CSF doesn't stop

iserver
Junior Member
Posts: 22
Joined: 17 Sep 2009, 15:59
Location: Acequias (Spain)

CSF doesn't stop

Post by iserver »

Hi.

On a machine with CSF (although on others the problem has appeared after writing this ticket):

It has been installed and running for years.
The settings are very restrictive. Only incoming port 53 is open; the rest are not.
Access is only allowed from my IPs. One of them is dynamic, added to csf.dyndns.

Today I couldn't get in, so I logged into the server via KVM (it's a Proxmox).

The first thing I tried, was `csf -x` and `iptables -L`

Disabled and no rules.

But to my surprise, the log that appears on the screen continues to show me firewall activity, and among the IPs that I see being blocked are those of my connection (connection attempt via SSH to the machine).

Before that I had tried connecting via ssh to localhost, without problem.


I double-check that csf is disabled.

I do the same after enabling and stopping it with systemctl.


I am desperate because I cannot understand what is happening.


Restarting that Proxmox is a pain, and something tells me that although the csf + lfd service is stopped ("inactive", it says), it continues in memory, or I don't understand it.
iserver
Junior Member
Posts: 22
Joined: 17 Sep 2009, 15:59
Location: Acequias (Spain)

Re: CSF doesn't stop

Post by iserver »

After trying to stop CSF Firewall and the CSF Firewall service, remove CSF Firewall, clean iptables...

Shut down the machine with CSF uninstalled.

Server accessible.

Reinstalled csf, restored /etc/csf/, restarted csf and now it is accessible.

It is the first time since 1998 working with systems that I have seen an issue like this.
alexf
Junior Member
Posts: 22
Joined: 27 May 2023, 15:49

Re: CSF doesn't stop

Post by alexf »

Don't confuse what CSF and LFD are doing with the firewall. CSF works hand in hand with "iptables". It is "iptables" that is the brick wall to either allow or deny IP traffic. You can stop CSF and the "iptables" rules are still in place and in effect.

In your 2nd post you mentioned in your steps that you "clean iptables"; that is what fixed your issue. The command to flush all iptables rules on CentOS is "iptables -F"; use it only when in dire straits.

Likely your source IP had triggered a block rule and was blocked going forward. If you trust the source IP, it should have been added to your "csf.allow" table, as those entries will never be blocked.
ajbird
Junior Member
Posts: 9
Joined: 16 Jul 2011, 17:26

Re: CSF doesn't stop

Post by ajbird »

There has to be a way to fix this from ssh that does not require a reboot.
ajbird
Junior Member
Posts: 9
Joined: 16 Jul 2011, 17:26

Re: CSF doesn't stop

Post by ajbird »

CSF Firewall, CSF Firewall service, remove CSF Firewall, clean iptables...


Tried that... no difference. Even after iptables -f the IPs still show as blocked in syslog.
alexf
Junior Member
Posts: 22
Joined: 27 May 2023, 15:49

Re: CSF doesn't stop

Post by alexf »

Please post the output of the command 'iptables -nvL'.
This will show ALL of what is in your iptables and/or ipset sets.
If you are using 'ipset' then you will also see something like this in your output.

Code:

 177K  150M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW src
Chain DENYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3720  221K LOGDROPIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY src

If you see 'match-set chain' in your iptables output, then these are references to an 'ipset' DB table.

Use this command to see ALL ipset sets (this can be a very long listing):

Code:

ipset list

Or use 'ipset list setname' to display a given set. Example:

Code:

ipset list chain_DENY

If you are still being blocked, then your issue IS NOT iptables or csf. Try looking at other software on your server such as cphulkd that creates its own blocking table (although it can be configured to also add entries to iptables).

Also, check whether you have the SSH port itself blocked to all traffic in iptables.
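One way to do the check alexf describes, as an added example that is not from this thread or from CSF's own tooling: a small POSIX shell helper that reads `iptables -nvL` output and lists the ipset sets referenced by dropping rules, so you know which sets to inspect with `ipset list`. The sample output it runs on is constructed for the example; it needs only awk and sort.

```shell
#!/bin/sh
# Added helper (not from the thread or from CSF): read `iptables -nvL` output and
# report the ipset sets that rules reference via match-set, so the sets worth
# inspecting with `ipset list <set>` / `ipset test <set> <ip>` stand out.

# Constructed sample in the shape of the output quoted above (not real data).
SAMPLE_NVL='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 177K  150M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW src
 3720  221K DENYIN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain DENYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
 3720  221K LOGDROPIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY src
   15  900K LOGDROPIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_6_DENY src'

# For every match-set rule on stdin print: chain target pkts setname.
# The "Chain X" header lines tell awk which chain the following rules belong to.
matchset_rules() {
  awk '
    /^Chain / { chain = $2; next }
    /match-set/ {
      for (i = 1; i <= NF; i++) if ($i == "match-set") set = $(i + 1)
      print chain, $3, $1, set
    }'
}

# Only the sets used by a dropping or rejecting target (DROP, REJECT, LOGDROP*):
# an entry for your IP in one of these is what keeps blocking it while the rule
# referencing the set is still loaded. One set name per line, deduplicated.
blocking_sets() {
  matchset_rules | awk '$2 ~ /^(DROP|REJECT|LOGDROP)/ { print $4 }' | LC_ALL=C sort -u
}

# Stand-alone demo on the constructed sample; on a live host replace the printf
# with `iptables -nvL` (as root) and check each set with `ipset test "$set" <ip>`.
printf '%s\n' "$SAMPLE_NVL" | blocking_sets
```

On the sample this prints chain_6_DENY and chain_DENY and leaves out chain_ALLOW, because only the LOGDROPIN rules reference the first two.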