CSF rejecting MANY users!

eliassorensen (Verified User, joined Dec 23, 2011, 10 messages)
Hi there,

I have CSF installed on my server, but lately, I've been contacted by customers saying they cannot access my server.

I have tried tracerouting from http://ping.eu/traceroute/, and this is what I get....

CSF enabled

1 * * *
2 hos-tr3.juniper2.rz10.hetzner.de 213.239.224.65 de 0.148 ms 0.148 ms
hos-tr4.juniper2.rz10.hetzner.de 213.239.224.97 de 0.144 ms
3 hos-bb1.juniper1.ffm.hetzner.de 213.239.240.224 de 8.402 ms 5.090 ms
hos-bb1.juniper4.ffm.hetzner.de 213.239.240.230 de 9.451 ms
4 r1fra1.core.init7.net 77.109.135.17 ch 4.947 ms 4.882 ms
r1fra1.core.init7.net 82.197.166.85 ch 4.862 ms
5 r1fra2.core.init7.net 77.109.128.138 ch 7.977 ms 12.312 ms 5.007 ms
6 r1ams2.core.init7.net 77.109.128.201 ch 13.550 ms 13.525 ms 13.522 ms
7 * * *
8 * * *
9 * * *
No reply for 3 hops. Assuming we reached firewall.

CSF disabled

1 * * *
2 hos-tr2.juniper1.rz10.hetzner.de 213.239.224.33 de 11.972 ms
hos-tr1.juniper1.rz10.hetzner.de 213.239.224.1 de 11.968 ms
hos-tr3.juniper2.rz10.hetzner.de 213.239.224.65 de 0.136 ms
3 hos-bb1.juniper4.ffm.hetzner.de 213.239.240.230 de 5.037 ms 5.037 ms 5.022 ms
4 r1fra1.core.init7.net 82.197.166.85 ch 13.715 ms 13.779 ms 13.843 ms
5 r1fra2.core.init7.net 77.109.128.138 ch 11.849 ms 4.979 ms 4.998 ms
6 r1ams2.core.init7.net 77.109.128.201 ch 21.664 ms 21.769 ms 13.524 ms
7 * * *
8 * * *
9 fiber.digsat.org 109.236.83.193 nl 15.846 ms 15.843 ms 15.873 ms

Also, with just-ping.com I get a lot of packet loss with CSF enabled.

Does anyone else know about this? Right now I have disabled CSF, as I cannot have customers that cannot connect...

Any fix?
 
I just noticed that CSF by default didn't allow traceroutes, so I just put 33434:33523 into UDP_IN.

But this still doesn't solve why users can't connect.
 
Make sure it's CSF. Turn it off and have a user try to reach the server. If the user can connect, check the logs to see if the user's IP is being blocked for some reason.

Jeff
 
- To turn off CSF/LFD: csf -x
- By default, indeed, traceroute is not possible.
- Check the logs to see why the customers get blocked; we have it on almost all our servers without any problems.
- We don't have packet loss when using CSF/LFD, so I guess it's not CSF/LFD causing the loss.

# Allow incoming TCP ports
TCP_IN = "21,25,53,80,110,143,443,587,993,995,2222,3306"

# Allow outgoing TCP ports
TCP_OUT = "21,22,25,37,53,80,110,143,443,465,587,993,995,2222,3306,63,43"

# Allow incoming UDP ports
UDP_IN = "20,21,53,953"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,953"

NOTE: If you don't use the default SSH port 22 then change it before using.

Also when using CSF/LFD be sure your own IP is in the csf.allow, so you won't be blocked.
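A small checker for the two things the replies above ask for: whether a customer IP sits in csf.deny (or is rescued by csf.allow), and whether UDP_IN in csf.conf actually opens the traceroute probe range 33434:33523. This is an added Python example, not code from the thread or from CSF itself; the csf.deny, csf.allow and csf.conf contents are constructed samples and the function names are my own.

```python
"""Check whether a customer IP is caught by csf.deny (and not rescued by
csf.allow) and whether csf.conf's UDP_IN opens the traceroute probe range."""
import ipaddress
import re

# Constructed sample files (not from the thread). csf.allow/csf.deny hold one
# "IP_or_CIDR # comment" entry per line; port/direction entries ("tcp|in|...") are skipped.
CSF_DENY = """\
203.0.113.5 # lfd: (sshd) Failed SSH login from 203.0.113.5: 5 in the last 3600 secs
198.51.100.0/24 # manual block
tcp|in|d=22|s=203.0.113.9 # advanced entry, ignored by this checker
"""
CSF_ALLOW = "192.0.2.10 # admin workstation\n"
CSF_CONF = 'TCP_IN = "21,25,53,80,110,143,443,587,993,995,2222,3306"\nUDP_IN = "20,21,53,953"\n'

def parse_ip_list(text):
    """Networks listed in a csf.allow/csf.deny style file (comments and blanks ignored)."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry and "|" not in entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def find_match(ip, text):
    """First entry covering ip, returned as a CIDR string, or None."""
    addr = ipaddress.ip_address(ip)
    for net in parse_ip_list(text):
        if addr in net:
            return str(net)
    return None

def parse_ports(value):
    """Expand a CSF port list such as "20,21,53,33434:33523" into a set of ints."""
    ports = set()
    for item in value.split(","):
        lo, _, hi = item.strip().partition(":")  # "a:b" is an inclusive range
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def conf_ports(conf_text, key):
    """Port set of a quoted csf.conf setting such as UDP_IN."""
    m = re.search(r'^%s\s*=\s*"([^"]*)"' % re.escape(key), conf_text, re.M)
    return parse_ports(m.group(1)) if m else set()

def traceroute_udp_allowed(conf_text):
    """True when UDP_IN covers the whole traceroute probe range 33434:33523."""
    return set(range(33434, 33524)) <= conf_ports(conf_text, "UDP_IN")
```

Run find_match(customer_ip, open("/etc/csf/csf.deny").read()) on the real files; a CIDR hit there explains a "cannot connect" report, and csf -g <ip> shows the same from the command line.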
 