Whitelisting a Dynamic IP in CSF

The ConfigServer Firewall is one of the better options as far as firewalls go. But accidentally triggering blocks in CSF against your own location on your own server is really annoying.

OMG, is my server down? No, it’s not down, you just can’t access it. Ideally you should find whatever it is at your location that’s triggering blocks and then fix it (often outdated email logins set up on a client you’ve forgotten about). You can see exactly what triggered each block in lfd’s log file, /var/log/lfd.log. But what if Kevin left his workstation locked while he went on vacation and you had to change his email password, and now your location is getting blocked for incorrect email logins?

You could get a VPN with a static IP and whitelist that IP in the firewall. That’s useful in other contexts. For example, some networks block everything but standard web and email ports, so if you need to SSH into your server or access WHM/cPanel, that’s problematic. Personally, I run OpenVPN on a $5 Digital Ocean droplet on TCP port 995 (the default POP3 SSL port) so that solves that problem if I’m at a hospital or library or somewhere that’s aggressive about locking down ports. And then there are other reasons to use a VPN while you’re on public wifi, but that’s another matter.

But as far as keeping you from triggering blocks in the firewall when you’ve got a dynamic IP and you don’t want to fool with a VPN, there’s an easy enough alternative.

First, get a hostname for your dynamic IP.

If you have a domain name you can use, set that up at CloudFlare and configure a client at your location to keep the A record updated whenever your IP changes. Check this out for more information.

This script is what I personally use to keep the A record for my domain updated at CloudFlare.  I’ve got it set up as a cronjob running on my Ubuntu desktop at home.  What’s nice about using CloudFlare with a FQDN is that you can set up CNAME records for subdomains and they’ll automatically resolve to your location.

If you don’t have an available domain for this, a free service such as No-IP.com might work for you. There are other services out there, but that’s outside the scope of this article.

Now that you’ve got your hostname

Add it to /etc/csf/csf.dyndns, one FQDN per line:

root@miss [/etc/csf]# cat csf.dyndns
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following FQDN's will be allowed through the firewall. This is controlled
# by lfd which checks the DNS resolution of the FQDN and adds the ip address
# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP
# updates every DYNDNS seconds if set.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is
# installed, then all IPv6 AAAA IP address records will also be allowed.
#
# Only list fully qualified domain names (FQDN's) in this file, either on their
# own to allow full access, or using Advanced Allow/Deny Filters (see
# readme.txt)
#
myhostname.tld

Next, set the following two options in /etc/csf/csf.conf. Temporary blocks usually expire in 5 minutes, so if you set the interval to check for updates to every five minutes (300 seconds), then by the time a temporary block expires, your new IP should already be whitelisted.

# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "300"

# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = "1"

Now restart csf and lfd so the new settings are picked up:

csf -ra

After that you shouldn’t trigger blocks again (at worst a single temporary block while lfd catches up with a new IP), even if your IP changes.
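Here is an added example (my own script, not code from the original post or from ConfigServer) that applies the three changes above to a CSF install in one idempotent step: it lists the hostname in csf.dyndns only if it isn’t already there, rewrites or appends the DYNDNS and DYNDNS_IGNORE values with the straight double quotes csf.conf expects, and restarts csf and lfd. It assumes a stock /etc/csf layout (CSF_DIR is an assumption so you can point it at a copy of the directory first), a GNU sed for in-place editing, and the hostname passed as the first argument.

```shell
#!/bin/sh
# Added example, not code from the original post or from ConfigServer:
# apply the article's three settings to a CSF install idempotently.
# Assumption: CSF_DIR is the CSF config directory (default /etc/csf);
# point it at a copy of the directory to rehearse without touching the live firewall.
set -eu

CSF_DIR="${CSF_DIR:-/etc/csf}"

# Append the FQDN to csf.dyndns unless it is already listed (fixed-string,
# whole-line match, so re-running the script never produces duplicates).
csf_add_dyndns_host() {
    fqdn="$1"
    file="$CSF_DIR/csf.dyndns"
    if grep -qxF "$fqdn" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$fqdn" >> "$file"
}

# Set KEY = "VALUE" in csf.conf, replacing an existing assignment in place
# (CSF wraps every value in straight double quotes) or appending if missing.
csf_set_conf() {
    key="$1"
    value="$2"
    file="$CSF_DIR/csf.conf"
    if grep -q "^$key = " "$file"; then
        sed -i "s/^$key = .*/$key = \"$value\"/" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# Read a value back from csf.conf so the change can be verified.
csf_get_conf() {
    sed -n "s/^$1 = \"\(.*\)\"/\1/p" "$CSF_DIR/csf.conf"
}

# Everything the article asks for: list the host, poll DNS every 300 s
# (matching the usual 5-minute temporary block) and tell lfd to ignore those IPs.
csf_apply_dyndns() {
    csf_add_dyndns_host "$1"
    csf_set_conf DYNDNS 300
    csf_set_conf DYNDNS_IGNORE 1
}

# Stand-alone use: ./csf-dyndns.sh myhostname.tld
if [ -n "${1:-}" ]; then
    csf_apply_dyndns "$1"
    # What lfd will allow on its next poll is whatever the FQDN resolves to now.
    echo "$1 currently resolves to: $(getent hosts "$1" | awk '{print $1}' | tr '\n' ' ')"
    # Restart csf and lfd so the new settings take effect.
    if command -v csf >/dev/null 2>&1; then
        csf -ra
    else
        echo "csf not found in PATH; run 'csf -ra' on the server" >&2
    fi
fi
```

Run it once with your hostname as the argument; running it again is harmless. The resolved address it prints is the one lfd will add to the ALLOWDYNIN and ALLOWDYNOUT chains on its next poll, which you can confirm afterwards with csf -g followed by that IP.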
