Config Server Firewall locking me out of the server

firewall

#1

I have tried to install QuickBox on a freshly installed Ubuntu Server 16.04 running on VMware for testing purposes.
If I select “yes” to install “Config Server Firewall”, then after the installation is done and the server is rebooted I lose all access to the server, even on the local network. SSH to port 4747 won’t work, and port 443 gives me timeout errors in the browser. If I say “no” to “Config Server Firewall” during install, I can access everything normally.


#2

Did you install the script in the VM window, or did you create an SSH server and then use PuTTY or equivalent software to install the script?
Was SSH working before the script was installed?

Also, the firewall should not block SSH.
The firewall is only meant to block public torrent sites that are listed in
this file block list.

BTW, using the public IP will not work unless you log in from another address and also set up the server as DMZ in your router and/or set up the proper port forwards.

So the only IP that would work is the local one. I use VirtualBox, just a preference, but it allows you to bridge with your NIC, making it a lot easier to log in remotely.


#3

I installed the script via SSH using the terminal in OS X El Capitan.
If during install I say no to CSF it works fine. I install, reboot and use port 4747 instead of 22. ruTorrent also works fine with HTTPS if I don’t install CSF.
If I say yes to CSF, it times out every time I try to SSH or to log in to the panel via the browser.

EDIT 1: I am trying to connect to the internal IP via the local network, and the virtual network card is configured to bridge, so the VM has its own IP address.

EDIT 2: I logged in directly on the VM and ran the command “sudo csf -x”, then tried connecting via SSH and it worked fine. The dashboard worked too. Then I disconnected, went back and ran “sudo csf -e”, and both SSH and the dashboard time out.


#4

Hey @potter,

As a quick review, can you look into the file /etc/csf/csf.allow? Check to see if your home IP was added. By default it should allow the IP you are installing from. The block does not happen dynamically unless the setting is enabled for flooding. Not quite sure how this would be triggered on the initial connect to your server.

Hopefully, we will have a hint as to why this would happen in that file.


#5

I checked and my home IP wasn’t listed there, neither the internal nor the external one. Only the Cloudflare whitelisted IPs were there. I added mine to the list and I could access normally. Thanks for the tip.
I am going to install the script on an OVH server. CSF will only allow connections from whitelisted IPs, right? What if my home IP address changes? I don’t have a static IP, but my ISP usually changes it only once or twice per year.
Also, do you recommend adding those Cloudflare whitelisted IPs during install or not? What’s the point in adding them?


#6

Those only need to be whitelisted by anyone who is using Cloudflare as a free DNS provider for their seedbox. This is not needed if you are just accessing your seedbox via IP and/or are not even using Cloudflare.

The allow list is only for permitting access via SSH or any of the ports listed in the csf.conf file. However, there shouldn’t be access-level blocks like what you have encountered. I would say to also check the /etc/csf/csf.deny list for your home IP. I am not sure what would trigger this, however, as there are no official rules in csf.conf for blocking… unless you failed to authenticate via SSH more than 5 times.
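The two checks suggested in this thread (is the home IP in /etc/csf/csf.allow, and did it land in /etc/csf/csf.deny after failed SSH logins) can be scripted so you see at a glance which entry covers an address, including CIDR ranges such as the Cloudflare ones and the `tcp|in|d=port|s=addr` advanced syntax. The script below is an added example, not code from the thread or from the QuickBox or CSF projects. It builds constructed sample csf.allow and csf.deny files in a temporary directory so it runs offline; on a real host set `CSF_DIR=/etc/csf` (the default CSF location, assumed here) and skip `mk_sample_lists`. It handles IPv4 only.

```shell
#!/bin/sh
# Audit CSF allow/deny lists for a given IPv4 address (added example).
# Constructed sample files live in a temp dir; set CSF_DIR=/etc/csf on a real host.
set -eu

CSF_DIR="${CSF_DIR:-$(mktemp -d)}"

# Build constructed sample lists (not the thread author's real files).
mk_sample_lists() {
    cat > "$CSF_DIR/csf.allow" <<'EOF'
# csf.allow sample (constructed)
103.21.244.0/22               # a Cloudflare range, as an installer might whitelist it
tcp|in|d=4747|s=203.0.113.10  # advanced syntax: allow 203.0.113.10 to the SSH port only
EOF
    cat > "$CSF_DIR/csf.deny" <<'EOF'
# csf.deny sample (constructed): what lfd writes after repeated SSH auth failures
198.51.100.7 # lfd: (sshd) Failed SSH login from 198.51.100.7: 5 in the last 3600 secs
EOF
}

# ip_to_int 192.0.2.1 -> the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY -> exit 0 if IP falls inside ENTRY (a bare IP counts as /32)
in_cidr() {
    case "$2" in
        *[!0-9./]*|'') return 1 ;;   # skip IPv6 or malformed entries (IPv4 only here)
    esac
    net="${2%/*}"
    case "$2" in
        */*) bits="${2#*/}" ;;
        *)   bits=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    ipint=$(ip_to_int "$1")
    netint=$(ip_to_int "$net")
    [ $(( ipint & mask )) -eq $(( netint & mask )) ]
}

# entry_matches ENTRY IP -> does one csf.allow/csf.deny entry cover IP?
entry_matches() {
    case "$1" in
        *\|*)
            # advanced syntax tcp|in|d=port|s=addr: only the s= field names a source;
            # a rule without s= is port-wide, not tied to this address, so it is skipped
            src=$(printf '%s\n' "$1" | tr '|' '\n' | sed -n 's/^s=//p')
            [ -n "$src" ] && in_cidr "$2" "$src"
            ;;
        *)
            in_cidr "$2" "$1"
            ;;
    esac
}

# ip_listed FILE IP -> prints every matching entry; exit 0 if at least one matched
ip_listed() {
    file=$1; found=1
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                          # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')  # and surrounding whitespace
        [ -z "$entry" ] && continue
        if entry_matches "$entry" "$2"; then
            printf '%s: %s\n' "$file" "$entry"
            found=0
        fi
    done < "$file"
    return $found
}

# ip_state IP -> one of: allow, deny, both, none
ip_state() {
    a=no; d=no
    ip_listed "$CSF_DIR/csf.allow" "$1" >/dev/null && a=yes
    ip_listed "$CSF_DIR/csf.deny" "$1" >/dev/null && d=yes
    if [ $a = yes ] && [ $d = yes ]; then echo both
    elif [ $a = yes ]; then echo allow
    elif [ $d = yes ]; then echo deny
    else echo none
    fi
}

# Stand-alone usage: build the sample lists and audit a few constructed addresses.
mk_sample_lists
for addr in 203.0.113.10 103.21.245.9 198.51.100.7 192.168.1.20; do
    echo "$addr -> $(ip_state "$addr")"
done
```

The `none` result is the situation from post #5: the installing address never made it into csf.allow, so once CSF is enabled nothing admits it on port 4747 or 443. A `deny` hit with an lfd comment like the sample line points at the failed-login trigger mentioned above rather than at the install itself.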