If your public-facing IP address has been blocked in the firewall, the firewall block will need to be removed before you will be able to access the server normally. If you do not have access to an unblocked host (such as a different server that is permitted SSH access to the server you are blocked on),1) you will need to open a Support Ticket for assistance.
In order to unblock your IP address, you will first need to know what IP address to be checking for. If you need us to check the firewall for you, we also will need to know your IP address. Here are examples of websites that will tell you your current public-facing IP address:
After you have connected as
root via SSH from the intermediary server, it is time to remove the firewall block. First, check whether your server has ConfigServerFirewall installed. Most of our servers do, but if you are not sure, you can check using
which. If you have
csf installed in your server, the results should look like this:
root@host [/]# which csf /usr/sbin/csf
If you have
csf, then you can use the
csf commandline options to unblock your IP, once you know whether it is a temporary or permanent block. That can be done with the
-g option. Remember to replace the IP address in the command with your current public-facing IP address5)
If the block is a temporary block, the results will look like this:
root@host [/]# csf -g 220.127.116.11 Chain num pkts bytes target prot opt in out source destination DENYIN 4 3640 218K DROP all -- !lo * 18.104.22.168 0.0.0.0/0 Temporary Blocks: IP:22.214.171.124 Port: Dir:in TTL:604800 (lfd - 123.456.789.123 (RO/Romania/host.blocked.com), more than 60 Apache 403 hits in the last 86400 secs)
The last line gives some information about the reason the IP was blocked, which can give you clues on which additional logs may need to be checked. But the block itself can be removed as follows:
root@host [/]# csf -tr 123.456.789.123 csf: 123.456.789.123 temporary block removed csf: There are no temporary IP allows
We can check for the IP again to make sure the block was removed:
root@host [/]# csf -g 123.456.789.123 Chain num pkts bytes target prot opt in out source destination No matches found for 123.456.789.123 in iptables
If we want to see more details on why the IP was blocked, we will need to check the server logs. In this case it was due to having made too many http requests that resulted in status "403: Forbidden"
Permanent blocks use a different command for removal. Here is an example of the search results for an IP that had a permanent block:
root@host [/]# csf -g 444.333.222.111 Chain num pkts bytes target prot opt in out source destination DENYIN 1 0 0 DROP all -- !lo * 444.333.222.111 0.0.0.0/0 DENYOUT 1 0 0 LOGDROPOUT all -- * !lo 0.0.0.0/0 444.333.222.111 csf.deny: 126.96.36.199 # lfd: (PERMBLOCK) 444.333.222.111 (SK/Slovakia/444.333.222.111.host.blocked.com) has had more than 1 temp blocks in the last 604800 secs - Thu Sep 1 15:35:27 2016
Note how the last line starts with
csf.deny instead of "Temporary Blocks". In this case if we want to remove the block, we use this command:
root@host [/]# csf -dr 444.333.222.111 Removing rule...
As before, we can check to make sure the removal worked:
root@host [/]# csf -g 444.333.222.111 Chain num pkts bytes target prot opt in out source destination No matches found for 444.333.222.111 in iptables
As before, if we want to see why the IP had been blocked, we would need to check the server logs. We can see in this case that a permanent block was assigned due to having too many temporary blocks against it, but in this case it happened so long ago that the relevant logs have all rotated, and we will not be able to find the original reason.
If your server is using the CSF/LFD firewall, but your IP address does not show any results when searching for blocks, then it is not an IP-block causing the connection issues. It may be worth checking if the needed ports are open, but it might also be that something other than the firewall is blocking you. If you want to rule out csf as the cause, you can temporarily disable it. However, we strongly recommend before trying this that instead you open a Support Ticket.
Do not leave CSF disabled for any longer than is needed. This is meant only as a troubleshooting measure, both temporary and brief.
If you want to temporarily disable the firewall, to check if that makes the difference between whether you are able to access the server, you can use this command:
# csf -x
It is important to re-enable the firewall again as quickly as possible. That can be done as follows:
# csf -e