  11. eva2000

    whitelist your VPN ips to your servers as a backup and if you have more than one VPS/Server, whitelist their ips with each other, so you can SSH into any VPS from other VPS you have access to :)

    alternative to noip.com = DNSExit Free Dynamic DNS services for Dynamic IP
     
    Last edited: Feb 7, 2015
  12. eva2000

  13. eva2000

    @Liam W

    How to set dynamic dns hostname on DNSExit for CSF Whitelisting



    Very easy indeed to do :D

    step 1. Sign up for free dynamic dns subdomain hostname with DNSExit Free Dynamic DNS services for Dynamic IP i.e. yourhostname.publicvm.com

    step 2. Log into your VPS or dedicated servers and on SSH command line type the following lines. Remember to change the first DYNDNSHOST variable to your own hostname created from step 1 above.

    Code:
    DYNDNSHOST=yourhostname.publicvm.com
    
    Once changed, type the following in SSH window as root user
    Code:
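    DYNDNSHOST=yourhostname.publicvm.com
    # add the hostname to CSF's dynamic DNS list
    echo "$DYNDNSHOST" >> /etc/csf/csf.dyndns
    # switch DYNDNS to 300 and DYNDNS_IGNORE to 1 (these only match while the value is still "0")
    sed -i 's/DYNDNS = "0"/DYNDNS = "300"/' /etc/csf/csf.conf
    sed -i 's/DYNDNS_IGNORE = "0"/DYNDNS_IGNORE = "1"/' /etc/csf/csf.conf
    # restart csf, then confirm both settings and the new entry
    csf -r
    grep -E '^DYNDNS|^DYNDNS_IGNORE' /etc/csf/csf.conf
    tail -2 /etc/csf/csf.dyndns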
    
    Note, Centmin Mod .08 beta has been updated already with DYNDNS=300 and DYNDNS_IGNORE=1 settings for csf.conf

    step 3. Download and install DNS Update client from Dynamic DNS IP Update Clients - ipUpdaters on your local PC so it auto updates your dynamically assigned IP address from your ISP. DNSExit also offers a URL API to update the IP manually too.

     
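Added example, not part of the original thread: the step 2 commands append the hostname every time they are run, and the sed substitutions only match a value of "0". This sketch applies the same two settings and the same hostname entry idempotently on text copies of the files; the function names, the hostname pattern and the sample contents are assumptions of this example.

```python
import re

# Constructed csf.conf fragment: DYNDNS was already changed from the default.
SAMPLE_CONF = 'LF_DAEMON = "1"\nDYNDNS = "600"\nDYNDNS_IGNORE = "0"\n'
# Constructed csf.dyndns content using the placeholder hostname from the post.
SAMPLE_DYNDNS = "yourhostname.publicvm.com\n"

# Conservative hostname check: dot-separated letter/digit/hyphen labels and a TLD.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\Z", re.I)

def set_option(conf, key, value):
    """Return conf with KEY = "value", whatever the previous value was."""
    pattern = re.compile(rf'^{re.escape(key)}\s*=\s*"[^"]*"', re.M)
    line = f'{key} = "{value}"'
    new_conf, count = pattern.subn(lambda _m: line, conf, count=1)
    if count:
        return new_conf
    return conf.rstrip("\n") + "\n" + line + "\n"  # key absent: append it

def add_host(dyndns, host):
    """Return dyndns with host listed exactly once; reject malformed names."""
    host = host.strip().lower()
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"not a valid hostname: {host!r}")
    present = {entry.strip().lower() for entry in dyndns.splitlines()}
    if host in present:
        return dyndns  # already listed, do not append a duplicate
    prefix = dyndns.rstrip("\n") + "\n" if dyndns.strip() else ""
    return prefix + host + "\n"

if __name__ == "__main__":
    conf = set_option(set_option(SAMPLE_CONF, "DYNDNS", "300"), "DYNDNS_IGNORE", "1")
    print(conf, end="")
    print(add_host(SAMPLE_DYNDNS, "yourhostname.publicvm.com"), end="")
```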
  14. RoldanLT

    By the way, Cloudflare updated their list of IPv4 IPs.
     
  15. eva2000

  16. RoldanLT

    By the way, how to reset csf.conf config to the default value?
    And issuing this command gives me an error:
     
  17. eva2000

    no way to set to csf defaults, as Centmin Mod overrides those defaults. I suppose, I can add in backup original csf.conf before modifying it for .08 beta

    as to error for xt_connlimit module kernel support is configured at VPS host level - so you need for your web host to enable or configure it at host level i.e. OpenVZ VPS is common one for not having it configured for some web hosts at OpenVZ host node level. Hence, another reason I prefer KVM or Xen based VPSes ;)
     
  18. eva2000

    ah ha I was smart enough to do that in inc/csfinstall.inc line 29 has a backup of original csf.conf BEFORE any centmin mod tweaks were done :)

    backup original csf.conf before Centmin Mod tweaks /etc/csf/csf.conf-bak
    Code:
    cp -a /etc/csf/csf.conf /etc/csf/csf.conf-bak
     
  19. RoldanLT

    It was Linode :)
    I'm sure that's non-OpenVZ.
     
  20. eva2000

    well conn tracking isn't enabled on linode so xt_connlimit isn't needed AFAIK

    so error from perl /usr/local/csf/bin/csftest.pl can be ignored

    edit: okay according to xt_connlimit error CSF | mickeylee.co.uk Linode's custom kernels have built in support for xt_connlimit, so it isn't loaded as a module, so CSF test is a false error.
     
    Last edited: Apr 30, 2015