
CSF Firewall info

Discussion in 'Other Centmin Mod Installed software' started by eva2000, May 25, 2014.

  1. Razib Hasan

    Razib Hasan Member

    Thanks @eva2000 ,
    Submitting a ticket to RamNode right now. Btw, this is the BW graph right now (taken from NewRelic monitoring)


    [IMG]
  2. Razib Hasan

    Razib Hasan Member

    Thanks @RoldanLT ... SSH port has been changed when I set up the VPS :)
  3. rdan

    rdan Well-Known Member

    Just change my ssh port below 1024.
  4. Liam W

    Liam W Member

    And for the unlucky of us that don't have static IPs? How do we allow all IPs?

    Liam
  5. eva2000

    eva2000 Administrator Staff Member

    google-fu How to allow dynamic dns in csf

    FYI
    • csf.dyndns = /etc/csf/csf.dyndns
    • csf.conf = /etc/csf/csf.conf

    noip.com and dnsexit.com are 2 dynamic dns providers you can use
    Last edited: Feb 7, 2015
  6. Liam W

    Liam W Member

    I use multiple different computers/mobile devices with multiple different IPs... How do I make it so that an IP doesn't have to be whitelisted to access SSH, like I have on my current servers?

    My IP changes every time my phone disconnects. I use my mobile tether for a general internet connection... I don't have a choice.

    Liam
  7. eva2000

    eva2000 Administrator Staff Member

    probably need to find a dynamic dns provider i.e. noip.com that has a client app for pc, mobile, tablet devices ? i.e. for Android Dynamic DNS client - Android Apps on Google Play or No-IP client - Android Apps on Google Play

    Or get a VPN and connect through that. A lot of VPN providers have client apps for mobile and desktop too. Added security :)

    Or set up your own VPN server with a VPS server i.e. use OpenVPN or something. I use OpenVPN on Brisbane and USA VPS so I have 2 dedicated IPs as well as all my mobile/wireless devices only ever access the internet via the OpenVPN mobile/tablet client (Android).
    Last edited: Feb 7, 2015
  8. Liam W

    Liam W Member

    So you're saying there's no way to configure CSF to allow all IPs?

    I do have a VPN associated with another VPS of mine... (I use it for Netflix & to bypass my mobile network's annoying content block). It's just an annoying faff though.

    Oh well.

    Liam
  9. eva2000

    eva2000 Administrator Staff Member

    Well you can whitelist the entire ip range for your ISP(s)

    i.e. for ip 174.36.202.235 according to http://whois.domaintools.com/174.36.202.235 CIDR range is 174.36.0.0/15 or for 174.36.202.232 - 174.36.202.235 is CIDR 174.36.202.232/30

    so whitelist those

    Code:
    csf -a 174.36.0.0/15
    or
    Code:
    csf -a 174.36.202.232/30
    probably can find your provider's name at IPv4 Address Space report | Overview of all IPv4 subnets and IP addresses available. and see all their IP ranges
  10. Liam W

    Liam W Member

    I just have a really bad feeling that I'm going to get locked out at some point in the very near future...

    At least my host provides VNC access...

    Liam
  11. eva2000

    eva2000 Administrator Staff Member

    whitelist your VPN ips to your servers as a backup and if you have more than one VPS/Server, whitelist their ips with each other, so you can SSH into any VPS from other VPS you have access to :)

    alternative to noip.com = DNSExit Free Dynamic DNS services for Dynamic IP
    Last edited: Feb 7, 2015
  12. eva2000

    eva2000 Administrator Staff Member

  13. eva2000

    eva2000 Administrator Staff Member

    @Liam W

    How to set dynamic dns hostname on DNSExit for CSF Whitelisting



    Very easy indeed to do :D

    step 1. Sign up for free dynamic dns subdomain hostname with DNSExit Free Dynamic DNS services for Dynamic IP i.e. yourhostname.publicvm.com

    step 2. Log into your VPS or dedicated servers and on SSH command line type the following lines. Remember to change the first DYNDNSHOST variable to your own hostname created from step 1 above.

    Code:
    DYNDNSHOST=yourhostname.publicvm.com
    
    Once changed, type the following in SSH window as root user
    Code:
    DYNDNSHOST=yourhostname.publicvm.com
    # register the hostname for csf/lfd to resolve
    echo "$DYNDNSHOST" >> /etc/csf/csf.dyndns;
    # resolve the csf.dyndns entries every 300 seconds (0 = disabled)
    sed -i 's/DYNDNS = \"0\"/DYNDNS = \"300\"/' /etc/csf/csf.conf;
    # exempt the resolved IPs from lfd blocking
    sed -i 's/DYNDNS_IGNORE = \"0\"/DYNDNS_IGNORE = \"1\"/' /etc/csf/csf.conf;
    # restart csf and verify the changes
    csf -r;
    egrep '^DYNDNS|^DYNDNS_IGNORE' /etc/csf/csf.conf;
    tail -2 /etc/csf/csf.dyndns;
    
    Note, Centmin Mod .08 beta has been updated already with DYNDNS=300 and DYNDNS_IGNORE=1 settings for csf.conf

    step 3. Download and install a DNS Update client from Dynamic DNS IP Update Clients - ipUpdaters on your local PC so it auto updates your dynamically assigned IP address from your ISP. DNSExit also offers a URL API to update the IP manually too.
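The step 2 edit above appends the hostname unconditionally, so running it twice leaves a duplicate line in csf.dyndns, and the sed only fires when the value is still "0". The functions below do the same edit in a form that can be re-run safely and that rejects a hostname containing anything other than letters, digits, dots and hyphens before it reaches the firewall config. This is an added example, not code from the post or from Centmin Mod. It assumes the `KEY = "value"` line format of csf.conf that the sed commands above rely on, and the demo works on a constructed copy in a temporary directory rather than on /etc/csf; on a real server you would pass /etc/csf/csf.conf and /etc/csf/csf.dyndns and run `csf -r` afterwards.

```shell
#!/bin/sh
# Added example: idempotent csf dynamic-DNS configuration (not Centmin Mod code).

set_csf_option() {
    # usage: set_csf_option FILE KEY VALUE -> rewrite KEY = "..." in place,
    # appending the line if KEY is not present yet
    _file=$1; _key=$2; _value=$3
    if grep -q "^$_key = " "$_file" 2>/dev/null; then
        sed -i "s/^$_key = \"[^\"]*\"/$_key = \"$_value\"/" "$_file"
    else
        printf '%s = "%s"\n' "$_key" "$_value" >> "$_file"
    fi
}

get_csf_option() {
    # usage: get_csf_option FILE KEY -> prints the value without its quotes
    sed -n "s/^$2 = \"\([^\"]*\)\".*/\1/p" "$1"
}

add_dyndns_host() {
    # usage: add_dyndns_host FILE HOSTNAME -> appends once, never duplicates
    _file=$1; _host=$2
    case $_host in
        ""|*[!A-Za-z0-9.-]*) echo "invalid hostname: $_host" >&2; return 1 ;;
    esac
    grep -qxF "$_host" "$_file" 2>/dev/null || echo "$_host" >> "$_file"
}

configure_dyndns() {
    # usage: configure_dyndns CSF_CONF CSF_DYNDNS HOSTNAME
    add_dyndns_host "$2" "$3" || return 1
    set_csf_option "$1" DYNDNS 300         # poll the hostname every 300 s
    set_csf_option "$1" DYNDNS_IGNORE 1    # exempt its IP from lfd blocks
}

# --- demo on a constructed csf.conf fragment, not a real one ---
demo_dir=$(mktemp -d)
conf=$demo_dir/csf.conf
dyn=$demo_dir/csf.dyndns
cat > "$conf" <<'EOF'
# constructed fragment of csf.conf for the demo
TESTING = "0"
DYNDNS = "0"
DYNDNS_IGNORE = "0"
EOF
configure_dyndns "$conf" "$dyn" yourhostname.publicvm.com
configure_dyndns "$conf" "$dyn" yourhostname.publicvm.com   # second run changes nothing
grep -E '^DYNDNS|^DYNDNS_IGNORE' "$conf"
cat "$dyn"
```

The hostname check matters because csf.dyndns is read by lfd as a list of names to resolve and then trust; a stray shell character or an empty line in that file is easy to miss in a tail -2.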

  14. rdan

    rdan Well-Known Member

    By the way, Cloudflare updated their list of IPv4 IPs.
  15. eva2000

    eva2000 Administrator Staff Member

  16. rdan

    rdan Well-Known Member

    By the way, how do I reset the csf.conf config to the default values?
    And issuing this command gives me an error:
  17. eva2000

    eva2000 Administrator Staff Member

    no way to set to csf defaults, as Centmin Mod overrides those defaults. I suppose I can add in a backup of the original csf.conf before modifying it for .08 beta

    as to the error for the xt_connlimit module: kernel support is configured at VPS host level - so you need your web host to enable or configure it at host level i.e. OpenVZ VPS is a common one for not having it configured for some web hosts at OpenVZ host node level. Hence, another reason I prefer KVM or Xen based VPSes ;)
  18. eva2000

    eva2000 Administrator Staff Member

    ah ha I was smart enough to do that in inc/csfinstall.inc line 29 has a backup of original csf.conf BEFORE any centmin mod tweaks were done :)

    backup original csf.conf before Centmin Mod tweaks /etc/csf/csf.conf-bak
    Code:
    cp -a /etc/csf/csf.conf /etc/csf/csf.conf-bak
  19. rdan

    rdan Well-Known Member

    It was Linode :)
    I'm sure that's non-OpenVZ.
  20. eva2000

    eva2000 Administrator Staff Member

    well conn tracking isn't enabled on linode so xt_connlimit isn't needed AFAIK

    so error from perl /usr/local/csf/bin/csftest.pl can be ignored

    edit: okay according to xt_connlimit error CSF | mickeylee.co.uk Linode's custom kernels have built in support for xt_connlimit, so it isn't loaded as a module, so CSF test is a false error.
    Last edited: Apr 30, 2015