I went and got myself blocked - help please!

qbacca

Member
May 2, 2002
6
0
301
I'm a CPanel newbie, so be nice...;)

I know that there is a command, /usr/sbin/killroute that adds an IP address to some sort of "ignore" list.

Well, somehow I have managed to get myself placed on that ignore list. I have broadband with a static IP, so I can't just renew my IP address.

Where is this "ignore" list, and how do I get my IP address off of it??? Currently I do not have any access to my own webserver :(

Thanks!
 

qbacca

no go

I just ran /scripts/unblockip, and I get:

What ip do you want to unblock? XX.XXX.XXX.XXX
SIOCDELRT: No such process

Any other ideas or suggestions?
 

feanor

Well-Known Member
Aug 13, 2001
835
0
316
what's in /etc/hosts.deny ?
Your IP?
 

qbacca

hosts.deny is empty

Other than a commented out message, hosts.deny is empty.

I really appreciate your taking the time to help me... any other suggestions?

Marc
 

feanor

How are you deeming yourself "blacklisted" or "blocked"?

Can you connect to any service at all, on your machine?
If not there is definitely something in the routing table on your server that is blocking you completely.
 

qbacca

No connections of any type

I cannot connect in any way shape or form - I have tried ping, tracert, http, ssh, pop, smtp... I always get host not found, or host not available. For tracert, the last hop that is shown is the router right before the server.

I don't think the router is the problem, as I can connect to other servers behind the same router.

If I go to anonymizer.com I can get in to the server via http... my dialup allows me to connect, my partner can connect, and the various tracert tools around the internet can all connect...

Thanks,
Marc
 

Mat

Well-Known Member
Sep 26, 2001
55
0
306
You might check ipchains...


ipchains -L

If you're listed in the input... You can flush it by:

ipchains -F input
 

jdatwood

Active Member
May 10, 2002
32
0
306
IP chains not the prob

That was tried 2 days ago. Not the prob unfortunately
 

jdatwood

DIR doesn't exist

I can't find
/var/portsentry

It's not listed....

I was able to find
/var/log/portsentry

If I find the IP in one of these logs, how can I unban the IP via portsentry?
 

jdatwood

It might be on your server, but it's not on ours. Here is a list of my /var DIR

root@draco [/var]# dir
./ autoinstall.tgz ftp/ lock/ nis/ run/ webmin/
../ cache/ kerberos/ log/ opt/ spool/ www/
arpwatch/ cpanel/ lib/ mail@ preserve/ tmp/
autoinstall/ db/ local/ named/ proftpd.pid tux/
root@draco [/var]#
 

qbacca

re: /var/portsentry

We definitely do not have a /var/portsentry directory:

root@draco [/]# cd /var/portsentry
bash: cd: /var/portsentry: No such file or directory

If it's supposed to be there, could that be the problem? Would an uninstall and reinstall of Cpanel help? (I'm a Windoze guy, so that's how my brain works ;-)


(jdatwood and I are together, btw)
 

Dotcoms

Active Member
Dec 17, 2001
25
0
301
Do the following:-

vi /etc/portsentry/portsentry.conf

Find the following lines:

# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="0"
BLOCK_TCP="0"

Make sure the values are "0" else if you ping your box you will be blocked.

Exit and save portsentry.conf

Do:-

/etc/rc.d/init.d/portsentry stop

route del -n xxx.xxx.xxx.xxx (Your IP address)

/etc/rc.d/init.d/portsentry start

Hope that helps

Steve
 

Drake

Well-Known Member
Nov 9, 2001
83
0
306
New Jersey
cPanel Access Level
DataCenter Provider
Please tell... What did you do to get yourself blocked?

...And... what service(s) are you blocked from?

Your IP could usually be being blocked from 2 different places:

/var/portsentry/portsentry.blocked.tcp (and or blocked.udp)

or /etc/hosts.deny

You should first locate those files and see if your IP # is in there.
If so, edit it and take your IP out of there.

Hey.. if you're totally blocked, how are you even gaining telnet or ssh access to the box to even check if you have those files?

If you can get in to shell access, you aren't blocked by your IP.

Another thought: Are you remotely accessing the box from a static IP or from a dial up? Dial ups are usually not static, therefore you get a new IP every time you dial it up.
 

qbacca

Problem solved - bug in cpanel?

Ok, here's the deal -

our server has 4 IP addresses, one in the 209.x.x.x block, and 3 from the 66.x.x.x block.

There was something about the default ipaliases script that caused (I don't know exactly what - my network guy figured this out) all traffic from 66.*.*.* to be ignored.

The fix was to SSH in and do

service network restart

This fixes the problem every time. So, every time we reboot the server, cpanel's ipaliases script runs, and kills traffic from 66.*.*.* - we do the service network restart, and I have access again.

Weird bug? Who knows - I'm just glad I have access again.

Marc
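
The places this thread looks for a blocked address (/etc/hosts.deny, the portsentry blocked files, and reject routes in the routing table) can be checked in one pass. The script below is an added example, not part of the original posts or of cPanel; the function names and the HOSTS_DENY, PORTSENTRY_DIR and ROUTE_CMD overrides are assumptions, and it only finds literal per-host entries, not a network-wide problem like the one that turned out to be the cause here.

```shell
#!/bin/sh
# Added example: report where one client IP is blocked, using the
# locations named in the thread. Override the paths to test on copies.
HOSTS_DENY=${HOSTS_DENY:-/etc/hosts.deny}
PORTSENTRY_DIR=${PORTSENTRY_DIR:-/var/portsentry}
ROUTE_CMD=${ROUTE_CMD:-route -n}   # command that prints the routing table

# True if file $2 has a non-comment line containing IP $1 as a whole
# token, so 10.1.2.3 does not match 10.1.2.30 or 110.1.2.3.
ip_in_file() {
    [ -r "$2" ] || return 1
    grep -v '^[[:space:]]*#' "$2" | grep -F -w -q -- "$1"
}

# Reads `route -n` style output on stdin; true if IP $1 is a destination
# whose Flags column contains "!" (a reject route).
ip_rejected_by_route() {
    awk -v ip="$1" '$1 == ip && $4 ~ /!/ { found = 1 } END { exit !found }'
}

# Prints the space-separated places where the IP is blocked, or "none".
find_blocks() {
    ip=$1
    hits=""
    if ip_in_file "$ip" "$HOSTS_DENY"; then
        hits="hosts.deny"
    fi
    for f in "$PORTSENTRY_DIR"/portsentry.blocked.*; do
        if ip_in_file "$ip" "$f"; then
            hits="${hits:+$hits }${f##*/}"
        fi
    done
    # ROUTE_CMD is left unquoted on purpose so "route -n" splits into words.
    if $ROUTE_CMD 2>/dev/null | ip_rejected_by_route "$ip"; then
        hits="${hits:+$hits }route-reject"
    fi
    echo "${hits:-none}"
}

# Run as a script: ./find_blocks.sh 10.1.2.3
if [ $# -gt 0 ]; then
    find_blocks "$1"
fi
```

A "route-reject" hit corresponds to the kind of entry that /scripts/unblockip and route del act on; a file hit means the entry has to be edited out of that file.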