Control Web Panel
WebPanel => CentOS-WebPanel Bugs => Topic started by: pixelpadre on January 24, 2020, 12:47:25 PM
-
I cannot update unless firewall is disabled. I have whitelisted my IP and that does not fix the problem. This has been a problem for a few years. What is the problem.
-
/usr/sbin/csf -f
-
crontab?
-
crontab?
Nothing to do with it, as is whitelisting your own IP.
-
Flusing didnt work either. Odd that killing csf will fix the problem.
-
Insufficient information for a proper analysis - perhaps an entry in CC_DENY.
Principal debugging method..
tail -f /var/log/messages
In another shell..
/scripts/update_cwp
switch back to messages.
-
ah what is the culprit country
-
thats me
Jan 24 14:43:30 server systemd: Started Session 11041 of user fsdfsf.
Jan 24 14:43:30 server systemd-logind: New session 11041 of user sdfffs.
Jan 24 14:43:33 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=f2:3c :91:46:0b:14:00:1b:54:c2:50:c1:08:00 SRC=198.108.67.45 DST=45.33.10.132 LEN=40 T OS=0x00 PREC=0x00 TTL=42 ID=34384 PROTO=TCP SPT=18673 DPT=2555 WINDOW=1024 RES=0 x00 SYN URGP=0
Jan 24 14:43:39 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=f2:3c:91:46:0b:14:00:1b:54:c2:50:c1:08:00 SRC=66.70.188.152 DST=45.33.10.132 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=55858 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 14:43:33 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=f2:3c :91:46:0b:14:00:1b:54:c2:50:c1:08:00 SRC=198.108.67.45 DST=45.33.10.132 LEN=40 T OS=0x00 PREC=0x00 TTL=42 ID=34384 PROTO=TCP SPT=18673 DPT=2555 WINDOW=1024 RES=0 x00 SYN URGP=0
Jan 24 14:43:39 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=f2:3c:91:46:0b:14:00:1b:54:c2:50:c1:08:00 SRC=66.70.188.152 DST=45.33.10.132 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=55858 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
-
is there an ip I can whitelist for update.?
-
CC_ALLOW_FILTER = "US,IR,IE,DE,ZA,CU,MX,GB,CA"
-
Can't see anything obvious there, with that short messages snippet. Port 2555 is undefined, so heck knows what worker-17.sfj.corp.censys.io is trying to achieve.
I NEVER use a CC_ALLOW_FILTER and highly advise against it. I do however use CC_DENY with a long list, along with ipset.
My typical use below but your target market(s) will be different:
CC_DENY = "RU,CN,TH,TW,IL,SG,AG,RO,SC,MX,BR"
I suggest you save your current csf profile, reset csf to the defaults, then load the high_protection profile, as a starting point.
csf -h
gives your the profile/reset options.
As is typical and crazily ridiculous /usr/local/cwpsrv/htdocs/resources/admin/include/cron.php (which runs during an update) is ioncube encoded, so I can't debug any further.
-
After I deleted the cc allow filter the upgrade worked. So, I need the CC that is used for update or preferably and IP address to whitelist.
I used cc allow filter because that is what csf recommends.
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
-
Well, I have been using CSF for over a decade and *nix for about three, so must know sod all. :-X
At least you're back working.
You only read what you want to see.. (my emphasis)
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use
IMHumbleO, same applies to CC_ALLOW_FILTER, unless you know precisely what you are doing and the implications. IMO, it ain't worth the hassle.
-
I still need an update IP address to whitelist. If the country is NL, I surely dont want to let everyone in NL to access my server.
-
You're welcome, BTW. ::)
I surely dont want to let everyone in NL to access my server.
..and that is what the firewall will do anyway. Too many port scans, for example, and they'll be blocked.
The obvious thing to do is add NL to CC_DENY and see if the update still works. If it doesn't then you'll need a plan B or C. (You'll get many more attacks from the countries that I deny, as well as USA!)
-
137.74.148.116
198.27.104.40
167.114.21.226
151.80.90.199
Support gave me these ip addys to whitelist but that did not work. CSF is still blocking.
-
137.74.148.116
198.27.104.40
167.114.21.226
151.80.90.199
Add these to csf whitelist.
To others, please do not take this as a recommendation - it is unnecessary and opens a "back-door".
-
So I see from a different thread that you already knew that CC does not work since Jan 1 2020. Did you not think that I should know that my CC is no longer working.
Thanks.....For nothing.
-
So I see from a different thread that you already knew that CC does not work since Jan 1 2020. Did you not think that I should know that my CC is no longer working.
Thanks.....For nothing.
Assuming that you are directing this at me..
CC does indeed work and in fact CSF has introduced two methodologies, if you'd care to RTFM. I have no affiliation with CWP nor CSF, so given the attitude, I think the free support from me to you will now cease. Spoon feeding is not an option.
Good luck.
-
You neglected, intentionally I presume, to mention that you were aware that csf now requires a maxmind license key, as you posted this fact in the csf section of this forum. Your advice would not work as long as we are operating without a license. You knew that a license key was required but did not mention that. No notice is given to anyone of the changes to CSF. Your "free support" is worthless.
-
137.74.148.116
198.27.104.40
167.114.21.226
151.80.90.199
Add these to csf whitelist.
To others, please do not take this as a recommendation - it is unnecessary and opens a "back-door".
If its good enough for CSF updating, its good enough for CWP updating.
FYI CWP support gave me the ip addresses. Would they do that if it was a bad idea?
-
FYI cc_allow_filter seems to have a bug. CSF claims its fixed in 14.01 but I disagree. If I comment out cc_allow_filter then updating the CWP is possible. There are some posts on the CSF forum but the developers seem to be occupied with other fires.