ConfigServer Security & Firewall

[pkirman]

Hi just wanting to know if anyone has any ideas, as from what I can find loads of people have this problem.

Basically I have installed ConfigServer Security & Firewall on CentOS/Cpanel its a new install and there is no website or anything on it, but I now cant use putty to get onto the server.

Even if I stop the firewall it doesn't work

Help

Thanks

Paul

 

[verdon]

This doesn't sound like it has anything to do with CSF. What makes you think it does, or that loads of CSF users have this problem?

 

[pkirman]

Firewall

well, it was working before I installed the software so I think it is.

I can try taking it off and trying again.

The reason I say that is, if you look for the problem on google there is loads of forums ect where people have the same problem as I do, but no one had a answer on how to fix it.

if I can help by sending any more info people let me know

Thanks

Paul

 

[verdon]

Is it possible you are using a non-standard port for ssh and haven't set it in CSF's conf?

BTW... CSF has it's own forums and you may get more knowledgeable help there.

 

[DReade83]

I've done a full CentOS 5, cPanel 11 and CSF 2.85 install this evening, using a non-standard SSH port.

Have you tried restarting the SSH service?

 

[mctDarren]

CSF is just a front end for iptables. If you use a non standard port for SSH this might be why iptables would be blocking you. For example: you have SSH set up for port 4000 and you add that port to the CSF conf file. When you start CSF it adds a rule to iptables that opens port 4000. But if it's not in the conf file, CSF closes port 4000 (and any port not in the conf file for that matter) in iptables.

Now here's the bad part. If you change the SSH port, but never add that port to the CSF conf file- CSF will still tell iptables to block that port. Essentially locking you out of the server via SSH since SSH is now listening on port 4000, but iptables is blocking it!

If this is what happened, you can ask the DC to change SSH back to port 22 or you can use WHM to change the setup for CSF to allow that port and restart CSF (essentially resetting all the iptables rules) and that will work too.

GL!

(PS - this post can also be read as "what verdon said....")

 

[enet]

I did the same thing after everything was installed. I use ZOC and blocked my Ip. I just had to go into ConfigServer Security&Firewall settings (Firewall Allow IPs) and set my IP from my desktop to be allowed. After that, no trouble accessing the server :D

 

[chirpy]

The reason I say that is, if you look for the problem on google there is loads of forums ect where people have the same problem as I do, but no one had a answer on how to fix it.

I've not had a single report of any such issue, especially since CSF checks /etc/ssh/sshd_config for the port that you have set for SSHD and defaults to 22 if not set. To investigate further you would need to check your /var/log/messages for kernel messages regarding the block (or /var/log/lfd.log if you've got yourself blocked)

 

[chirpy]

What happens if you ban your ip from your server to test it, how do you get back in your server?

That's what the TESTING mode is for when you first install csf. It creates a cron job that flushes iptables after up to 5 minutes so that you can get back into your server. You then disable that setting to keep running.

 

[Frimon86]

That's what the TESTING mode is for when you first install csf. It creates a cron job that flushes iptables after up to 5 minutes so that you can get back into your server. You then disable that setting to keep running.

Ohhhhhhhhhhh i see! thanks for the info sir. So when an ip is banned are they not able to view any sites you host or just not able to login?

 

[verdon]

Ohhhhhhhhhhh i see! thanks for the info sir. So when an ip is banned are they not able to view any sites you host or just not able to login?

No access to the server at all, no sites, no mail, no login, nothing.

 

[Nhojohl]

They won't be able to view any web site on your server, or even ping it...

 

[meeven]

Is it possible you are using a non-standard port for ssh and haven't set it in CSF's conf?

As pointed out by others, CSF auto-configures SSH on a non-standard port during install.

It's more likely the OP locked himself out through repeated login failures. The only way then is to ask the hosting company to unblock the IP from csf.deny (I think). If it is a client that has been locked out, it is easy to unblock their IP by logging into WHM, and removing their IP from the Firewall Deny IPs file in the CSF Firewall configuration screen at WHM>>Addons

 

[verdon]

As pointed out by others, CSF auto-configures SSH on a non-standard port during install.

I've been using it so long I forgot that. Some of the very earliest beta versions didn't. It might also be possible that the OP removed their port from the config, not realizing what and why it was there. It would be nice to hear if there was a resolution for the OP.

 

[php-empire]

install on Freebsd 6.2 ?

i love config server , but not install on free bsd please help me

 

[wefrank]

i love config server , but not install on free bsd please help me

Please visit http://forum.configserver.com/index.php
That forum is the Config Server forum, and your issue should be discussed there, rather than in the cPanel forum.
Hope this helps

 

[brianoz]

As pointed out by others, CSF auto-configures SSH on a non-standard port during install.

It's more likely the OP locked himself out through repeated login failures. The only way then is to ask the hosting company to unblock the IP from csf.deny (I think). If it is a client that has been locked out, it is easy to unblock their IP by logging into WHM, and removing their IP from the Firewall Deny IPs file in the CSF Firewall configuration screen at WHM>>Addons

Actually, if that was the cause, the easiest fix is to get yourself a new IP either (by using someone else's internet connection etc) and then remove the blocked IP from CSF either through ssh or via the WHM interface. No need to ask your DC for help for something as simple as this.

In some countries if you have a dynamic IP it's enough to reset your ADSL connection (by rebooting your modem) which will then allocate you a new IP. This usually doesn't work for cable connections.

 

[chirpy]

i love config server , but not install on free bsd please help me

csf is an iptables configuration script. FreeBSD doesn't use iptables, it uses a different application, so csf won't ever work with it.