CSF/LFD Blocking IP - Can't find where

enkrypt (Verified User, joined Feb 3, 2011, 38 messages)
So, long story short: I am at work and logging into my server. After entering my password wrong a few times through SCP, I was banned from the server. However, I am only banned from accessing the DirectAdmin panel (IP:2222) and SSH. All of the websites that are hosted on my server load just fine (which is weird to me).

When I run csf -tr and csf -dr I get "csf: There are no temp bans" and "not found in csf.deny".

When I run csf -g <myIP> I find this in the output:
Code:
ALLOWIN 1 0 0 ACCEPT all -- !lo * <myIP> 0.0.0.0/0
ALLOWOUT 1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 <myIP>

When I run iptables -L INPUT -v -n | grep <myIP> I get a blank return (IP not found)

So, now I am stumped. When I do a csf -x (disabling csf and lfd) everything at work loads: SSH, DirectAdmin and my sites.

When I do a csf -e and then a csf -f, my work IP is able to connect to DirectAdmin and SSH for a few minutes, then it gets blocked again.

I have my work IP added to csf.allow and csf.ignore.

Does anyone have any idea as to where my work IP is getting blocked from or where else I could look? Surely I have overlooked something.

Thanks in advance,
eNkrypt

*I accidentally posted this in ADMIN tech section. Please feel free to delete that copy*
 
Are you sure you weren't just loading cache? Sounds odd to me that csf didn't block your IP entirely.

What ports is csf protecting? Can you ssh in from another server to verify that it is just your IP that is blocked or maybe it killed access to those ports altogether?
 
Yeah, I have disabled Cloudflare and purged the cache. I was also able to submit a form and confirm that it submitted data, therefore it is working and not just cache. CSF is blocking all ports except the ones I define. I can successfully SSH into the site with my phone; this is how I am able to run the above commands.

Also, it appears that when I type in the IP address I get the "Apache is functioning normally" page.

So it definitely only seems to be blocking SSH and DirectAdmin login. It might also be worth noting that I installed brute-force blocking with DirectAdmin using this guide:
https://www.plugins-da.net/info/how-to-block-ips-with

What does your /var/log/lfd.log say? cat /var/log/lfd.log
Only thing in it now (I purged it then tried connecting to the server at work again) is:
Code:
Jan 14 <hostname> lfd[<PID>]: *User Processing* PID:<PID> Kill:0 User: cstanley VM:270(MB) EXE:/usr/local/php56/sbin/php-fpm56 CMD:php-fpm: pool cstanley

It's still banned and it's been overnight, so it's definitely not a temp ban. It's so weird because I cannot find where I am being banned anywhere.
 
Why don't you just rebuild it from scratch, or reinstall it and start over? Then you will have more control. Since you can connect from your phone and not your "laptop?", you might have something on your computer which hammers the connection. I reckon that you use the same computer (Winblows?) both at home and at work? So if you have something configured which constantly tries to log in on some service with the wrong ID/pass, then it doesn't really matter which IP you sit at. I would start over and slowly build up the rules. Just my humble opinion.
 
Hello,

By default CSF with BFM blocks all ports for an attacker's IP. So if you can still access your web sites (TCP 80, 443), it's probably because your server sees another IP (i.e. the IP of Cloudflare) when you browse the sites.

To find logs of CSF (firewall blocking) you should check the dmesg output as well, and the DirectAdmin logs in /var/log/directadmin/

ALLOWIN 1 0 0 ACCEPT all -- !lo * <myIP> 0.0.0.0/0
ALLOWOUT 1 0 0 ACCEPT all -- * !lo 0.0.0.0/0 <myIP>

These rules do not seem to catch any packets, as the counters are zero. Did you restart the firewall just before posting the lines here? When you restart csf (the firewall) the counters are set to zero. And even in this case they would not show zeros after you run csf -g.
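Pulling the checks from this thread together: the script below is an added example, not code posted by anyone in the thread, that walks every place a source address can be held on a csf/lfd + DirectAdmin host. Two points it encodes are worth spelling out. First, `iptables -L INPUT -v -n` lists only the INPUT chain's own rules; csf keeps its denies in its DENYIN chain that INPUT jumps to, so grepping INPUT alone finds nothing even when the address is dropped, whereas `csf -g` (or a full `iptables-save`) searches every chain, and ipset sets too. Second, a bare `grep` for an address also matches longer addresses sharing the prefix (203.0.113.10 inside 203.0.113.100), so the match is anchored on both sides. The csf list-file paths, the DirectAdmin blacklist path and the `ipset` use are assumptions about a stock install to verify locally; the iptables-save, lfd.log and csf.allow samples are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): find every place a source IP can be
# blocked or recorded on a csf/lfd + DirectAdmin host.  The filter functions
# read stdin so they can be exercised against the constructed samples below;
# the live walk at the bottom only runs when CSF_LIVE=1 and needs root.

# Print stdin lines that mention $1 as a whole address, optionally with a
# /prefix.  Anchoring both sides keeps 203.0.113.10 from matching 203.0.113.100.
grep_ip() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E -- "(^|[^0-9.])${esc}(/[0-9]+)?([^0-9.]|$)" || true
}

# Number of matching lines; always prints a number, even when nothing matches.
count_ip() {
    grep_ip "$1" | wc -l | tr -d ' '
}

# Is $1 listed in a csf list file (csf.allow, csf.deny, csf.ignore, csf.tempban)
# read from stdin?  Comments are stripped first; a plain address and an advanced
# rule such as "tcp|in|d=2222|s=203.0.113.10" both count.
in_csf_list() {
    n=$(sed 's/#.*//' | count_ip "$1")
    [ "$n" -gt 0 ]
}

# Constructed `iptables-save` output shaped like a csf ruleset.  The DROP sits
# in DENYIN, not INPUT, so `iptables -L INPUT -v -n | grep <ip>` never sees it.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
:ALLOWIN - [0:0]
:DENYIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -j ALLOWIN
-A INPUT ! -i lo -j DENYIN
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A ALLOWIN -s 203.0.113.100/32 -j ACCEPT
-A DENYIN -s 203.0.113.10/32 -j DROP
COMMIT'

# Constructed lfd.log excerpt: one SSH block line and one unrelated line.
SAMPLE_LFD_LOG='Jan 14 09:12:01 host lfd[2210]: (sshd) Failed SSH login from 203.0.113.10 (XX/-/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
Jan 14 09:15:42 host lfd[2210]: *User Processing* PID:2351 Kill:0 User: cstanley VM:270(MB) EXE:/usr/local/php56/sbin/php-fpm56 CMD:php-fpm: pool cstanley'

# Constructed csf.allow: a comment, a plain address and an advanced rule.
SAMPLE_CSF_ALLOW='# work office
203.0.113.100
tcp|in|d=2222|s=198.51.100.7'

# Live walk over a real host: every place to look before concluding "not csf".
# File paths are those of a stock csf/DirectAdmin install (assumption: verify).
hunt_live() {
    ip=$1
    echo "== csf -g (iptables + ipset, all chains)"; csf -g "$ip"
    echo "== iptables-save, every table and chain"; iptables-save | grep_ip "$ip"
    echo "== ipset members (csf with LF_IPSET=1)"; ipset list 2>/dev/null | grep_ip "$ip"
    for f in /etc/csf/csf.deny /etc/csf/csf.allow /etc/csf/csf.ignore \
             /var/lib/csf/csf.tempban /var/lib/csf/csf.tempallow; do
        [ -r "$f" ] && in_csf_list "$ip" < "$f" && echo "== listed in $f"
    done
    echo "== lfd.log"; grep_ip "$ip" < /var/log/lfd.log
    echo "== kernel log (csf DROP_LOGGING entries)"; dmesg | grep_ip "$ip"
    echo "== DirectAdmin logs and BFM blacklist"
    grep -r -l -- "$ip" /var/log/directadmin/ 2>/dev/null
    [ -r /usr/local/directadmin/data/admin/ip_blacklist ] &&
        grep_ip "$ip" < /usr/local/directadmin/data/admin/ip_blacklist
}

if [ "${CSF_LIVE:-0}" = 1 ]; then
    hunt_live "${1:?usage: CSF_LIVE=1 $0 <ip>}"
fi
```

Run it as `CSF_LIVE=1 sh hunt_ip.sh 203.0.113.10` on the server (over the connection that still works). If the address shows up nowhere in this output while `csf -x` still restores access, the block is not a csf deny and the next suspects are the DirectAdmin brute-force monitor's own blocklist and any custom block script it calls.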
 
The thing is that I even disabled Cloudflare and the websites still loaded. So I am not sure what is actually happening here. I am re-installing the server (just in case) since this is only a dev server. However, if it happens again I will post the output of dmesg and the DirectAdmin log files.

I noticed that as well, so I am not sure what is actually happening.
 
I checked those logs, and I do not see any record of my IP address in there. That's extremely odd. What would you suggest I do now? I am extremely lost at this point!
 
Well, it appears that you're convinced that it is csf that is causing this issue for you. If it weren't for you saying that disabling csf regains access for you, I'd be inclined to think there is a problem with iptables. But you also say you're only blocked from certain services, which makes it even more puzzling.

Because you claim that disabling csf somewhat corrects the problem, I'd recommend installing it from scratch to reinstate all the default settings. If it continues, you might have to look into another firewall solution or contact someone who might be able to hunt down the problem further.

Have you posted to CSF's forum?
 