CSF blocking custom SSH port

Hello.
I've installed Direct Admin and it comes with CSF. I've configured a custom port number in sshd_config file and CSF blocks the connection.

I don't want to whitelist my current IP because it's dynamic.

What's the best configuration for this?

Comments

  • Abdullah (Hosting Provider, OG)
    edited October 2020

    tcp|in|d=custom_port|s=IP_Address
    opens the custom port for your IP only
    If the IP is dynamic, maybe you can use your ISP's IP range in IP_Address

    Edit: just realized you don't want to whitelist current IP.

  • MichaelCee (OG, Services Provider)

    Reinstall CSF for the new SSH port to be included, or just manually whitelist it.

  • edited October 2020

    There is never any issue with CSF ssh custom port - just add the port to the list of other ports. Then csf -r. Change sshd_config and systemctl restart sshd.
    As for dynamic IP: set up a free dyndns account (there are a few) and add your new FQDN to csf.ignore. Change the relevant dyndns entries in csf.conf - never get locked out by accident.
    Done.
    (The paranoid amongst us connect via a VPN, with a fixed IP, circumventing the dynamic IP issue.)

    Thanked by (2)skorous imok

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • edited October 2020

    /etc/csf/csf.conf - or use the GUI

    TCP_IN = add custom port to the end
    DYNDNS = 600
    DYNDNS_IGNORE = On

    Correction: add your new FQDN to csf.dyndns, not csf.ignore.

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)
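
A pre-flight check for the procedure described in the two replies above (add the port to TCP_IN, csf -r, then restart sshd), as an added example that is not part of the thread: it reports any sshd port that is missing from TCP_IN before sshd is restarted. The function names and the sample files are constructed for illustration; it assumes the `TCP_IN = "..."` form of csf.conf and does not look at ports given through ListenAddress.

```shell
#!/bin/sh
# Pre-flight check: is every port sshd will listen on present in CSF's TCP_IN?

# Print each Port value from an sshd_config-style file (22 if none is set).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Print the comma-separated TCP_IN value from a csf.conf-style file.
csf_tcp_in() {
    sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Succeed if port $1 is in list $2 (entries are single ports or low:high ranges).
port_allowed() {
    awk -v port="$1" -v list="$2" 'BEGIN {
        n = split(list, e, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", e[i])
            if (split(e[i], r, ":") == 2) {
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) exit 0
            } else if (e[i] == port) exit 0
        }
        exit 1
    }'
}

# Print sshd ports missing from TCP_IN; succeed only when none are missing.
missing_ssh_ports() {
    _allowed=$(csf_tcp_in "$2")
    _rc=0
    for _p in $(sshd_ports "$1"); do
        port_allowed "$_p" "$_allowed" || { echo "$_p"; _rc=1; }
    done
    return "$_rc"
}

# Constructed sample files (not from the thread): sshd moved to port 2222,
# while TCP_IN still lists only 22 and other unrelated ports.
demo=$(mktemp -d)
printf '#Port 22\nPort 2222\n' > "$demo/sshd_config"
printf 'TCP_IN = "20,21,22,25,53,80,443,35000:35999"\n' > "$demo/csf.conf"
if missing=$(missing_ssh_ports "$demo/sshd_config" "$demo/csf.conf"); then
    echo "OK: all sshd ports are in TCP_IN"
else
    echo "Add to TCP_IN and run csf -r before restarting sshd: $missing"
fi
rm -rf "$demo"
```

On a real server the two arguments would be the live sshd_config and /etc/csf/csf.conf.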

  • MichaelCee (OG, Services Provider)

    Can I know, did you change SSH port before or after installing DirectAdmin?

  • I changed mine before and then just added it to the list of inbound ports in the CSF config page in DA.

  • To be on the safe side, I (almost) always change port AFTER installing a control panel. I think it was HestiaCP that reverted the port during install, the 1st time I installed it. :-o

    Thanked by (1)imok

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • @imok said:
    Hello.
    I've installed Direct Admin and it comes with CSF. I've configured a custom port number in sshd_config file and CSF blocks the connection.

    I don't want to whitelist my current IP because it's dynamic.

    What's the best configuration for this?

    Do what Alibaba would have done.

    Open the port.

    Thanked by (1)imok
  • Thank you, added to TCP_IN and everything OK. Blocking failed attempts still works fortunately.

    I was in doubt because with cPanel I didn't configure it in CSF.

    @SmallWeb said: Can I know, did you change SSH port before or after installing DirectAdmin?

    @AlwaysSkint said: To be on the safe side, I (almost) always change port AFTER installing a control panel.

    I did it before installing. That may be the difference.

  • edited October 2020

    @imok said: I was in doubt because with cPanel I didn't configure it in CSF.

    With cPanel, CSF is normally installed afterwards, whereby it scans for current open ports and adds the appropriate ssh one to TCP_IN. That's the default action of CSF, during its installation. Perhaps with panels that integrate CSF during installation, there are 'tweaks' done to sshd_config after the CSF install part (not good).

    Thanked by (1)imok

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • MichaelCee (OG, Services Provider)

    Tbh, don't recall having the same issue with DA/CSF but I uninstall and reinstall CSF by default.

  • edited October 2020

    @SmallWeb said: .. but I uninstall and reinstall CSF by default

    .. which would circumvent any issue. ;) Assuming you haven't rebooted and tried to ssh in to the server i.e. used the GUI to reinstall.

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • MichaelCee (OG, Services Provider)
    edited October 2020

    @AlwaysSkint said:

    @SmallWeb said: .. but I uninstall and reinstall CSF by default

    .. which would circumvent any issue. ;) Assuming you haven't rebooted and tried to ssh in to the server i.e. used the GUI to reinstall.

    Nah, I mean I check SSH login access and common ports but just uninstall/reinstall CSF in case I miss anything not so obvious.

    Had plenty of my own fuck ups so I'm usually in VNC ready to revert.

    Thanked by (1)AlwaysSkint
  • @SmallWeb said:

    @AlwaysSkint said:

    @SmallWeb said: .. but I uninstall and reinstall CSF by default

    .. which would circumvent any issue. ;) Assuming you haven't rebooted and tried to ssh in to the server i.e. used the GUI to reinstall.

    Nah, I mean I check SSH login access and common ports but just uninstall/reinstall CSF in case I miss anything not so obvious.

    Had plenty of my own fuck ups so I'm usually in VNC ready to revert.

    I have my own default set of CSF configs, that gets auto downloaded on every new install. Makes life easier :)

    Thanked by (2)MichaelCee AlwaysSkint
  • MichaelCee (OG, Services Provider)

    @seriesn said:

    @SmallWeb said:

    @AlwaysSkint said:

    @SmallWeb said: .. but I uninstall and reinstall CSF by default

    .. which would circumvent any issue. ;) Assuming you haven't rebooted and tried to ssh in to the server i.e. used the GUI to reinstall.

    Nah, I mean I check SSH login access and common ports but just uninstall/reinstall CSF in case I miss anything not so obvious.

    Had plenty of my own fuck ups so I'm usually in VNC ready to revert.

    I have my own default set of CSF configs, that gets auto downloaded on every new install. Makes life easier :)

    Another thing for my to-do list! :smiley:

    Thanked by (1)AlwaysSkint
  • @seriesn said:

    @SmallWeb said:

    @AlwaysSkint said:

    @SmallWeb said: .. but I uninstall and reinstall CSF by default

    .. which would circumvent any issue. ;) Assuming you haven't rebooted and tried to ssh in to the server i.e. used the GUI to reinstall.

    Nah, I mean I check SSH login access and common ports but just uninstall/reinstall CSF in case I miss anything not so obvious.

    Had plenty of my own fuck ups so I'm usually in VNC ready to revert.

    I have my own default set of CSF configs, that gets auto downloaded on every new install. Makes life easier :)

    Nice.

    Where can I download the instructions?

    /joke

    Thanked by (1)AlwaysSkint