The Community Forums


CSF problem

Discussion in 'Workarounds and Optimization' started by Zion Ahead, May 10, 2010.

  1. Zion Ahead

    Zion Ahead Well-Known Member

    Joined:
    Nov 10, 2006
    Messages:
    347
    Likes Received:
    0
    Trophy Points:
    16
    Told by cPanel tech:

    It appears your firewall is blocking port 80, for example, on this IP:

    user@host:~$ telnet xxx.xxx.47.40 80
    Trying xxx.xxx.47.40...
    telnet: Unable to connect to remote host: No route to host


    The client is using CSF and 80 is open.

    /etc/csf/csf.conf


    # Allow incoming TCP ports
    TCP_IN = "20,21,2382,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,30000:50000"

    # Allow outgoing TCP ports
    TCP_OUT = "20,21,2382,25,37,43,53,80,110,113,443,587,873,2087,2089,2703,30000:50000"

    # Allow incoming UDP ports
    UDP_IN = "20,21,53,30000:50000"

    # Allow outgoing UDP ports
    # To allow outgoing traceroute add 33434:33523 to this list
    UDP_OUT = "20,21,53,113,123,873,6277,30000:50000"


    ***

    xxx.xxx.47.36 - worked
    xxx.xxx.47.37 - worked
    xxx.xxx.47.38 - worked
    xxx.xxx.47.39 - failed on port 80 and port 443
    xxx.xxx.47.40 - 46 - failed: no route to host


    Trying xxx.xxx.47.40...
    telnet: connect to address xxx.xxx.47.40: No route to host
    [root@vps]-[/var/cpanel]#telnet xxx.xxx.47.40 80
    Trying xxx.xxx.47.40...
    telnet: connect to address xxx.xxx.47.40: No route to host
    [root@vps]-[/var/cpanel]#telnet xxx.xxx.47.41 80
    Trying xxx.xxx.47.41...
    telnet: connect to address xxx.xxx.47.41: No route to host
    [root@vps]-[/var/cpanel]#telnet xxx.xxx.47.42 80
    Trying xxx.xxx.47.42...
    telnet: connect to address xxx.xxx.47.42: No route to host
    [root@vps]-[/var/cpanel]#telnet xxx.xxx.47.43 80
    Trying xxx.xxx.47.43...
    telnet: connect to address xxx.xxx.47.43: No route to host
    [root@vps]-[/var/cpanel]#telnet xxx.xxx.47.44 80
    Trying xxx.xxx.47.44...
    telnet: connect to address xxx.xxx.47.44: No route to host
    [root@vps]-[/var/cpanel]#telnet xxx.xxx.47.45 80
    Trying xxx.xxx.47.45...
    telnet: connect to address xxx.xxx.47.45: No route to host
    [root@vps]-[/var/cpanel]#telnet xxx.xxx.47.46 80
    Trying xxx.xxx.47.46...
     
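An added example, not code from the post or from CSF: it reads the TCP_IN/UDP_IN lists exactly as quoted above out of csf.conf text, answers "is port 80 actually listed", and then classifies a TCP connect the way the telnet transcript needs to be read. "No route to host" is errno EHOSTUNREACH: either the local routing table or ARP cannot reach that address, or something on the path answered with ICMP host-unreachable (for iptables that takes an explicit `REJECT --reject-with icmp-host-unreachable`; the default REJECT and a closed port both show up as "connection refused", and DROP shows up as a timeout). The csf.conf excerpt is copied from the thread; the loopback host and port in demo_local() are constructed so the block runs offline.

```python
"""Port-list check against csf.conf plus a TCP connect classifier.

Added example for this thread, not code from the original post or from CSF.
The csf.conf excerpt is copied from the first post; the host/port values in
demo_local() are constructed so the block runs offline.
"""
import errno
import re
import socket

# Constructed sample: the TCP_IN / UDP_IN lines as posted in the thread.
CSF_CONF = '''
# Allow incoming TCP ports
TCP_IN = "20,21,2382,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,30000:50000"

# Allow incoming UDP ports
UDP_IN = "20,21,53,30000:50000"
'''


def parse_port_list(spec):
    """Expand CSF's comma list ("80,443,30000:50000") into (low, high) tuples."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:                      # CSF writes ranges as low:high
            low, high = item.split(":", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def csf_setting(conf_text, name):
    """Return the quoted value of a csf.conf setting; '#' comment lines never match."""
    pattern = r'^\s*%s\s*=\s*"([^"]*)"' % re.escape(name)
    match = re.search(pattern, conf_text, re.MULTILINE)
    if match is None:
        raise KeyError("%s not set in csf.conf" % name)
    return match.group(1)


def port_allowed(conf_text, setting, port):
    """True if `port` falls inside any entry of the given list (e.g. TCP_IN)."""
    return any(low <= port <= high
               for low, high in parse_port_list(csf_setting(conf_text, setting)))


def classify_connect(host, port, timeout=3.0):
    """TCP connect and map the outcome to what it tells you about the path.

    open     - handshake completed, nothing on the path blocks this port
    refused  - host reached but nothing listening, or a REJECT that answers
               with TCP reset / ICMP port-unreachable (the iptables default)
    no_route - errno EHOSTUNREACH, printed by telnet as "No route to host":
               local routing/ARP cannot reach the address, or a firewall
               answered with ICMP host-unreachable
    timeout  - no answer at all, typical of DROP rules
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        if exc.errno == errno.EHOSTUNREACH:
            return "no_route"
        return "error:%s" % (exc.strerror or exc.errno)
    finally:
        sock.close()


def demo_local():
    """Run the classifier offline: a throwaway listener on 127.0.0.1 gives
    'open'; the same port after the listener is closed gives 'refused'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # constructed: any free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = classify_connect("127.0.0.1", port)
    listener.close()
    after_close = classify_connect("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    for p in (80, 443, 22, 40000):
        print("TCP_IN allows %5d: %s" % (p, port_allowed(CSF_CONF, "TCP_IN", p)))
    print("local demo:", demo_local())
```

Reading the transcript with this mapping: a whole run of addresses (.40 to .46) returning no_route while neighbouring addresses on the same machine answer normally usually points at the addresses not being configured or routed on the host, not at a port rule, because a port rule would affect the port, not the address. Whatever TCP_IN says, confirm against the rules that are actually loaded (`iptables -L -n -v`, or `csf -g <ip>` to grep CSF's tables for a specific address) and against `ip addr` for the addresses that fail.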
  2. Spiral

    Spiral BANNED

    First, you can't tell if any port is blocked by using "telnet" since that is
    now disabled by default on CentOS and Redhat systems so you will get
    the "unable to connect to remote host" no matter what you try to connect to.

    Second, what you posted of your CSF config tells me that
    whatever issue you are having here, it's probably not CSF related.

    I have a pretty good idea what your real issue is and what you need to
    do to fix it but before I tell you that, first tell me what prompted you to
    think you have a problem. What is not working? What is it that
    prompted you to contact support in the first place?
     
  3. support@exa.com

    CSF IP block issue

    Hello Team,

    I have CSF installed on our VPS.
    In order to allow only AU and IN to access the server, I am adding the entire range under csf.allow. So is there anything I can do to increase the number of blocked IPs under csf.deny? It will only block 1000 IPs, and after that any new IP is blocked by removing the very first IPs from the deny file.

    Is there any way I can increase it?
    Also, currently my security level is set to Low. Should I increase it to Medium or High in order to increase the number of IPs blocked?

    Also, I know that we have CC_ALLOW where we can just provide the codes as "AU and IN" and so on, but I still get a login prompt for other countries. Shouldn't it be that only the allowed countries get the login prompt, and the others don't get any prompt and any incoming request from them is blocked?


    Regards,
    MihirJ
     
  4. Spiral

    Spiral BANNED

    What you are trying to do is a very bad idea and not recommended ....

    Blocking countries at the firewall level requires an enormous number of CIDR ranges and would use substantial memory and processing resources and also negatively impact the performance of your computer, and, since you mention that you have a "VPS", that likely amounts to you completely killing your server entirely in the process.

    CSF does have limited GEOIP support but what it does in that instance is extracts the CIDR ranges and enters those into the firewall for you just the same as if you had entered the IP ranges yourself --- just a shortcut.

    (Thus using the country code features in CSF is also not recommended)

    If you want to control access by country then the best way to do that is to install the GEOIP "C Library" from Maxmind on your server along with an interface for it such as the Apache or PHP modules. This would give every script and program on your server access to geo-location information for all visitors without the need to worry about IP addresses or CIDR ranges, and doesn't bog down your computer with enormously long and somewhat meaningless blocking lists.

    Once this is setup, you will have access to a new set of variables:

    GEOIP_COUNTRY_CODE
    GEOIP_CONTINENT_CODE

    These variables will contain the location of the visitor in a 2 digit code format and all your scripts and programs have access to this plus you can use this information in .htaccess for blocking or access literally by country or continent name instead of using IP or CIDR ranges.

    If you need help setting up GEOIP on your server, I would be more than glad to give you a helping hand with that on request but this is definitely the way you want to go about doing what it is you described doing.
     
  5. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    look at here

    Sorry, by mistake.
     
    #5 crazyaboutlinux, May 22, 2010
    Last edited: May 22, 2010
  6. support@exa.com

    Hello Spiral,

    Thanks for your suggestion. I'll definitely go with your suggestion and will get into it. If I'm stuck anywhere, I'll let you know. Thanks for the help. :)

    Regards,
    MJ
     
  7. Spiral

    Spiral BANNED

    It's very simple and fairly straightforward, and here are the instructions ....

    First, you will need the C library for GEOIP installed:
    Code:
    # cd /usr/local/src
    # wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP.tar.gz
    # tar zxvf ./GeoIP.tar.gz
    # cd GeoIP-*
    # ./configure
    # make
    # make install
    
    Next you will need the Apache module for GEOIP installed:
    Code:
    # cd /usr/local/src
    # wget http://geolite.maxmind.com/download/geoip/api/mod_geoip2/mod_geoip2_1.2.5.tar.gz
    # tar zxvf ./mod_geoip2_1.2.5.tar.gz
    # cd ./mod_geoip2_1.2.5
    # apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c
    
    Now edit your /usr/local/apache/conf/httpd.conf file and remove the following line towards the top of the file:
    Code:
    LoadModule geoip_module       modules/mod_geoip.so
    
    Next add the following to your /usr/local/apache/conf/include/pre_main_global.conf file:
    Code:
    LoadModule geoip_module       modules/mod_geoip.so
    
    <IfModule mod_geoip.c>
        GeoIPEnable  On
        GeoIPDBFile  /usr/local/share/GeoIP/GeoIP.dat
    </IfModule>
    
    You will want to update with the latest GEOIP database and also keep your database updated and can do that like this:
    Code:
    # cd /etc/cron.monthly
    # wget -nc -T20 http://www.myserverexpert.com/build/cron/maxmind
    # chmod 0700 ./maxmind
    # ./maxmind
    
    (This will update your GEOIP database and automatically keep it updated as well)

    Now all you have left to do is simply restart your Apache server:
    Code:
    # service httpd restart
    
    If you did everything correctly, all your scripts and programs as well as .htaccess files have access to the GEOIP variable information.

    To check this, setup a phpinfo() page:
    Code:
    <?php phpinfo(); ?>
    
    Search the phpinfo page for the phrase GEOIP and if you did everything properly then you should see your own location in the world shown under GEOIP_COUNTRY_CODE and GEOIP_CONTINENT_CODE variables.

    Good Luck ;)
     
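The access-control fragment this procedure leads to, written out as an added example (not from the post or from MaxMind): allow only visitors geolocated to AU. It assumes mod_geoip2 loaded as in the instructions above and the country database at /usr/local/share/GeoIP/GeoIP.dat. The Order directive is stated rather than relied on as a default, the regex is anchored, and the second `<IfModule>` block goes beyond the thread's Apache 2.2 setup by giving the Apache 2.4 form, where Deny/Allow only survive through mod_access_compat.

```apache
# Added example (not from the thread): allow only visitors geolocated to AU.
# Assumes mod_geoip2 is loaded as in the instructions above and that the
# country database lives at /usr/local/share/GeoIP/GeoIP.dat.
GeoIPEnable On
GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat

# SetEnvIf takes a regex; anchor it so only an exact "AU" sets the flag.
SetEnvIf GEOIP_COUNTRY_CODE ^AU$ AllowCountry

<IfModule !mod_authz_core.c>
    # Apache 2.2 (mod_authz_host). Order Deny,Allow is the default, but
    # stating it makes the evaluation explicit: every request is denied
    # first, then the env match re-allows it. A request that carries no
    # GEOIP_COUNTRY_CODE at all (RFC 1918 source address, address absent
    # from the database, module not active for this directory) stays denied.
    Order Deny,Allow
    Deny from all
    Allow from env=AllowCountry
</IfModule>

<IfModule mod_authz_core.c>
    # Apache 2.4: Deny/Allow moved to mod_access_compat; use Require instead.
    Require env AllowCountry
</IfModule>
```

When the rule appears not to bite, look at the inputs before the logic: a small PHP page that prints `$_SERVER['REMOTE_ADDR']` and `$_SERVER['GEOIP_COUNTRY_CODE']`, fetched from the address you expect to be blocked, shows whether Apache is evaluating the client's real public address and what country the database assigns to it. If REMOTE_ADDR is a NAT gateway or proxy address, or the country code is empty, the rule is being fed the wrong data rather than bypassed. Separately, the cron step in the instructions above downloads a script over plain HTTP and runs it as root; read it before executing it, and prefer MaxMind's own geoipupdate tool for refreshing the databases.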
  8. support@exa.com

    Hello Spiral,

    I have the below contents under .htaccess,

    GeoIPEnable On
    GeoIPDBFile /usr/local/share/GeoIP/GeoIP.dat

    SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry

    Allow from env=AllowCountry
    Deny from all

    for http://www.2050home.com

    Even so, I am able to access it from IN, but logically it should only allow access from AU.

    Am I doing something wrong?

    Regards,
    MihirJ
     
  9. support@exa.com

    Hello Spiral,

    I tried everything I could but no luck. Even on the MaxMind website they have the same under .htaccess. I even checked on my server, and GeoIP is enabled.

    Can you please help?

    Regards,
    MihirJ
     
  10. Spiral

    Spiral BANNED

    Sorry been busy for a few days and haven't been around.

    Had someone contact me to let me know about your post.

    I'll send you my contact info ....
     
  11. support@exa.com

    Hello Spiral,

    Sure, we'll wait for your reply.

    Regards,
    MihirJ
     
  12. support@exa.com

    Hello Spiral,

    This is a bit urgent.

    Regards,
    Mihirj
     
  13. support@exa.com

    Hello Spiral,

    Tried it, but it's not getting blocked.

    GeoIPEnable On
    GeoIPDBFile /usr/local/share/GeoIP/GeoLiteCity.dat

    SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry
    Allow from env=AllowCountry
    Deny from all

    The above should allow only AU and not India, but I am able to browse the site from India.

    Regards,
    MihirJ
     