I am running CentOS 7 without cPanel. This night csf/lfd automatically upgraded from v9.11 to 9.13...
and restarted. OK, I did not see any problem at first, BUT a few hours later I discovered
that my site could only be accessed with IP v6, and not with IP v4, which is used by the majority of users.
This is the first time I got a problem after a csf/lfd update (automatic or manual mode).
So I manually restarted csf/lfd and strangely IP v4 works now (together with IP v6). Temporarily I disabled the autoupdate function (set AUTO_UPDATES = "0").
Looking at the csf update report, I found at the end an error message (*ERROR* line:[2524]), could it be the cause of the problem?
Note: I am really fortunate since I have both IP v4 and IP v6 access, otherwise if I only had IP v4, with the csf/lfd autoupdate this night and the problem,
then I would be stuck since there is no SSH access available (IP v4) to temporarily disable csf/lfd :-(. From this experience, I think the safer way for me to update csf from now on is:
- disable autoupdate
- check the changelog of new version
- set TESTING=1 in csf.conf
- manually upgrade to new version
- carefully check for any error message (usually in bold text) during csf/lfd upgrade
- test if everything still works after upgrade
- restart csf/lfd once and check if everything still works
- if all are OK, then set TESTING=0 in csf.conf
- restart csf/lfd and re-check everything again
...
LOGDROPIN all opt in !lo out * ::/0 -> ::/0
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0
LOCALINPUT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*ERROR* line:[2524]
Command:[/sbin/iptables -v -A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT]
Error:[Another app is currently holding the xtables lock. Perhaps you want to use the -w option?]
You should check through the main output carefully
*WARNING* RESTRICT_SYSLOG is disabled. See SECURITY WARNING in /etc/csf/csf.conf.
● lfd.service - ConfigServer Firewall & Security - lfd
Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2016-08-31 05:10:04 CEST; 4ms ago
Process: 2357 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
Main PID: 2360 (lfd - starting)
CGroup: /system.slice/lfd.service
└─2360 lfd - startin
...All done.
Changelog: https://download.configserver.com/csf/changelog.txt
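Added example, not part of the original post and not ConfigServer's code: a script for the "carefully check for any error message" step, which pulls each *ERROR* block out of saved csf upgrade output and prints a read-only `iptables -w -C` command to confirm whether the failed rule is loaded. The function names are hypothetical, and the three-line block layout is assumed from the output quoted in the post.

```shell
#!/bin/sh
# Added example (not csf code). Assumes the three-line *ERROR* block layout
# seen in the output above: "*ERROR* line:[N]", "Command:[...]", "Error:[...]".

# Constructed sample: lines copied from the upgrade output in the post.
sample_output() {
cat <<'EOF'
LOCALINPUT all opt in !lo out * ::/0 -> ::/0
*ERROR* line:[2524]
Command:[/sbin/iptables -v -A INPUT ! -i lo -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT]
Error:[Another app is currently holding the xtables lock. Perhaps you want to use the -w option?]
You should check through the main output carefully
EOF
}

# Reads csf output on stdin; prints one "line|command|error" record per block.
csf_errors() {
    awk '
        { sub(/[ \t\r]+$/, "") }   # tolerate trailing whitespace / CR
        /^\*ERROR\* line:\[/ { n = $0; sub(/^.*line:\[/, "", n); sub(/\].*$/, "", n); cmd = ""; inblk = 1; next }
        inblk && /^Command:\[/ { cmd = $0; sub(/^Command:\[/, "", cmd); sub(/\]$/, "", cmd); next }
        inblk && /^Error:\[/ { err = $0; sub(/^Error:\[/, "", err); sub(/\]$/, "", err); print n "|" cmd "|" err; inblk = 0 }
    '
}

# Turns a failed "iptables -v -A CHAIN ..." append into a read-only check:
# -w waits for the xtables lock, -C tests whether the rule is present.
recheck_cmd() {
    printf '%s\n' "$1" | sed -e 's/ -v / /' -e 's/ -A / -w -C /'
}

# Prints a summary; returns 1 if any rule failed, so it can gate "TESTING=0".
csf_report() {
    records=$(csf_errors)
    [ -z "$records" ] && { echo "no *ERROR* blocks found"; return 0; }
    printf '%s\n' "$records" | while IFS='|' read -r line cmd err; do
        echo "line $line failed: $err"
        case $err in
            *"xtables lock"*) echo "  cause: xtables lock contention; this rule was not loaded" ;;
        esac
        echo "  verify as root: $(recheck_cmd "$cmd")"
    done
    return 1
}

sample_output | csf_report || true
```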