
I cannot access my server - I think my IP got blocked by the firewall


If your public-facing IP address has been blocked in the firewall, the firewall block will need to be removed before you will be able to access the server normally. If you do not have access to an unblocked host (such as a different server that is permitted SSH access to the server you are blocked on),1) you will need to open a Support Ticket for assistance.

In order to unblock your IP address, you will first need to know which IP address to check for. If you need us to check the firewall for you, we will also need to know your IP address. Here are examples of websites that will tell you your current public-facing IP address:

After you have connected as root via SSH from the intermediary server, it is time to remove the firewall block. First, check whether your server has ConfigServerFirewall installed. Most of our servers do, but if you are not sure, you can check using the which command. If you have csf installed on your server, the results should look like this:

  root@host [/]# which csf

Checking via CSF

If you have csf, you can use its command-line options to unblock your IP once you know whether the block is temporary or permanent. To find out, search the firewall for the IP address with the -g option. Remember to replace the IP address in the command with your current public-facing IP address.5)

Temporary Blocks

If the block is a temporary block, the results will look like this:

  root@host [/]# csf -g

  Chain            num   pkts bytes target     prot opt in     out     source               destination         

  DENYIN           4     3640  218K DROP       all  --  !lo    *

  Temporary Blocks: IP: Port: Dir:in TTL:604800 (lfd - 123.456.789.123 (RO/Romania/, more than 60 Apache 403 hits in the last 86400 secs)

The last line gives some information about the reason the IP was blocked, which can give you clues on which additional logs may need to be checked. But the block itself can be removed as follows:

  root@host [/]# csf -tr 123.456.789.123
  csf: 123.456.789.123 temporary block removed
  csf: There are no temporary IP allows

We can check for the IP again to make sure the block was removed:

  root@host [/]# csf -g 123.456.789.123

  Chain            num   pkts bytes target     prot opt in     out     source               destination         
  No matches found for 123.456.789.123 in iptables

If we want to see more details on why the IP was blocked, we will need to check the server logs. In this case it was due to having made too many HTTP requests that resulted in status "403: Forbidden".

Permanent Blocks

Permanent blocks use a different command for removal. Here is an example of the search results for an IP that had a permanent block:

  root@host [/]# csf -g 444.333.222.111

  Chain            num   pkts bytes target     prot opt in     out     source               destination         

  DENYIN           1        0     0 DROP       all  --  !lo    *       444.333.222.111

  DENYOUT          1        0     0 LOGDROPOUT  all  --  *      !lo            444.333.222.111

  csf.deny: # lfd: (PERMBLOCK) 444.333.222.111 (SK/Slovakia/ has had more than 1 temp blocks in the last 604800 secs - Thu Sep  1 15:35:27 2016

Note how the last line starts with csf.deny instead of "Temporary Blocks". In this case, if we want to remove the block, we use this command:

  root@host [/]# csf -dr 444.333.222.111
  Removing rule...

As before, we can check to make sure the removal worked:

  root@host [/]# csf -g 444.333.222.111

  Chain            num   pkts bytes target     prot opt in     out     source               destination         
  No matches found for 444.333.222.111 in iptables

As before, if we want to see why the IP had been blocked, we would need to check the server logs. We can see in this case that a permanent block was assigned due to having too many temporary blocks against it, but in this case it happened so long ago that the relevant logs have all rotated, and we will not be able to find the original reason.
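The temporary-versus-permanent decision described above can be scripted. This is an added example, not part of the original page or of csf itself: the function names and the sample output are constructed for illustration, and the script only prints the removal command rather than running it.

```shell
#!/bin/sh
# Added example: pick the csf removal command from `csf -g <ip>` output.
# It only prints the command; nothing is executed against the firewall.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so that
# nothing else is ever interpolated into a command run as root.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# unblock_commands IP: read `csf -g IP` output on stdin and print the removal
# command for each kind of block found (no output means no IP block).
unblock_commands() (
    ip="$1"
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; exit 2; }
    temp=0 perm=0
    while read -r line; do          # read strips the leading indentation
        case "$line" in
            "Temporary Blocks:"*"$ip"*) temp=1 ;;   # lfd temporary block
            "csf.deny:"*"$ip"*)         perm=1 ;;   # entry in csf.deny
        esac
    done
    if [ "$temp" -eq 1 ]; then echo "csf -tr $ip"; fi
    if [ "$perm" -eq 1 ]; then echo "csf -dr $ip"; fi
)

# Constructed sample output in the page's format (RFC 5737 test addresses).
SAMPLE_TEMP='DENYIN  4  3640  218K DROP  all  --  !lo  *  203.0.113.10  0.0.0.0/0
Temporary Blocks: IP:203.0.113.10 Port: Dir:in TTL:604800 (lfd - 203.0.113.10 (more than 60 Apache 403 hits in the last 86400 secs))'
SAMPLE_PERM='DENYIN  1  0  0 DROP  all  --  !lo  *  198.51.100.7  0.0.0.0/0
csf.deny: 198.51.100.7 # lfd: (PERMBLOCK) 198.51.100.7 has had more than 1 temp blocks in the last 604800 secs'
SAMPLE_NONE='No matches found for 192.0.2.55 in iptables'

# On a server: csf -g "$ip" | unblock_commands "$ip"
printf '%s\n' "$SAMPLE_TEMP" | unblock_commands 203.0.113.10
```

The placeholder addresses used in this page's examples (such as 123.456.789.123) are not valid IPv4 addresses, so the script rejects them by design.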


If your server is using the CSF/LFD firewall, but your IP address does not show any results when searching for blocks, then it is not an IP block causing the connection issues. It may be worth checking if the needed ports are open, but it might also be that something other than the firewall is blocking you. If you want to rule out csf as the cause, you can temporarily disable it. However, we strongly recommend that you open a Support Ticket instead of trying this.

Do not leave CSF disabled for any longer than is needed. This is meant only as a troubleshooting measure, both temporary and brief.

If you want to temporarily disable the firewall, to check whether that makes a difference to your ability to access the server, you can use this command:

  # csf -x

It is important to re-enable the firewall again as quickly as possible. That can be done as follows:

  # csf -e

1) or if you prefer we check the firewall for you
5) or the IP address of whoever you are checking for, if it is not you that is blocked

control-panels/misc/i-cannot-access-sites-or-server-looks-like-my-ip-address-got-blocked-on-server-what-can-be-done.txt · Last modified: 2020/06/15 09:35 by Karson N.