Access Limited to one IP

stevenr

Verified User
Joined
Feb 17, 2017
Messages
13
Hi,

On one of our servers we have restricted access to the DA login panel to only 1 IP.
I am very sure I followed these steps as stated on this page:


The client connecting to the server is changing ISP and going to a dynamic IP. And I can't find where or how I configured this to change it or disable it to accept from any IP. When I completely disable CSF and LFD, I still can't connect from other IPs.

When I stop firewalld, I can't restart it. (Still no connection when firewalld is down, though.)


firewall-cmd --permanent --zone=public --add-port=2222/tcp
---- says -> Firewalld is not running.
(I think this is because CSF etc is running?)

systemctl start firewalld
---- says -> Failed to start firewalld.service: Unit firewalld.service is masked.

CSF, LFD etc says it's all running and GREEN?

Any tips are greatly appreciated.

Thanks!
Steven
TransIP's guide uses a custom script file to only limit admin-level commands.

Are you sure you didn't limit the IP in the TransIP firewall? (i.e. not the one on the VPS, but the one you control in the control panel at TransIP?)
@Richard G My Dutch friend, might you help? Greets
 
Maybe. I don't use firewalld.

I think the best way is to disable everything (so firewalld, and csf with csf -x) and then have a look at the output of this command:
Code:
iptables -L
which should give 3 policies (INPUT, OUTPUT and FORWARD), all 3 of which should be at ACCEPT.

If this is not the case, then something is still running. Maybe fail2ban is not completely removed or something.
This is not a DA issue, so you might ask over at the Transip forum (or support) if you want.

The function mentioned in post #4 is not to limit access to 1 user ip, but to bind DA access (for anybody) to only 1 ip. That should be the server ip. If I were you, I would remove that bind statement again.
About post #4: I noticed it, and I did not change anything.

After csf -x, the iptables -L output seems OK:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The server is not hosted at TransIP, but I used the guide on TransIP to secure the server (I think; it has been more than a year since I last set up a DA server). There is no extra firewall between the server and the internet. It is a directly connected VPS.

cat /etc/firewalld/zones/public.xml

Code:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <port port="2222" protocol="tcp"/>
</zone>
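The check Richard describes (disable CSF and firewalld, then confirm that `iptables -L` shows INPUT, FORWARD and OUTPUT all at policy ACCEPT with no rules) and the listing Steven pasted, as an added example that is not from either poster: a small POSIX sh script that parses `iptables -L` output from stdin and reports whether the filter table is fully open. The function names and both sample listings are my own constructions; the second sample shows what a leftover rule set would look like, here a DROP policy on INPUT plus a single-source allow on port 2222, which is exactly the kind of rule that would keep a DA login panel pinned to one client IP.

```shell
#!/bin/sh
# Added example, not from the thread: parse `iptables -L` output and tell
# whether the filter table is fully open (all three built-in chains at
# policy ACCEPT and carrying no rules). Reads the listing from stdin, so it
# works on a live host (`iptables -L | check_filter_open`) or a saved file.

# Print the default policy of one built-in chain from the listing on stdin.
# The header line looks like "Chain INPUT (policy ACCEPT)".
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4 }'
}

# Count the rule lines under one chain: everything after its header and the
# column-header line ("target prot ..." or "pkts bytes ..." with -v), up to
# the next chain header. Blank lines are ignored.
chain_rule_count() {
    awk -v chain="$1" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && ($1 == "target" || $1 == "pkts") { next }
        in_chain && NF > 0 { n++ }
        END { print n + 0 }'
}

# Return 0 when INPUT, FORWARD and OUTPUT are all ACCEPT with zero rules,
# 1 otherwise, printing one diagnostic line per chain. The listing is
# buffered to a temp file because each chain is inspected separately.
check_filter_open() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    rc=0
    for chain in INPUT FORWARD OUTPUT; do
        policy=$(chain_policy "$chain" < "$tmp")
        rules=$(chain_rule_count "$chain" < "$tmp")
        if [ "$policy" = "ACCEPT" ] && [ "$rules" -eq 0 ]; then
            echo "$chain: policy ACCEPT, no rules (open)"
        else
            echo "$chain: policy ${policy:-MISSING}, $rules rule(s) (still filtering)"
            rc=1
        fi
    done
    rm -f "$tmp"
    return $rc
}

# Constructed sample: the listing from the thread, all chains open.
sample_open_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample: a host where a rule set is still loaded, with a DROP
# policy on INPUT and one allow rule for a single source on the DA port.
sample_filtered_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.0.2.10           anywhere             tcp dpt:2222

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}
```

On a live host, run `iptables -L | check_filter_open` as root after `csf -x`; a non-zero exit means something is still filtering locally. An open filter table only proves the local netfilter rules are clear, which is what this thread ends up demonstrating: a restriction upstream of the server, such as a provider firewall or Cloudflare, is invisible in this output.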
 
So if it looks like this, you still can't reach directadmin from any ip? And DA is running?
Hi Richard, I am very sorry, I have found the culprit. I said I did not have a firewall in between. But I use Cloudflare...

It is solved. Nothing to do with DA as you mentioned!
However I couldn't have solved it this fast without your help, pointing me in the right direction.

Thank you very much.

Steven