How to configure a Firewall for WHM/cPanel

Description

Using a firewall with WHM/cPanel can be confusing and complicated as WHM doesn’t ship with a firewall by default.

The two mainstream Linux distributions, namely CentOS/Redhat and Ubuntu/Debian, also have differing recommended firewall technologies. What it boils down to you have “read the encyclopedia” to get basic stuff done. You can start reading that encyclopedia by starting here:

https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-configure-your-firewall-for-cpanel-services/

There are lots of little tidbits in there, for example, how to backup your existing rules to avoid things going haywire, and how this doesn’t co-exist with that etc.

To be honest, I’m not sure why anyone would give you a web hosting product without a proper firewall. Because of this trouble with WHM it’s an aspect of our business that can never be automated.

Hint: Install CPU monitors on all your WHM servers, because they will be attacked en mass.

Hint 2:

Good luck using ad-hoc rules with IPTables, most of the time the rules don’t work. Even this common one given in their documentation:

iptables -I INPUT -s 198.51.100.1 -j DROP

Hint 3:

Good luck getting tech support for more complex firewall issues. WHM tech support are well trained to bat you when you try and ask them more complicated questions or if firewall functionality doesn’t work. “We give the customer choice in firewall.” is a standard response to “sorry bro you’re on your own with this security problem.”.

Hint 4:

cPHulk doesn’t actually perform anything useful, e.g. it’s not a TCP/IP firewall. It simply checks HTTP attacks and often simply doesn’t work.

CSF & iptables & firewalld

The most popular firewall management utility for WHM appears to beCSF.

The firewall installed on your server will typically be either iptables or firewalld.

You cannot use both iptables and firewalld, and thus have to choose one or the other.

To determine if you’re using iptables or firewalld, issue the following commands:

service firewalld status

or

iptables -L

iptables is the original tried and tested technology, whereas firewalld seems to be somewhat simpler to understand.

Our recommendation is to install CSF on your WHM server to manage the firewall.

Here are instructions to install CSF taken from the cPanel documentation:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.sh

Important note for CentOS 7, CloudLinux 7, and RHEL 7 users

The cPanel documentation has the following note:

Important:

We recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.

Note the ambiguity with the word 'firewall' above making it very unclear as it could be referencing firewalld as well.

In our experience CSF will use iptables if it’s available on a CentOS 7 installation.

Please a comment below or contact us should you require assistance with your WHM and firewall setup.

References

How to Configure Your Firewall for cPanel Services
https://en.wikipedia.org/wiki/Iptables
https://www.unixmen.com/iptables-vs-firewalld/
https://forums.cpanel.net/threads/how-to-enable-firewall-in-whm.120205/
https://www.liquidweb.com/kb/how-to-manage-the-csf-firewall-in-whmcpanel/
https://computingforgeeks.com/configure-cpanel-firewalld-on-centos-7/
https://forums.cpanel.net/threads/firewalld-setup-questions.603739/

Share this article

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top