CSF Does centminmod limits/restrict Incoming PING/ICMP_IN?

rdan · Apr 9, 2018

Aside from ICMP_IN_RATE on csf.conf?

I have this problem with OVH Dedicated servers when I ping a single Server IP
from several location including my Local Desktop it gets timeout a lot.

OVH Dedicated servers on CA and SGP running CentOS 7.4.
Both just installed last month.

rdan · Apr 9, 2018

I even get several OVH Monitoring Emails per day that trigger the timeout.
Then will be alive again after a minute/few seconds.

But websites running fine.

rdan · Apr 9, 2018

If someone can share their OVH Server IP with Centminmod installed also, It would be great so I can test on that also.

rdan · Apr 9, 2018

I compare some csf.conf, Why is that some has?

# Versions of iptables greater or equal to v1.4.20 should support the --wait
# option. This forces iptables commands that use the option to wait until a
# lock by any other process using iptables completes, rather than simply
# failing
#
# Enabling this feature will add the --wait option to iptables commands
#
# NOTE: The disadvantage of using this option is that any iptables command that
# uses it will hang until the lock is released. This could cause a cascade of
# hung processes trying to issue iptables commands. To try and avoid this issue
# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
# a failure if reached
Click to expand...

WAITLOCK = "1"
or
WAITLOCK = "0"

eva2000 · Apr 9, 2018

RoldanLT said: ↑

Aside from ICMP_IN_RATE on csf.conf?
Click to expand...

only CSF Firewall setting that affects ping inbound rates AFAIK. What's exact ping command you use ? where are you ping from ?

RoldanLT said: ↑

I even get several OVH Monitoring Emails per day that trigger the timeout.
Then will be alive again after a minute/few seconds.

But websites running fine.
Click to expand...

Did you properly whitelist OVH monitoring ips etc as per https://community.centminmod.com/threads/ovh-icmp-ping-whitelist-for-csf-firewall.11427/

RoldanLT said: ↑

I compare some csf.conf, Why is that some has?
Click to expand...

maybe ask on CSF forums https://forum.configserver.com/ ?

ArisC · Apr 9, 2018

The default limit is set to 1/s, meaning one request per second, so if 3 or 6 monitors all ping your server at the same time, then some/most of them will fail due to this limit. Either set it higher than 1/s (which is the default) or set it to 0 to remove the limit completely

rdan · Apr 10, 2018

eva2000 said: ↑

What's exact ping command you use ?
Click to expand...

ping MyIP -t
on my Windows CMD.

eva2000 said: ↑

where are you ping from ?
Click to expand...

My local desktop.

eva2000 said: ↑

Did you properly whitelist OVH monitoring ips etc as per OVH - OVH ICMP Ping Whitelist for CSF Firewall
Click to expand...

Not yet, I'll do it now.

rdan · Apr 10, 2018

grep -i 'ICMP_IN Blocked' /var/log/messages| tail -5| awk '{print $1,$2,$3,$5,$6,$7,$8,$9,$12,$13,$19,$20}'; date
Click to expand...

Yay I can see my IP and some OVH IP being blocked .

rdan · Apr 10, 2018

ArisC said: ↑

The default limit is set to 1/s, meaning one request per second, so if 3 or 6 monitors all ping your server at the same time, then some/most of them will fail due to this limit. Either set it higher than 1/s (which is the default) or set it to 0 to remove the limit completely
Click to expand...

I have set it to 10 per second already, I think that helps.

rdan · Apr 10, 2018

To authorize SSH from our server, type the following rule:

iptables -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
Click to expand...

So I'll change port 22 with my custom ssh port?

eva2000 · Apr 10, 2018

RoldanLT said: ↑

So I'll change port 22 with my custom ssh port?
Click to expand...

yup

rdan · Apr 10, 2018

Anyway we can enable RTM on Centminmod based server?

rdan · Apr 10, 2018

# whereis iptables
iptables: /usr/sbin/iptables /usr/include/iptables /usr/include/iptables.h /usr/libexec/iptables /usr/share/man/man8/iptables.8.gz
Click to expand...

# which iptables
/usr/sbin/iptables
Click to expand...

But your code use /sbin/iptables only, is that fine?

rdan · Apr 10, 2018

I also added UptimeRobot and PingDom IP's to csf.allow and csf.ignore, seems to help.

eva2000 · Apr 10, 2018

RoldanLT said: ↑

Anyway we can enable RTM on Centminmod based server?
Click to expand...

try and see RTM: your server status in real time - OVH

RoldanLT said: ↑

But your code use /sbin/iptables only, is that fine?
Click to expand...

both iptables commands go to same place
Code (Text):
ls -lah /sbin/iptables
lrwxrwxrwx 1 root root 13 Mar 28 03:48 /sbin/iptables -> xtables-multi
Code (Text):
ls -lah /usr/sbin/iptables
lrwxrwxrwx 1 root root 13 Mar 28 03:48 /usr/sbin/iptables -> xtables-multi
Code (Text):
rpm -ql iptables | grep bin
/usr/bin/iptables-xml
/usr/sbin/ip6tables
/usr/sbin/ip6tables-restore
/usr/sbin/ip6tables-save
/usr/sbin/iptables
/usr/sbin/iptables-restore
/usr/sbin/iptables-save
/usr/sbin/xtables-multi

ArisC · Apr 12, 2018

I currently have the same problem with Linode, I have some servers in Vultr default csf and one server on Linode and I'm getting timeouts... Weird.... I'm using hetrixtools

eva2000 · Apr 12, 2018

Well technically you should whitelist your respective owned VPS/servers with each respective CSF Firewall if you want to continuously ping or remotely connect with each other

For monitors you should also whitelist their ips if you have issues some examples outlined at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS

Log in / Register

Forums

Join the community today

CSF Does centminmod limits/restrict Incoming PING/ICMP_IN?

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

ArisC Active Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

ArisC Active Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

CSF Does centminmod limits/restrict Incoming PING/ICMP_IN?

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

ArisC Active Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

rdan Premium Member Premium Member

eva2000 Administrator Staff Member

ArisC Active Member

eva2000 Administrator Staff Member

.