Re-installing CSF using Zeiters' script or not?

webunity

I have issues with clients connecting to my websites. I think I might have tracked it down to iPads with Safari, which are not able to connect to my server.
Does anybody see anything strange in the config below which could cause a 'temporary' ban on IPs (within 5 minutes the site access is restored, btw)?

I optionally would like to re-install CSF and Firewall to make sure it is on its defaults, but I am not sure if I would need to use the script from Zeiter (https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm) or the 'install.directadmin.sh' script which is now part of the CSF package.

If I compare the install from 2018 with the current config, this is the difference:
| SETTING | 1542219055_pre_v12_08_upgrade | current |
|---|---|---|
| DIRECTADMIN_LOG_R | /var/www/html/roundcube/logs/errors | /var/www/html/roundcube/logs/errors.log |
| IGNORE_ALLOW | 0 | 1 |
| IPV6 | 0 | 1 |
| LF_DIRECTADMIN | 5 | 10 |
| LF_DIRECTADMIN_PERM | 1 | 3600 |
| LF_EMAIL_ALERT | 1 | 0 |
| LF_FTPD | 10 | 20 |
| LF_FTPD_PERM | 1 | 3600 |
| LF_HTACCESS | 5 | 10 |
| LF_HTACCESS_PERM | 1 | 3600 |
| LF_IMAPD | 10 | 20 |
| LF_IMAPD_PERM | 1 | 3600 |
| LF_MODSEC | 5 | 25 |
| LF_PERMBLOCK_ALERT | 1 | 0 |
| LF_POP3D | 10 | 20 |
| LF_POP3D_PERM | 1 | 3600 |
| LF_SMTPAUTH | 5 | 20 |
| LF_SMTPAUTH_PERM | 1 | 3600 |
| LF_SSHD | 5 | 10 |
| LF_SSHD_PERM | 1 | 86400 |
| LT_EMAIL_ALERT | 1 | 0 |
| RESTRICT_SYSLOG | 0 | 3 |
| SYSLOG_CHECK | 0 | 300 |
| TCP6_IN | 20,21,22,25,53,80,110,143,443,465,587,993,995,2222 | 20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999 |
| TCP6_OUT | 20,21,22,25,53,80,110,113,443,587,993,995,2222 | 20,21,22,25,53,80,110,113,443,587,993,995,2222,35000:65535 |
| TCP_IN | 20,21,22,25,53,80,110,143,443,465,587,993,995,2222 | 20,21,22,25,53,80,110,143,443,465,587,993,995,3306,2222,35000:35999 |
| TCP_OUT | 20,21,22,25,53,80,110,113,443,587,993,995,2222 | 20,21,22,25,53,80,110,113,443,587,993,995,3306,2222,35000:65535 |
| TESTING | 1 | 0 |
| UDP_IN | 20,21,53 | 20,21,53,33434:33523 |
| WAITLOCK | 0 | 1 |

Any thoughts on where I might look?
 
I optionally would like to re-install CSF and Firewall to make sure it is on its defaults, but I am not sure if I would need to use the script from Zeiter (https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm) or the 'install.directadmin.sh' script which is now part of the CSF package.

Based on the title of your original question, you can use the following script by Poralix (might be part of the DA script):


When you install DirectAdmin with the auto argument, it will install CSF together with it, and I think the auto mode uses the above script to install CSF. The CSF installation script is very portable: if it detects that your server has DirectAdmin installed, it will automatically execute its own install.directadmin.sh. You can inspect the csf.tar.gz file, which has the following content:



[Image: csf_portable.JPG]

In brief, when you execute this script, http://files.directadmin.com/services/all/csf/csf_install.sh, it also runs another script called install.directadmin.sh if your server has DirectAdmin installed, and CSF will install in the DirectAdmin way (like automatically adding DA port 2222, etc.).
 
@Richard G if I can't find my IP in the brute force manager, and all access to my server is sometimes not possible (for about 1-2 minutes) from my IP, where can I look next? After this time all is resolved, but it sucks that I get these intermittent connection problems.
 
There are 3 places to look for an IP which is blocked.
/usr/local/directadmin/data/admin/ip_blacklist
and
/etc/csf/csf.deny
and
/var/lib/csf/csf.tempban

But if these really are connection issues and not blocks, I wouldn't know where to look. I would start with looking in the Apache logfiles.

Also I would make sure to have your IP in both the csf.allow and csf.ignore files (and restart csf and lf afterwards) to prevent blacklisting.
Next to that, add your IP in:
/usr/local/directadmin/data/admin/ip_whitelist
and see if that helps.

If your IP appears in the csf.tempban option, there must normally be a log entry in /var/log/lfd.log on why that happened.
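
The checks from the answer above, collected into one script (an added example, not part of the thread): it searches the three block lists for an address and shows the matching /var/log/lfd.log lines. The function names, the script file name and the overridable path variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Default paths are the ones quoted in
# the answer above; override the variables to test against copies.
DA_BLACKLIST="${DA_BLACKLIST:-/usr/local/directadmin/data/admin/ip_blacklist}"
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"
CSF_TEMPBAN="${CSF_TEMPBAN:-/var/lib/csf/csf.tempban}"
LFD_LOG="${LFD_LOG:-/var/log/lfd.log}"

# find_block IP: print every block-list line naming IP.
# Returns 0 if at least one list contains it, 1 otherwise.
# Limitation: literal matches only; a CIDR range covering IP is not detected.
find_block() {
    ip="$1"
    found=1
    for f in "$DA_BLACKLIST" "$CSF_DENY" "$CSF_TEMPBAN"; do
        if [ ! -r "$f" ]; then
            echo "skip: $f (missing or unreadable)" >&2
            continue
        fi
        # Drop comment lines, then match the address literally (-F) and as a
        # whole token (-w) so 203.0.113.5 does not match 203.0.113.50.
        hits=$(grep -v '^[[:space:]]*#' "$f" | grep -Fw -- "$ip" || true)
        if [ -n "$hits" ]; then
            echo "== $f"
            printf '%s\n' "$hits"
            found=0
        fi
    done
    return "$found"
}

# lfd_reasons IP [N]: last N (default 5) lfd.log lines naming IP, which is
# where lfd records why it blocked an address.
lfd_reasons() {
    [ -r "$LFD_LOG" ] || return 1
    grep -Fw -- "$1" "$LFD_LOG" | tail -n "${2:-5}"
}

# Run as: sh check_block.sh 203.0.113.5   (hypothetical file name)
if [ "$#" -gt 0 ]; then
    find_block "$1" || echo "$1 is not in any of the block lists"
    lfd_reasons "$1" || echo "cannot read $LFD_LOG"
fi
```

Run it as root while the outage is happening, since temporary entries disappear from csf.tempban once they expire.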
 
@Richard G if I can't find my IP in the brute force manager, and all access to my server is sometimes not possible (for about 1-2 minutes) from my IP, where can I look next? After this time all is resolved, but it sucks that I get these intermittent connection problems.
Is DA updated to version 1.62.6, as there are / were problems? But check and read the changelogs, and take care of backups.

If it is not solved with that version, try to reach DA support / ticket. If solved, please mention this here in your thread, but also mention this in >
 
Well, it turns out it is not (only) my IP; customers are also facing issues, it seems. So it is definitely something that is temporarily blocking sites. Therefore I was wondering if there are any other places to look besides the config pasted above.

Btw, I have updated DirectAdmin to the latest version and will report what I find.
 