CSF can't block port of Nginx + Apache reverse proxy

drjavab

As you can see in the picture, ports 8080 and 8081 are open, but I didn't open these ports at all.
Here is my CSF port config:
# Allow incoming TCP ports
TCP_IN = "35000:35999,20,21,22,25,53,853,80,110,143,443,465,587,993,995,2222,3306,2424,5432,2424"
# Allow outgoing TCP ports
TCP_OUT = "465,143,20,21,22,25,53,853,80,110,113,443,587,993,995,2222,3306,2424,5432"
# Allow incoming UDP ports
UDP_IN = "20,21,53,853,80,443"
# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "11335,443,20,21,53,853,113,123"

How can I block these ports?
 

Attachments

  • nmap.jpg
Hi,

1. About your picture

This only shows which ports are open. It does not mean CSF is not blocking the ports.

If you install the nginx_apache reverse proxy

These docs

I can't see nginx listening on port 80 in your picture.
I see httpd listening on port 80: 80/tcp open httpd

Use the command

netstat -tlpn

to check which service is listening on which ports.

Or you can check the port you want:

netstat -tlpn | grep 8080
netstat -tlpn | grep 8081
netstat -tlpn | grep 80

PS: port 8080 is for HTTP for the Apache proxy
port 8081 is for HTTPS connections for the Apache proxy


2. About your CSF settings

Your CSF settings are fine; you don't need to change anything there.
With your CSF settings, ports 8080 and 8081 are already blocked.

Check whether your IP exists in csf.allow or csf.ignore; if yes, remove your IP from there!!!
If you don't remove it, the test will not work.
Then restart CSF with the command csf -ra

Now test http://yourserverip:8080
You will see it's blocked; the page will not open.

Now in csf.conf, add port 8080 to TCP_IN and TCP_OUT
to open it, and restart CSF again:
csf -ra

Test again:
test http://yourserverip:8080
Now you will see the web server is functioning normally.
As you can see, port 8080, and of course 8081, are blocked with your settings.
 
How can I block these ports?

Did you try nmap on the local server? CSF/LFD does not filter connections from inside the server to its own IPs. If you want to see a real picture of open ports, you will need to scan your server from another remote location, which has an IP not whitelisted on your server.
 
Check whether your IP exists in csf.allow or csf.ignore; if yes, remove your IP from there!!!
If you don't remove it, the test will not work.
Then restart CSF with the command csf -ra

Thank you, Hostmavi. I added my VPN IP address to the CSF allow list and it shows all open ports. I tested it with another IP address and it blocked the ports and works!
Thank you again.
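
The check discussed in this thread, as an added example that is not part of any post above: it compares the TCP_IN list from csf.conf with `netstat -tlpn` output and prints every non-loopback listener that TCP_IN does not cover, which is what a remote, non-allowlisted IP should find blocked. The function names and the netstat sample lines are constructed for illustration; the TCP_IN value is the one posted in the question.

```shell
#!/bin/sh
# Constructed sample input: TCP_IN as posted in the thread, plus made-up
# netstat -tlpn lines (not taken from the poster's server).
SAMPLE_CONF='# Allow incoming TCP ports
TCP_IN = "35000:35999,20,21,22,25,53,853,80,110,143,443,465,587,993,995,2222,3306,2424,5432,2424"'
SAMPLE_NETSTAT='tcp   0   0 0.0.0.0:80      0.0.0.0:*   LISTEN   1201/nginx
tcp   0   0 0.0.0.0:443     0.0.0.0:*   LISTEN   1201/nginx
tcp   0   0 0.0.0.0:8080    0.0.0.0:*   LISTEN   1350/httpd
tcp   0   0 0.0.0.0:8081    0.0.0.0:*   LISTEN   1350/httpd
tcp   0   0 127.0.0.1:3306  0.0.0.0:*   LISTEN   990/mysqld
tcp6  0   0 :::22           :::*        LISTEN   801/sshd'

# Read csf.conf text on stdin, print the quoted value of the first TCP_IN line.
tcp_in_list() {
    sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# $1 = csf.conf text, $2 = netstat -tlpn output.
# Prints "port pid/program" for each listener that TCP_IN does not allow.
listeners_not_in_tcp_in() {
    allowed=$(printf '%s\n' "$1" | tcp_in_list)
    printf '%s\n' "$2" | awk -v allowed="$allowed" '
        BEGIN {
            # CSF list entries are either a single port or LOW:HIGH
            n = split(allowed, e, ",")
            for (i = 1; i <= n; i++) {
                if (split(e[i], r, ":") == 2) { lo[i] = r[1]; hi[i] = r[2] }
                else                          { lo[i] = e[i]; hi[i] = e[i] }
            }
        }
        $6 == "LISTEN" {
            k = split($4, a, ":"); port = a[k] + 0      # port is the last field
            addr = substr($4, 1, length($4) - length(a[k]) - 1)
            if (addr ~ /^127\./ || addr == "::1") next  # loopback-only listener
            for (i = 1; i <= n; i++)
                if (port >= lo[i] + 0 && port <= hi[i] + 0) next
            if (!seen[port]++) print port, $7           # tcp/tcp6 reported once
        }'
}

# Stand-alone run on the sample; on a server, pass
# "$(cat /etc/csf/csf.conf)" and "$(netstat -tlpn)" instead.
listeners_not_in_tcp_in "$SAMPLE_CONF" "$SAMPLE_NETSTAT"
```

A port printed here is still listening; confirming that CSF actually drops it requires a scan from a remote IP that is not in csf.allow or csf.ignore, as the replies above explain.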
 