CC_DENY blocked IP in /etc/csf/csf.ignore file
Posted: 11 Dec 2014, 17:11
I have explicitly allowed an IP in /etc/csf/csf.{allow,ignore}. I understand allowing in /etc/csf/csf.allow will allow the IP to reach all ports on the server, while /etc/csf/csf.ignore should prevent LFD from blocking the IP. Upon the client's request, due to a lot of attempted accesses on the server, we have Country Code blocking enabled, allowing only a few local countries and an exception or so for developers. I've noticed through a TeamViewer session with the client that they're being blocked due to a CC_DENY rule, the output of which I will post below. To allow access again I can disable the firewall with csf -x. Though shortly after the rules finish loading I'm blocked again and the Firewall entry appears in /var/log/messages.
Dec 11 16:01:10 aws kernel: Firewall: *CC_DENY* IN=eth0 OUT= MAC=12:85:0a:62:86:f7:12:88:53:bf:88:46:08:00 SRC=10.0.1.1 DST=10.0.1.151 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=3 CODE=4 [SRC=10.0.1.151 DST=[IP ADDRESS REMOVED] LEN=1504 TOS=0x00 PREC=0x00 TTL=64 ID=20750 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1500
Just further explanation of the /var/log/messages entry: this is a CPNatt'd server with AWS through a VPC, so the DST with the private address is routed correctly internally through cPanel.
I also have the following in /etc/csf/csf.conf
CC_ALLOW_FILTER = "US,IN,PH,CA,GB"
CC_ALLOW_PORTS = "US" # Just testing
CC_ALLOW = "US" # Just testing
CC_IGNORE = "US" # Just testing
I have verified that csf -r is run after changing values. I have just recently lost access to the system though, and am looking to regain it for further testing. Though I would say that because of the entry in /etc/csf/csf.ignore there should be no CC_DENY level blocking for the IP. Perhaps if this is not the case there should be an equivalent CC_IGNORE field to whitelist anything from a CC_DENY level block.
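The kernel log line quoted in the post is an iptables LOG entry for an ICMP error, and netfilter matches allow/deny rules against the outer header, not the packet quoted inside the brackets. As an added example (not code from the post or from csf), the following parser separates the outer header from the quoted inner packet so you can see which source address the CC_DENY rule actually acted on; the sample line is a constructed copy of the one above, and the whitelist set passed at the end is hypothetical.

```python
import re

# Constructed copy of the kernel log line quoted in the post (client address was already redacted there).
SAMPLE = ("Dec 11 16:01:10 aws kernel: Firewall: *CC_DENY* IN=eth0 OUT= "
          "MAC=12:85:0a:62:86:f7:12:88:53:bf:88:46:08:00 SRC=10.0.1.1 DST=10.0.1.151 "
          "LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=3 CODE=4 "
          "[SRC=10.0.1.151 DST=[IP ADDRESS REMOVED] LEN=1504 TOS=0x00 PREC=0x00 TTL=64 "
          "ID=20750 DF PROTO=TCP INCOMPLETE [8 bytes] ] MTU=1500")

PREFIX = re.compile(r"Firewall: \*(\w+)\* ")
# KEY=VALUE tokens; a bracketed value keeps the "[IP ADDRESS REMOVED]" placeholder whole.
KV = re.compile(r"(\w+)=(\[[^\]]*\]|\S*)")
# ICMP error messages carry the quoted header of the triggering packet in brackets.
INNER = re.compile(r"\[(SRC=.*)\]")

def parse_firewall_log(line):
    """Split a csf/iptables LOG line into rule name, outer header fields and quoted inner fields."""
    m = PREFIX.search(line)
    if not m:
        return None
    rest = line[m.end():]
    inner = None
    im = INNER.search(rest)
    if im:
        inner = dict(KV.findall(im.group(1)))
        rest = rest[:im.start()] + rest[im.end():]
    return {"rule": m.group(1), "outer": dict(KV.findall(rest)), "inner": inner}

def classify(entry):
    """Netfilter matches the OUTER header, so report that address as the one the rule acted on."""
    o, i = entry["outer"], entry["inner"]
    out = {"rule": entry["rule"], "matched_src": o.get("SRC"), "matched_dst": o.get("DST"),
           "proto": o.get("PROTO"), "icmp_error": False}
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3" and i:
        # Type 3 = Destination Unreachable; code 4 = Fragmentation Needed (next-hop MTU appended).
        out.update(icmp_error=True, code=int(o["CODE"]), mtu=int(o["MTU"]) if "MTU" in o else None,
                   quoted_src=i.get("SRC"), quoted_dst=i.get("DST"), quoted_proto=i.get("PROTO"))
    return out

def allowlist_gap(entry, allowed_sources):
    """Return the source the rule matched if no allow/ignore entry covers it, else None."""
    src = entry["outer"].get("SRC")
    return None if src in allowed_sources else src

if __name__ == "__main__":
    e = parse_firewall_log(SAMPLE)
    print(classify(e))
    # Hypothetical whitelist holding only the client's (redacted) address: the gateway is not covered.
    print("uncovered source:", allowlist_gap(e, {"[IP ADDRESS REMOVED]"}))
```

For the quoted line this reports the outer source 10.0.1.1 with an ICMP type 3 code 4 error quoting the server's own TCP packet to the redacted address, so an allow or ignore entry for the client address alone does not match what the rule dropped.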