Get the most out of your Centmin Mod LEMP stack
Become a Member

Getting firewall *tcp_in blocked*

Discussion in 'Other Centmin Mod Installed software' started by quicksalad, Jun 4, 2015.

  1. quicksalad

    quicksalad Member

    159
    9
    18
    May 31, 2015
    Ratings:
    +13
    Local Time:
    7:11 PM
    Please advise why I get this error? Couldn't access ftp and my server ip as well.
     
  2. eva2000

    eva2000 Administrator Staff Member

    29,008
    6,580
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,770
    Local Time:
    11:41 PM
    Nginx 1.13.x
    MariaDB 5.5
    CSF firewall related CSF - CSF Firewall info | Centmin Mod Community and CSF Firewall - Centmin Mod - Menu based Nginx installer for CentOS servers

    more info might be helpful
    1. What version of Centmin Mod ? .07 stable or .08 beta ? If .08 beta when was it installed and when was last time you updated the .08 beta code (there's constant updates to the code).
    2. What's your VPS/Server hardware specifications ? Xen/KVM/OpenVZ ? cpu type ? memory available ? disk space ? OS and version ? i.e. CentOS 6.6 or 7.1 ?
    3. Who's your web host ?
    4. Your ISP ip address static/dynamic ?
    5. What were you doing connection wise to your server leading up to the blockage ?
     
  3. eva2000

    eva2000 Administrator Staff Member

    29,008
    6,580
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,770
    Local Time:
    11:41 PM
    Nginx 1.13.x
    MariaDB 5.5
  4. quicksalad

    quicksalad Member

    159
    9
    18
    May 31, 2015
    Ratings:
    +13
    Local Time:
    7:11 PM
    1. .07 stable
    2. 1GB RAM - 30GB SSD (where can I see that info?) OS CentOS 6.6
    3.DigitalOcean
    4.Dynamic
    5.I'm connected on FTP, and putty.. browsing directory, then suddenly it stops.
     
  5. eva2000

    eva2000 Administrator Staff Member

    29,008
    6,580
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,770
    Local Time:
    11:41 PM
    Nginx 1.13.x
    MariaDB 5.5
    Can you access SSH via DigitalOcean VNC Console ? If you can, check if you ips are blocked using csf -g grep command
    Code:
    csf -g YOURIPADDRESS
    commands you can see for csf via
    Code:
    csf -h
    whitelist your ISP range of ips if you know the range
    Code:
    csf -a IPADDRESSORRANGE
    remove temp and permanent blocks from csf
    Code:
    csf -tr IPADDRESS
    csf -dr IPADDRESS
    also check CSF /var/log/lfd.log for clues
    Code:
    tail -50 /var/log/lfd.log
    If you're on dynamic ip, you may need additional steps CSF Firewall as per Getting Started Guide step 4
     
    Last edited: Jun 4, 2015
  6. quicksalad

    quicksalad Member

    159
    9
    18
    May 31, 2015
    Ratings:
    +13
    Local Time:
    7:11 PM
    very active firewall :), why was block triggered? I switched to static, and whitelisted my dynamic, dunno the range but using commands above says no matches records on my last acquired dynamic ip.
     
  7. eva2000

    eva2000 Administrator Staff Member

    29,008
    6,580
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,770
    Local Time:
    11:41 PM
    Nginx 1.13.x
    MariaDB 5.5
    yeah you'd need to investigate further with the logs and csf/lfd logs

    another log is /var/log/messages you can grep it for your ips
    Code:
    grep IPADDRESS /var/log/messages
     
    • Informative Informative x 1
  8. quicksalad

    quicksalad Member

    159
    9
    18
    May 31, 2015
    Ratings:
    +13
    Local Time:
    7:11 PM
    Code:
    Jun  4 11:52:31 fast lfd[22807]: (sshd) Failed SSH login from 117.xxx.42.246 (IN                                                                                                                     /India/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    Jun  4 12:04:11 fast lfd[22725]: (sshd) Failed SSH login from 61.xx.220.124 (KR/                                                                                                                     Korea, Republic of/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    
    see result after firing above command please advise? thanks
     
  9. eva2000

    eva2000 Administrator Staff Member

    29,008
    6,580
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,770
    Local Time:
    11:41 PM
    Nginx 1.13.x
    MariaDB 5.5
    that's normal CSF lfd blocks failed SSH log in attempts after so many attempts.. unless those ips are you ip address then you don't need to worry about that
     
    • Informative Informative x 1
  10. quicksalad

    quicksalad Member

    159
    9
    18
    May 31, 2015
    Ratings:
    +13
    Local Time:
    7:11 PM
    above is not my IP address, seeing russia IP also in same format response.
     
  11. quicksalad

    quicksalad Member

    159
    9
    18
    May 31, 2015
    Ratings:
    +13
    Local Time:
    7:11 PM
    Code:
     10:58:10 fast lfd[3426]: 90.xxx.xxx.247 (RU/Russian Federation/247.122-157-90.telenet.ru), 5 distributed sshd attacks on account [admin] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
    see above for reference..