Join the community today
Register Now

Firewall CSF issue

Discussion in 'System Administration' started by Andy, Aug 7, 2015.

  1. Andy

    Andy Active Member

    Aug 6, 2014
    Local Time:
    5:58 AM
    So I got a backupsy server to backup my data.
    When i setup a password-less ssh login from the backupsy server to the main server using this command
    sudo ssh-copy-id -i /root/.ssh/

    Somehow I messed up the step where I enter the password for the main server. As a result, I can no loger ping the main server from backupsy and I can't ping the backupsy IP from the main server.

    It looks like they both block each other IP. I search on the main server for the IP of the backupsy but nothing comes up

    csf -g xxx.ip.of.backupsy
    grep xxx.ip.of.backupsy /var/log/lfd.log


    Any idea where else can i check?
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    7:58 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    how did you mess up ? error messages ? specifics :)

    so you were able to ping both servers respectively before ?

    did you change SSHD ports anytime between the process for either or both servers ?

    grep /var/log/messages for your server's IP addresses on both servers see if they are in fact blocked

    see csf help file
    csf -h
    csf: v8.03 (generic)
    csf(1)                                                                  csf(1)
           csf - ConfigServer & Security Firewall
           csf [OPTIONS]
           This manual documents the csf command line options for the ConfigServer
           & Security Firewall. See /etc/csf/csf.conf and /etc/csf/readme.txt  for
           more detailed information on how to use and configure this application.
           -h,  --help
                  Show this message
           -l,  --status
                  List/Show the IPv4 iptables configuration
           -l6, --status6
                  List/Show the IPv6 ip6tables configuration
           -s,  --start
                  Start the firewall rules
           -f,  --stop
                  Flush/Stop firewall rules (Note: lfd may restart csf)
           -r,  --restart
                  Restart firewall rules (csf)
           -q,  --startq
                  Quick restart (csf restarted by lfd)
           -sf, --startf
                  Force CLI restart regardless of LFDSTART setting
           -ra, --restartall
                  Restart firewall rules (csf) and then restart lfd  daemon.  Both
                  csf and then lfd should be restarted after making any changes to
                  the configuration files
           --lfd [stop|start|restart|status]
                  Actions to take with the lfd daemon
           -a,  --add ip [comment]
                  Allow an IP and add to /etc/csf/csf.allow
           -ar, --addrm ip
                  Remove an IP from /etc/csf/csf.allow and delete rule
           -d,  --deny ip [comment]
                  Deny an IP and add to /etc/csf/csf.deny
           -dr, --denyrm ip
                  Unblock an IP and remove from /etc/csf/csf.deny
           -df, --denyf
                  Remove and unblock all entries in /etc/csf/csf.deny
           -g,  --grep ip
                  Search the iptables and ip6tables rules for a  match  (e.g.  IP,
                  CIDR, Port Number)
           -i,  --iplookup ip
                  Lookup IP address geographical information using CC_LOOKUPS set-
                  ting in /etc/csf/csf.conf
           -t,  --temp
                  Displays the current list of temporary allow and deny IP entries
                  with their TTL and comment
           -tr, --temprm ip
                  Remove an IP from the temporary IP ban or allow list
           -td, --tempdeny ip ttl [-p port] [-d direction] [comment]
                  Add an IP to the temp IP ban list. ttl is how long to blocks for
                  (default:seconds, can use one suffix of h/m/d).  Optional  port.
                  Optional  direction  of  block  can  be one of: in, out or inout
           -ta, --tempallow ip ttl [-p port] [-d direction] [comment]
                  Add an IP to the temp IP allow list (default:inout)
           -tf, --tempf
                  Flush all IPs from the temporary IP entries
           -cp, --cping
                  PING all members in an lfd Cluster
           -cd, --cdeny ip
                  Deny an IP in a Cluster and add to /etc/csf/csf.deny
           -ca, --callow ip
                  Allow an IP in a Cluster and add to /etc/csf/csf.allow
           -car, --carm ip
                  Remove   allowed   IP   in   a   Cluster   and    remove    from
           -cr, --crm ip
                  Unblock an IP in a Cluster and remove from /etc/csf/csf.deny
           -cc, --cconfig [name] [value]
                  Change configuration option [name] to [value] in a Cluster
           -cf, --cfile [file]
                  Send [file] in a Cluster to /etc/csf/
           -crs, --crestart
                  Cluster restart csf and lfd
           -w,  --watch ip
                  Log SYN packets for an IP across iptables chains
           -m,  --mail [email]
                  Display Server Check in HTML or email to [email] if present
           -lr, --logrun
                  Initiate Log Scanner report via lfd
           -p, --ports
                  View ports on the server that have a running process behind them
                  listening for external connections
           --graphs [graph type] [directory]
                  Generate System Statistics html pages and  images  for  a  given
                  graph  type  into  a given directory. See ST_SYSTEM for require-
           --profile [command] [profile|backup] [profile|backup]
                  Configuration profile functions for /etc/csf/csf.conf
                  You can create your own profiles using the examples provided  in
                  The  profile  reset_to_defaults.conf  is a special case and will
                  always be the latest default csf.conf
                  Lists available profiles and backups
                  apply [profile]
                  Modify csf.conf with Configuration Profile
                  backup "name"
                  Create Configuration  Backup  with  optional  "name"  stored  in
                  restore [backup]
                  Restore a Configuration Backup
                  keep [num]
                  Remove old Configuration Backups and keep the latest [num]
                  diff [profile|backup] [profile|backup]
                  Report  differences between Configuration Profiles or Configura-
                  tion Backups, only specify one [profile|backup]  to  compare  to
                  the current Configuration
           -c,  --check
                  Check for updates to csf but do not upgrade
           -u,  --update
                  Check for updates to csf and upgrade if available
           -uf    Force an update of csf whether and upgrade is required or not
           -x,  --disable
                  Disable csf and lfd completely
           -e,  --enable
                  Enable csf and lfd if previously disabled
           -v,  --version
                  Show csf version
    try these

           -dr, --denyrm ip
                  Unblock an IP and remove from /etc/csf/csf.deny
           -tr, --temprm ip
                  Remove an IP from the temporary IP ban or allow list
    csf -dr IP
    csf -tr IP