Welcome to Centmin Mod Community
Register Now

Firewall CSF issue

Discussion in 'System Administration' started by Andy, Aug 7, 2015.

  1. Andy

    Andy Premium Member Premium Member

    Aug 6, 2014
    Local Time:
    9:26 PM
    So I got a backupsy server to backup my data.
    When i setup a password-less ssh login from the backupsy server to the main server using this command
    sudo ssh-copy-id -i /root/.ssh/id_rsa.pub root@mainserver.com

    Somehow I messed up the step where I enter the password for the main server. As a result, I can no loger ping the main server from backupsy and I can't ping the backupsy IP from the main server.

    It looks like they both block each other IP. I search on the main server for the IP of the backupsy but nothing comes up

    csf -g xxx.ip.of.backupsy
    grep xxx.ip.of.backupsy /var/log/lfd.log


    Any idea where else can i check?
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    11:26 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    how did you mess up ? error messages ? specifics :)

    so you were able to ping both servers respectively before ?

    did you change SSHD ports anytime between the process for either or both servers ?

    grep /var/log/messages for your server's IP addresses on both servers see if they are in fact blocked

    see csf help file
    csf -h
    csf: v8.03 (generic)
    csf(1)                                                                  csf(1)
           csf - ConfigServer & Security Firewall
           csf [OPTIONS]
           This manual documents the csf command line options for the ConfigServer
           & Security Firewall. See /etc/csf/csf.conf and /etc/csf/readme.txt  for
           more detailed information on how to use and configure this application.
           -h,  --help
                  Show this message
           -l,  --status
                  List/Show the IPv4 iptables configuration
           -l6, --status6
                  List/Show the IPv6 ip6tables configuration
           -s,  --start
                  Start the firewall rules
           -f,  --stop
                  Flush/Stop firewall rules (Note: lfd may restart csf)
           -r,  --restart
                  Restart firewall rules (csf)
           -q,  --startq
                  Quick restart (csf restarted by lfd)
           -sf, --startf
                  Force CLI restart regardless of LFDSTART setting
           -ra, --restartall
                  Restart firewall rules (csf) and then restart lfd  daemon.  Both
                  csf and then lfd should be restarted after making any changes to
                  the configuration files
           --lfd [stop|start|restart|status]
                  Actions to take with the lfd daemon
           -a,  --add ip [comment]
                  Allow an IP and add to /etc/csf/csf.allow
           -ar, --addrm ip
                  Remove an IP from /etc/csf/csf.allow and delete rule
           -d,  --deny ip [comment]
                  Deny an IP and add to /etc/csf/csf.deny
           -dr, --denyrm ip
                  Unblock an IP and remove from /etc/csf/csf.deny
           -df, --denyf
                  Remove and unblock all entries in /etc/csf/csf.deny
           -g,  --grep ip
                  Search the iptables and ip6tables rules for a  match  (e.g.  IP,
                  CIDR, Port Number)
           -i,  --iplookup ip
                  Lookup IP address geographical information using CC_LOOKUPS set-
                  ting in /etc/csf/csf.conf
           -t,  --temp
                  Displays the current list of temporary allow and deny IP entries
                  with their TTL and comment
           -tr, --temprm ip
                  Remove an IP from the temporary IP ban or allow list
           -td, --tempdeny ip ttl [-p port] [-d direction] [comment]
                  Add an IP to the temp IP ban list. ttl is how long to blocks for
                  (default:seconds, can use one suffix of h/m/d).  Optional  port.
                  Optional  direction  of  block  can  be one of: in, out or inout
           -ta, --tempallow ip ttl [-p port] [-d direction] [comment]
                  Add an IP to the temp IP allow list (default:inout)
           -tf, --tempf
                  Flush all IPs from the temporary IP entries
           -cp, --cping
                  PING all members in an lfd Cluster
           -cd, --cdeny ip
                  Deny an IP in a Cluster and add to /etc/csf/csf.deny
           -ca, --callow ip
                  Allow an IP in a Cluster and add to /etc/csf/csf.allow
           -car, --carm ip
                  Remove   allowed   IP   in   a   Cluster   and    remove    from
           -cr, --crm ip
                  Unblock an IP in a Cluster and remove from /etc/csf/csf.deny
           -cc, --cconfig [name] [value]
                  Change configuration option [name] to [value] in a Cluster
           -cf, --cfile [file]
                  Send [file] in a Cluster to /etc/csf/
           -crs, --crestart
                  Cluster restart csf and lfd
           -w,  --watch ip
                  Log SYN packets for an IP across iptables chains
           -m,  --mail [email]
                  Display Server Check in HTML or email to [email] if present
           -lr, --logrun
                  Initiate Log Scanner report via lfd
           -p, --ports
                  View ports on the server that have a running process behind them
                  listening for external connections
           --graphs [graph type] [directory]
                  Generate System Statistics html pages and  images  for  a  given
                  graph  type  into  a given directory. See ST_SYSTEM for require-
           --profile [command] [profile|backup] [profile|backup]
                  Configuration profile functions for /etc/csf/csf.conf
                  You can create your own profiles using the examples provided  in
                  The  profile  reset_to_defaults.conf  is a special case and will
                  always be the latest default csf.conf
                  Lists available profiles and backups
                  apply [profile]
                  Modify csf.conf with Configuration Profile
                  backup "name"
                  Create Configuration  Backup  with  optional  "name"  stored  in
                  restore [backup]
                  Restore a Configuration Backup
                  keep [num]
                  Remove old Configuration Backups and keep the latest [num]
                  diff [profile|backup] [profile|backup]
                  Report  differences between Configuration Profiles or Configura-
                  tion Backups, only specify one [profile|backup]  to  compare  to
                  the current Configuration
           -c,  --check
                  Check for updates to csf but do not upgrade
           -u,  --update
                  Check for updates to csf and upgrade if available
           -uf    Force an update of csf whether and upgrade is required or not
           -x,  --disable
                  Disable csf and lfd completely
           -e,  --enable
                  Enable csf and lfd if previously disabled
           -v,  --version
                  Show csf version
    try these

           -dr, --denyrm ip
                  Unblock an IP and remove from /etc/csf/csf.deny
           -tr, --temprm ip
                  Remove an IP from the temporary IP ban or allow list
    csf -dr IP
    csf -tr IP