Hi,
I'm having trouble getting CSF firewall to work...
My understanding is that the default behaviour is block/deny all. However this doesn't seem to be happening.
In csf.allow I have:
my.ip.address.here
And then I want to "Block all other access to port 22 / ssh"
I would have expected this to work by default if the default is deny all but nope.
I added the following to csf.deny:
tcp|in|d=22|s=0.0.0.0
And still I can SSH in from another IP
And if I add:
0.0.0.0/22
Again I can still SSH from another IP
I can only block IPs by using:
0.0.0.0/0
However this blocks ALL ports, so the end user cannot even see port 80/website.
Ultimately I want to:
Allow anyone to see port 80 and 433
Block everyone apart from my IPs on port 22 and 21
Any advice, most appreciated.
Many thanks
Block all expect .... on port 22
Re: Block all expect .... on port 22
Hello rjbathgate,
It blocks all ports except for
What you need to do is open csf.conf and simply make sure your TCP_IN option directive only contains port 80 and 443. Then proceed to whitelisting only the IPs you want access to all ports.
With below example in your csf.conf you should be able to achieve what you desire.
Though I must note that closing all ports is safe but be sure you aren't closing off any critical services like DNS or email if you wish to use those.
I also would recommend you read through all options of the csf.conf, although maybe not a problem for you but csf by default monitors failed login attempts of ssh, cpanel and htacces even which could issue bans regardless, so be sure to add your ips to the csf.ignore
Configserver is simply an (advanced) shell around regular iptables in linux.My understanding is that the default behaviour is block/deny all. However this doesn't seem to be happening.
It blocks all ports except for
- Ports that are opened in csf.conf TPC_IN and UDP_IN values (for both ipv4 and ipv6)
- IPs that are whitelisted in allow.conf (for either specific ports or everything)
There is no need for adding the above to deny.conf, you may remove it.I added the following to csf.deny:
tcp|in|d=22|s=0.0.0.0
What you need to do is open csf.conf and simply make sure your TCP_IN option directive only contains port 80 and 443. Then proceed to whitelisting only the IPs you want access to all ports.
With below example in your csf.conf you should be able to achieve what you desire.
Code: Select all
TCP_IN = 80,443I also would recommend you read through all options of the csf.conf, although maybe not a problem for you but csf by default monitors failed login attempts of ssh, cpanel and htacces even which could issue bans regardless, so be sure to add your ips to the csf.ignore
-
rjbathgate
- Junior Member
- Posts: 2
- Joined: 23 Sep 2015, 09:32
Re: Block all expect .... on port 22
Hi
Ah ha
What you need to do is open csf.conf and simply make sure your TCP_IN option directive only contains port 80 and 443. Then proceed to whitelisting only the IPs you want access to all ports.
That makes sense, thanks.
However... in the meantime I have found, and set up the built in "Host Access Control" option in WHM -- didn't know it was built in until yesterday!
Thanks anyway for your help :-)
Ah ha
What you need to do is open csf.conf and simply make sure your TCP_IN option directive only contains port 80 and 443. Then proceed to whitelisting only the IPs you want access to all ports.
That makes sense, thanks.
However... in the meantime I have found, and set up the built in "Host Access Control" option in WHM -- didn't know it was built in until yesterday!
Thanks anyway for your help :-)
Re: Block all expect .... on port 22
I would still recommend CSF, it implements numerous safety conventions and has a nice checklist to help you properly secure your server ( Cpanel still leaves a lot to chance ).