ConfigServer Community Forum

Hello,

I have searched the forums and do not see this specific question.

I am running a new installation of CSF v6.39 on a Centos 5.1 server using WHM 11.4.31 web interface. This is a quad dual xeon server w/32GB ram.

I have CSF config'd for CC_ALLOW_FILTER=US

After 2 unsuccessful restarts, I disabled fast start and firewall status is shown to be running according to the banner at the top of the page, that says 'enabled and running'.

How can I prove out that it is correctly blocking or not allowing non-US IP's? The reason for my concern is I am still getting about 5 email alerts per day as follows:


Time: Fri Jan 3 15:50:11 2014 -0500
IP: 124.115.18.10 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block

Log entries:

Jan 3 15:50:10 hostname sshd[23652]: refused connect from 124.115.18.10 (124.115.18.10)
Jan 3 15:50:10 hostname sshd[23655]: refused connect from 124.115.18.10 (124.115.18.10)
Jan 3 15:50:10 hostname sshd[23658]: refused connect from 124.115.18.10 (124.115.18.10)
Jan 3 15:50:10 hostname sshd[23661]: refused connect from 124.115.18.10 (124.115.18.10)
Jan 3 15:50:10 hostname sshd[23664]: refused connect from 124.115.18.10 (124.115.18.10)


This leads me to believe the 'allow' is not working or loading properly. I could be completely wrong, but other than finding someone overseas to try to pull up my web page, is there a command I can run, or something I can look for in the iptables.

Thanks in advance,
Vlus

As an update to my own post, I ran view IP Table Rules from the CSF interface, and see about 13,358 lines of IP addresses starting with 3.0.0.0/10 and ends with 190.92.202.0/24.

Can I presume these are all the US addresses? Where in the iptables does it explicitly block all others, I'm having trouble understanding or seeing this (my fault i am a newb to iptables)

Finally, if the CC_ALLOW_FILTER = US is indeed working, why am I still getting the alerts as I pasted in my initial post, above.


Thank you very much, in advance, for any light shed :-)
Vlus

VLus,
using CC_ALLOW_FILTER is not blocking any other country, you are just telling the IPTABLES not to block any US IP but the other IPs will continue to access your server.

If you don't want to allow any other IPs from around the world, your approach should be something different, like blocking all the ports tcp/udp in/out and only grant access to US via CC_ALLOW_PORTS, I am not telling you to do this, this is just an example; you need to define what is what you want and apply this to the firewall.

Sergio

Ahhhh. It would seem I was misunderstanding CC_ALLOW_FILTER, thinking it was essentially blocking all, but allowing in my case US. It seems that is not the case.

Let me please ask this follow up. Rather than me blocking quite a few CC codes specifically, since I understand that would create immense IP tables, is there "any" way to say "block all except (in my case US)". Some folks may question this logic, but I have a local business and really only deal with a very fractional portion of the US and nothing outside the country.

Thanks in advance for your knowledgable answer!
Vlus