Almalinux 9 VPS hangs - deprecated driver ipset used for CSF

hendrik250874

I'm actually out of options here, therefore the post.
I have a freshly installed VPS with Almalinux 9, installed DirectAdmin, no fancy stuff added, changed some default ports (for ssh and directadmin).
Upon rebooting I found that the VPS wouldn't completely load. I got stuck where it mentions that some of the drivers are deprecated.

Warning: Deprecated Driver is detected: iptables will not be maintained in a future major release and may be disabled
Warning: Deprecated Driver is detected: ip6tables will not be maintained in a future major release and may be disabled
Warning: Deprecated Driver is detected: ipset will not be maintained in a future major release and may be disabled
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.

After several times restoring a snapshot I managed to get into the VPS, so I uninstalled ipset and iptables (I was getting desperate). Rebooting was no issue, however DirectAdmin mentioned that the service 'lfd' was down. I reinstalled CSF with Custombuild and iptables was a dependency and so it was installed. But it still needed ipset-libs for it to run. And after installing it seems like it just stops booting.

To make it a little bit more weird, the webserver is running, because I can get the placeholder page to show for the domain of the hostname.
I just have no access to ssh or DirectAdmin. Can someone point me in the right direction?
 


not sure if this can help :
Code:
dnf install ipset-service
 
Just read a whole thread, lol. So the fix is to do just yum update or dnf update?

I always do that first after a fresh OS installation. Would be good advice if everybody would think of that. And use this command more often as it can be important to keep the OS updated.
 
Maybe the ssh and DirectAdmin ports are closed in the firewall.
You say you have changed the ssh port and DirectAdmin port.
Then you maybe forgot to change the ports in the firewall.

I think you need a managed server.
 
Maybe the ssh and DirectAdmin ports are closed in the firewall.
You say you have changed the ssh port and DirectAdmin port.
Then you maybe forgot to change the ports in the firewall.

I think you need a managed server.
I'm not claiming to be an expert, but it is not my first server. My experience is that if you don't want to do some exotic stuff, you can make it pretty stable. So that's where I live, and normally there are no special issues, except now. I checked the ports in the firewall, I even changed them back to the defaults, as well as in the ssh config and the VPF firewall.
Strange thing is that I can access the domain with the DirectAdmin placeholder page, but no ssh, or DirectAdmin...
 

not sure if this can help :
Code:
dnf install ipset-service
Thank you for the info. I uninstalled the services iptables and ipnet, that breaks CSF. Then installed ipnet-service.
But the effect is the same, and again no access to ssh / directadmin. The ssh-output I have is from the VPS-console, and it doesn't allow me to log in...
 
Your problem might be at Transip :sick:

But if I read it correctly, you reinstalled and now you can access http://yourip but not http://yourip:2222?
The support from TransIP is fast enough, but no real help. They just said to install the latest versions of the drivers.
So, I did not re-install, I just got lucky that during booting it didn't halt. At this moment I can access over SSH and DirectAdmin. I've restarted about 5 times and it seems to work.
The boot messages remain, about the deprecated drivers, but then it shows the login prompt.
Question remains however, how much can you trust such an installation? I don't want to get into this when there are multiple accounts on this server...
Should I do a clean install all over? Or maybe look at a specific logfile for something?
 
and the VPF firewall.
What firewall is that? This is not something DA installs.

But now I hear you're using Transip then a lot becomes clear to me. Several ports are closed on firewall at their side.
I would suggest disabling that one for the time being and only use the one on your vps which is csf/lfd.

Then sometimes after installing DA in Alma, the /etc/resolv.conf file can be overwritten.
Check that and see if it can resolve or just add this at the first two lines:
nameserver 1.1.1.1
nameserver 8.8.8.8
save and then just to be sure, restart VPS and see if it works.
 
What firewall is that? This is not something DA installs.

But now I hear you're using Transip then a lot becomes clear to me. Several ports are closed on firewall at their side.
I would suggest disabling that one for the time being and only use the one on your vps which is csf/lfd.

Then sometimes after installing DA in Alma, the /etc/resolv.conf file can be overwritten.
Check that and see if it can resolve or just add this at the first two lines:
nameserver 1.1.1.1
nameserver 8.8.8.8
save and then just to be sure, restart VPS and see if it works.
I checked the resolv.conf and it contains the addresses from TransIP.
It seems to work fine now. I got this feeling that it is not really because of something I deliberately changed. Cause and effect seem off.
However, I really would like to thank everyone for the support. It is very much appreciated.
 
So I will just add something here to close this issue. I think I have found what caused it, although it is a bit weird.
When I install a new server I document every step of the way. It's just that I don't do this often enough and this way I have a document as fallback. So for a completely new server, I start from the previous document, check if everything is still accurate and move on, step by step.

I reinstalled Almalinux on the VPS and did all the steps again. After every step I just rebooted the VPS and saw what happened.
I made sure all ports were open, logged my ip, but surely, when I changed the default port for SSH to anything else, the issue reappeared.
Even the VPS-console did not work. So that's it. Never had this before.

I disabled logging in with password, only key, so I suppose this will do.
Thanks again for the support.
 
when I changed the default port for SSH to anything else, the issue reappeared.
Even the VPS-console did not work
It's odd then, we never have this issue and we are always using a different port for SSH. Anyway, glad you have it solved.
 
Maybe you have CSF also installed, and the new ssh port isn't there for incoming/outgoing connections? Put the new port in the CSF config before you change it in ssh.
 
It's either CSF or the Transip Firewall.

Normally when doing steps, I first install Directadmin, then I put my own ip in the csf.allow file and then I start changing things.
In that case, even when changing an SSH port, you won't be refused, even when you forget to change or add the new ssh port or something else csf would normally block.
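
The ordering advice in the two replies above (open the new SSH port in CSF before changing it in ssh, and list your own IP in csf.allow first) can be checked before sshd is restarted. The script below is an added example, not part of the thread or of CSF/DirectAdmin; the function names are hypothetical, the sample files and addresses are constructed, and it reads only the single sshd_config file given and only the IPv4 `TCP_IN` list.

```shell
#!/bin/sh
# Print every Port set in an sshd_config-style file (22 if none is set).
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Succeed if port $1 is covered by TCP_IN in csf.conf-style file $2.
# CSF port lists are comma separated; ranges are written low:high.
port_in_tcp_in() {
    list=$(sed -n 's/^TCP_IN *= *"\(.*\)".*/\1/p' "$2" | tr ',' ' ')
    for item in $list; do
        case $item in
            *:*) [ "$1" -ge "${item%%:*}" ] && [ "$1" -le "${item##*:}" ] && return 0 ;;
            "$1") return 0 ;;
        esac
    done
    return 1
}

# Succeed if address $1 has a plain entry of its own in csf.allow-style file $2.
ip_allowed() {
    awk -v ip="$1" '{ sub(/#.*/, ""); if ($1 == ip) found = 1 } END { exit !found }' "$2"
}

# Args: sshd_config csf.conf csf.allow admin_ip. Non-zero means sshd would
# listen on a port that CSF does not let in.
preflight() {
    rc=0
    for p in $(sshd_ports "$1"); do
        port_in_tcp_in "$p" "$2" || { echo "port $p missing from TCP_IN"; rc=1; }
    done
    ip_allowed "$4" "$3" || echo "note: $4 has no entry in csf.allow"
    return "$rc"
}

# Constructed sample files (not taken from the thread) so this runs offline.
demo() {
    d=$(mktemp -d)
    printf '#Port 22\nPort 2022\n' > "$d/sshd_config"
    printf 'TCP_IN = "20,21,22,80,443,2222,30000:35000"\n' > "$d/csf.conf"
    printf '203.0.113.10 # admin workstation\n' > "$d/csf.allow"
    preflight "$d/sshd_config" "$d/csf.conf" "$d/csf.allow" 203.0.113.10
    status=$?
    rm -rf "$d"
    return "$status"
}

demo || echo "add the port to TCP_IN and restart CSF before restarting sshd"
```

On a live server, call `preflight` with `/etc/ssh/sshd_config`, `/etc/csf/csf.conf`, `/etc/csf/csf.allow` and your own address.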
 
That's good advice, I'll think about adding my ip before making changes.
However, the ports were added to CSF and the TransIP firewall, prior to the issue.
 
However, the ports were added to CSF and the TransIP firewall, prior to the issue.
Yes that's still odd.
It might be fun to test it. First disable Transip firewall, see if it works, then enable that again and disable CSF, see if that works.
Maybe you can find out which one is making trouble.

Be aware that if you want to start mailing from your server, there is a kind of trick where you have to separately enable the mail port in Transip.
 