Locked Yourself Out? Rescue your IP from CSF’s Temporary Blacklist
We have a few Red Hat Enterprise Linux servers, all of which run ConfigServer and Security (CSF), a Stateful Packet Inspection (SPI) firewall, login/intrusion detection and security application for Linux servers. Among other things, it looks for port scans, repeated login failures and other activity it considers ominous, and locks out the originating IP address by rewriting the iptables firewall rules.
For example, if you try to connect to the same server via http, https, ssh and svn within some short window of time, you are quite likely to incur its wrath. Developers at Industrial Logic often lock themselves out by getting blacklisted.
Generally when this happens, we ssh into one of our other servers, connect from there to the server that has blacklisted us, and execute the following command to see what is going on:
$ sudo /usr/sbin/csf -t
A/D | IP address | Port | Dir | Time To Live | Comment |
---|---|---|---|---|---|
DENY | 117.193.150.62 | * | in | 9m 58s | lfd - *Port Scan* detected from 117.193.150.62 (IN/India/-). 11 hits in the last 36 seconds |
As you can see, csf blacklisted my IP for port scanning.
If your IP is the only record, you can flush the whole temporary block list by executing:
$ sudo /usr/sbin/csf -tf
DROP all opt -- in !lo out * 117.193.150.62 -> 0.0.0.0/0
csf: 117.193.150.62 temporary block removed
csf: There are no temporary IP allows
Alternatively you can execute the following command to just remove a specific IP:
$ sudo /usr/sbin/csf -tr <IP address>
The easiest way to find your (external) IP address is to visit http://www.whatsmyip.org/
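As an added example (not from the original post), this shell helper reads `csf -t` output and prints `csf -tf` only when your address is the sole temporary DENY entry, and otherwise `csf -tr` for your address alone, so that other blocks lfd placed stay in effect. The function names and the sample listing with its documentation-range IPs are constructed; the parsing assumes entry lines begin with DENY or ALLOW followed by the IP, as in the listing above.

```shell
#!/bin/sh
# Added example: choose between `csf -tf` and `csf -tr` from `csf -t` output.
# Assumption: each entry line starts with DENY or ALLOW followed by the IP;
# any "|" column separators are treated as whitespace.

# Print the IP of every temporary DENY entry, one per line (reads stdin).
temp_denied_ips() {
    tr '|' ' ' | awk '$1 == "DENY" { print $2 }'
}

# Usage: sudo /usr/sbin/csf -t | unblock_command <my-ip>
# Prints the command to run; returns 1 and prints nothing if <my-ip>
# has no temporary DENY entry.
unblock_command() {
    my_ip=$1
    denied=$(temp_denied_ips)
    # Exact whole-line match, so 203.0.113.7 never matches 203.0.113.70.
    printf '%s\n' "$denied" | grep -Fxq -- "$my_ip" || return 1
    # Count distinct denied addresses other than ours.
    others=$(printf '%s\n' "$denied" | awk -v ip="$my_ip" '$0 != ip' | sort -u | wc -l)
    if [ "$others" -eq 0 ]; then
        echo "csf -tf"          # ours is the only record: flushing is safe
    else
        echo "csf -tr $my_ip"   # leave lfd's other temporary blocks in place
    fi
}

# Constructed sample in the layout of the listing above (documentation IPs).
SAMPLE='A/D | IP address | Port | Dir | Time To Live | Comment |
---|---|---|---|---|---|
DENY | 203.0.113.7 | * | in | 9m 58s | lfd - *Port Scan* detected from 203.0.113.7
DENY | 198.51.100.23 | 22 | in | 4m 10s | lfd - (sshd) Failed SSH login from 198.51.100.23'

printf '%s\n' "$SAMPLE" | unblock_command 203.0.113.7   # prints: csf -tr 203.0.113.7
```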
If you have a static IP, you can whitelist yourself with:
$ sudo /usr/sbin/csf -a <IP address>