ConfigServer Security & Firewall

pkirman

Registered
Hi, just wanting to know if anyone has any ideas, as from what I can find loads of people have this problem.

Basically, I have installed ConfigServer Security & Firewall on CentOS/cPanel. It's a new install and there is no website or anything on it, but I now can't use PuTTY to get onto the server.

Even if I stop the firewall it doesn't work

Help

Thanks

Paul
 

pkirman

Registered
Firewall

Well, it was working before I installed the software, so I think it is.

I can try taking it off and trying again.

The reason I say that is, if you look for the problem on Google there are loads of forums etc. where people have the same problem as I do, but no one had an answer on how to fix it.

If I can help by sending any more info, people, let me know.

Thanks

Paul
 

DReade83

Well-Known Member
I've done a full CentOS 5, cPanel 11 and CSF 2.85 install this evening, using a non-standard SSH port.

Have you tried restarting the SSH service?
 

mctDarren

Well-Known Member
CSF is just a front end for iptables. If you use a non-standard port for SSH this might be why iptables would be blocking you. For example: you have SSH set up for port 4000 and you add that port to the CSF conf file. When you start CSF it adds a rule to iptables that opens port 4000. But if it's not in the conf file, CSF closes port 4000 (and any port not in the conf file for that matter) in iptables.

Now here's the bad part. If you change the SSH port, but never add that port to the CSF conf file, CSF will still tell iptables to block that port. Essentially locking you out of the server via SSH, since SSH is now listening on port 4000, but iptables is blocking it!

If this is what happened, you can ask the DC to change SSH back to port 22 or you can use WHM to change the setup for CSF to allow that port and restart CSF (essentially resetting all the iptables rules) and that will work too.

GL!

(PS - this post can also be read as "what verdon said....")
 

enet

Member
I did the same thing after everything was installed. I use ZOC and blocked my IP. I just had to go into ConfigServer Security & Firewall settings (Firewall Allow IPs) and set my IP from my desktop to be allowed. After that, no trouble accessing the server :D
 

chirpy

Well-Known Member
Verified Vendor
> The reason I say that is, if you look for the problem on Google there are loads of forums etc. where people have the same problem as I do, but no one had an answer on how to fix it.

I've not had a single report of any such issue, especially since CSF checks /etc/ssh/sshd_config for the port that you have set for SSHD and defaults to 22 if not set. To investigate further you would need to check your /var/log/messages for kernel messages regarding the block (or /var/log/lfd.log if you've got yourself blocked).
 

chirpy

Well-Known Member
Verified Vendor
> What happens if you ban your IP from your server to test it, how do you get back in your server?

That's what the TESTING mode is for when you first install csf. It creates a cron job that flushes iptables after up to 5 minutes so that you can get back into your server. You then disable that setting to keep running.
 

Frimon86

BANNED
> That's what the TESTING mode is for when you first install csf. It creates a cron job that flushes iptables after up to 5 minutes so that you can get back into your server. You then disable that setting to keep running.

Ohhhhhhhhhhh I see! :eek: Thanks for the info, sir. So when an IP is banned, are they not able to view any sites you host or just not able to log in?
 

meeven

Well-Known Member
> Is it possible you are using a non-standard port for ssh and haven't set it in CSF's conf?

As pointed out by others, CSF auto-configures SSH on a non-standard port during install.

It's more likely the OP locked himself out through repeated login failures. The only way then is to ask the hosting company to unblock the IP from csf.deny (I think). If it is a client that has been locked out, it is easy to unblock their IP by logging into WHM, and removing their IP from the Firewall Deny IPs file in the CSF Firewall configuration screen at WHM>>Addons
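
The two lockout causes raised in this thread (the SSH port missing from the CSF conf file, and the client IP sitting in csf.deny) can be told apart from copies of three files. The script below is an added example, not part of the thread or of CSF itself; it assumes the open inbound ports are held in csf.conf's `TCP_IN` setting, and the sample files and addresses are constructed.

```shell
#!/bin/sh
# Added example: offline triage of an SSH lockout behind CSF.
# File paths are arguments, so it runs against copies of the files.

# Port sshd listens on: first uncommented "Port N" line, else 22.
ssh_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# Succeeds if port $2 is covered by TCP_IN in csf.conf $1 (assumed
# format: comma-separated ports, ranges written low:high).
port_in_tcp_in() {
    list=$(sed -n 's/^TCP_IN *= *"\(.*\)".*/\1/p' "$1")
    for entry in $(echo "$list" | tr ',' ' '); do
        case "$entry" in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0 ;;
            *)   [ "$entry" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# Succeeds if IP $2 has a plain single-address line in csf.deny $1.
ip_denied() {
    awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }' "$1"
}

# Args: sshd_config csf.conf csf.deny client_ip
# Prints port-closed, ip-denied or ok.
lockout_reason() {
    port=$(ssh_port "$1")
    if ! port_in_tcp_in "$2" "$port"; then echo "port-closed"; return; fi
    if ip_denied "$3" "$4"; then echo "ip-denied"; return; fi
    echo "ok"
}

# Constructed sample files (not from the thread): sshd was moved to
# port 4000, but the port was never added to TCP_IN.
d=$(mktemp -d)
printf '#Port 22\nPort 4000\n' > "$d/sshd_config"
printf 'TCP_IN = "20,21,22,25,53,80,443,30000:35000"\n' > "$d/csf.conf"
printf '203.0.113.7 # constructed deny entry\n' > "$d/csf.deny"
lockout_reason "$d/sshd_config" "$d/csf.conf" "$d/csf.deny" 203.0.113.7
```

The port check runs first because a closed port locks out every client, while a csf.deny entry only affects the listed address.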
 

verdon

Well-Known Member
> As pointed out by others, CSF auto-configures SSH on a non-standard port during install.

I've been using it so long I forgot that. Some of the very earliest beta versions didn't. It might also be possible that the OP removed their port from the config, not realizing what and why it was there. It would be nice to hear if there was a resolution for the OP.
 

brianoz

Well-Known Member
> As pointed out by others, CSF auto-configures SSH on a non-standard port during install.
>
> It's more likely the OP locked himself out through repeated login failures. The only way then is to ask the hosting company to unblock the IP from csf.deny (I think). If it is a client that has been locked out, it is easy to unblock their IP by logging into WHM, and removing their IP from the Firewall Deny IPs file in the CSF Firewall configuration screen at WHM>>Addons

Actually, if that was the cause, the easiest fix is to get yourself a new IP (either by using someone else's internet connection etc.) and then remove the blocked IP from CSF either through ssh or via the WHM interface. No need to ask your DC for help for something as simple as this.

In some countries if you have a dynamic IP it's enough to reset your ADSL connection (by rebooting your modem) which will then allocate you a new IP. This usually doesn't work for cable connections.