Table of Contents
Description
Using a firewall with WHM/cPanel can be confusing and complicated as WHM doesn’t ship with a firewall by default.
The two mainstream Linux distributions, namely CentOS/Redhat and Ubuntu/Debian, also have differing and possibly competing recommended firewall technologies. What it boils down to you have “read the encyclopedia” to get basic stuff done.
Let it not be mistaken, cPanel doesn’t have fail2ban.
You can start reading that encyclopedia by starting here:
There are lots of little tidbits in there, for example, how to backup your existing rules to avoid things going haywire, and how this doesn’t co-exist with that etc.
To be honest, I’m not sure why anyone would give you a web hosting product without a proper firewall. Because of this trouble with WHM it’s an aspect of our business that can never be automated.
Hint: Install CPU monitors on all your WHM servers, because they will be attacked en mass.
Hint 2:
Good luck using ad-hoc rules with IPTables, most of the time the rules don’t work. Even this common one given in their documentation (but see below):
iptables -I INPUT -s 198.51.100.1 -j DROP
Hint 3:
Good luck getting tech support for more complex firewall issues. WHM tech support are well trained to bat you when you try and ask them more complicated questions or if firewall functionality doesn’t work. “We give the customer choice in firewall.” is a standard response to “sorry bro you’re on your own with this security problem.”.
Hint 4:
cPHulk doesn’t actually perform anything useful, e.g. it’s not a TCP/IP firewall. It simply checks HTTP attacks and often simply doesn’t work.
IPTables versus NFTables
Now with all the negativity out of the way, let’s move on a bit and do quick fixing with iptables. Yes, in spite of iptables not working properly in 2019 as above, it’s now working. So you can do this:
iptables -A INPUT -s 1.2.3.4 -j DROP
To reverse, you can do this:
iptables -D INPUT -s 1.2.3.4 -j DROP
But when you read the version 126 manual, you’ll find this gem in the manual:
AlmaLinux, Rocky Linux, and CloudLinux firewall management
Before reading how NFT works, read about NFT fail:
nft fail
# nft add rule filter INPUT ip saddr 202.88.64.59 drop Error: Could not process rule: No such file or directory add rule filter INPUT ip saddr 202.88.64.59 drop ^^^^^
What’s going on? Well it appears NFT only starts working when iptables is invoked:
iptables -A INPUT -s 1.2.3.4 -j DROP
Now suddenly nft starts working. Next, you can do the command below and start crying:
nft list ruleset
According to the manual, use the nftables framework instead of the iptables utility or legacy services in those operating systems. You can configure nftables with the nft command line tool. You will find the nftables ruleset for your server in the /etc/sysconfig/nftables.conf file.
For example, to block traffic for a single IPv4 address, run the following command, where 198.51.100.1 is the IPv4 address that you wish to block:
nft add rule filter INPUT ip saddr 198.51.100.1 drop
nft -a list chain filter INPUT
Then to delete the rule:
nft delete rule filter INPUT handle 25
Ubuntu firewall management
See the manual.
cPanel recommend that servers that run the Ubuntu operating systems use the iptables utility instead of the ufw utility that Ubuntu installs by default. The iptables utility offers more customization settings for your packet-filtering rules.
CSF & iptables & firewalld
The most popular firewall management utility for WHM appears to beCSF.
The firewall installed on your server will typically be either iptables or firewalld.
You cannot use both iptables and firewalld, and thus have to choose one or the other.
To determine if you’re using iptables or firewalld, issue the following commands:
service firewalld status
or
iptables -L
iptables is the original tried and tested technology, whereas firewalld seems to be somewhat simpler to understand.
Our recommendation is to install CSF on your WHM server to manage the firewall.
Here are instructions to install CSF taken from the cPanel documentation:
cd /usr/src rm -fv csf.tgz wget https://download.configserver.com/csf.tgz tar -xzf csf.tgz cd csf && ./install.sh
Important note for CentOS 7, CloudLinux 7, and RHEL 7 users
The cPanel documentation has the following note:
Important:
We recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.
Note the ambiguity with the word 'firewall' above making it very unclear as it could be referencing firewalld as well.
In our experience CSF will use iptables if it’s available on a CentOS 7 installation.
Please a comment below or contact us should you require assistance with your WHM and firewall setup.
Block Port 25 Spammers
Step 1:
netstat -plan| grep :25 |awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -n | tail -30
Pick the last one that might have 20 connections
Step 2:
Use iptables to do the first block
Step 3:
Use nft to obtain the list of blocks.
Delete Frozen Messages
At this during queue rescue, you might want to delete all frozen messages since they’re going nowhere anyway.
exim -bp | grep frozen | awk '{print $3}' | xargs exim -Mrm
References
How to Configure Your Firewall for cPanel Services
https://en.wikipedia.org/wiki/Iptables
https://www.unixmen.com/iptables-vs-firewalld/
https://forums.cpanel.net/threads/how-to-enable-firewall-in-whm.120205/
https://www.liquidweb.com/kb/how-to-manage-the-csf-firewall-in-whmcpanel/
https://computingforgeeks.com/configure-cpanel-firewalld-on-centos-7/
https://forums.cpanel.net/threads/firewalld-setup-questions.603739/