How to configure a Firewall for WHM/cPanel to say block port 25 spammers

Description

Using a firewall with WHM/cPanel can be confusing and complicated as WHM doesn’t ship with a firewall by default.

The two mainstream Linux distribution families, namely CentOS/Redhat and Ubuntu/Debian, also have differing and possibly competing recommended firewall technologies. What it boils down to is that you have to “read the encyclopedia” to get basic stuff done.

Let it not be mistaken, cPanel doesn’t have fail2ban.

You can start reading that encyclopedia by starting here:

https://docs.cpanel.net/knowledge-base/general-systems-administration/how-to-configure-your-firewall-for-cpanel-services/

There are lots of little tidbits in there, for example, how to backup your existing rules to avoid things going haywire, and how this doesn’t co-exist with that etc.

To be honest, I’m not sure why anyone would give you a web hosting product without a proper firewall. Because of this trouble with WHM it’s an aspect of our business that can never be automated.

Hint: Install CPU monitors on all your WHM servers, because they will be attacked en masse.

Hint 2:

Good luck using ad-hoc rules with IPTables, most of the time the rules don’t work. Even this common one given in their documentation (but see below):

iptables -I INPUT -s 198.51.100.1 -j DROP

Hint 3:

Good luck getting tech support for more complex firewall issues. WHM tech support are well trained to bat you away when you try to ask more complicated questions or when firewall functionality doesn’t work. “We give the customer choice in firewall.” is the standard response, which translates to “sorry bro, you’re on your own with this security problem.”.

Hint 4:

cPHulk doesn’t actually perform anything useful, e.g. it’s not a TCP/IP firewall. It simply checks HTTP attacks and often simply doesn’t work.

IPTables versus NFTables

Now with all the negativity out of the way, let’s move on a bit and do quick fixing with iptables. Yes, in spite of iptables not working properly in 2019 as above, it’s now working. So you can do this:

iptables -A INPUT -s 1.2.3.4 -j DROP

To reverse, you can do this:

iptables -D INPUT -s 1.2.3.4 -j DROP

But when you read the version 126 manual, you’ll find this gem:

AlmaLinux, Rocky Linux, and CloudLinux firewall management

Before reading how NFT works, read about NFT fail:

nft fail
# nft add rule filter INPUT ip saddr 202.88.64.59 drop
Error: Could not process rule: No such file or directory
add rule filter INPUT ip saddr 202.88.64.59 drop
^^^^^

What’s going on? Well, it appears nft only starts working once iptables has been invoked: the “No such file or directory” error is nft’s way of saying that the ip filter table (or its INPUT chain) does not exist yet, and the iptables-nft shim creates that table the first time it runs:

iptables -A INPUT -s 1.2.3.4 -j DROP

Now suddenly nft starts working. Next, you can do the command below and start crying:

nft list ruleset

According to the manual, use the nftables framework instead of the iptables utility or legacy services in those operating systems. You can configure nftables with the nft command line tool. You will find the nftables ruleset for your server in the /etc/sysconfig/nftables.conf file.

For example, to block traffic for a single IPv4 address, run the following command, where 198.51.100.1 is the IPv4 address that you wish to block:

nft add rule filter INPUT ip saddr 198.51.100.1 drop

To do the reverse, it’s a two step process. First, get the handle:

nft -a list chain filter INPUT

Then delete the rule:

nft delete rule filter INPUT handle 25

Now what about reboots? What will happen?
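The two-step delete above means reading the handle off the listing by eye. As an added example (not from the original post or the cPanel documentation), the functions below pull the handle for a given source IP out of `nft -a list chain filter INPUT` output and build the matching delete command; the chain listing used here is constructed, not captured from a real server.

```shell
# Added example: look up the nft rule handle for a blocked source IP.
# nft_handle_for_ip reads the text of `nft -a list chain filter INPUT`
# on stdin and prints the handle of the "ip saddr <IP> drop" rule, if any.
nft_handle_for_ip() {
  awk -v ip="$1" '
    # rule lines look like:  ip saddr 198.51.100.1 drop # handle 25
    $1 == "ip" && $2 == "saddr" && $3 == ip && /# handle [0-9]+$/ { print $NF; exit }
  '
}

# Constructed sample of `nft -a list chain filter INPUT` output with two
# drop rules already present (layout as nft prints it, handles made up).
SAMPLE_CHAIN='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip saddr 198.51.100.1 drop # handle 25
        ip saddr 203.0.113.7 drop # handle 26
    }
}'

# Build the delete command for one IP ($1) from a chain listing ($2).
# Prints nothing and returns 1 if the IP has no drop rule in the chain.
nft_delete_cmd_for_ip() {
  handle=$(printf '%s\n' "$2" | nft_handle_for_ip "$1")
  [ -n "$handle" ] || return 1
  printf 'nft delete rule filter INPUT handle %s\n' "$handle"
}

# On a live server replace "$SAMPLE_CHAIN" with "$(nft -a list chain filter INPUT)".
nft_delete_cmd_for_ip 198.51.100.1 "$SAMPLE_CHAIN"
```

Handles are only stable within the running ruleset, so always take a fresh listing before deleting; rules added with `nft add rule` are not written to /etc/sysconfig/nftables.conf by themselves and are gone after a reboot unless you save them there.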

Ubuntu firewall management

See the manual.

cPanel recommends that servers running the Ubuntu operating system use the iptables utility instead of the ufw utility that Ubuntu installs by default. The iptables utility offers more customization settings for your packet-filtering rules.

Wow. Classic. Nightmare.

CSF & iptables & firewalld

The most popular firewall management utility for WHM appears to be CSF.

The firewall installed on your server will typically be either iptables or firewalld.

You cannot use both iptables and firewalld, and thus have to choose one or the other.

To determine if you’re using iptables or firewalld, issue the following commands:

service firewalld status

or

iptables -L

iptables is the original tried and tested technology, whereas firewalld seems to be somewhat simpler to understand.

Our recommendation is to install CSF on your WHM server to manage the firewall.

Here are instructions to install CSF taken from the cPanel documentation:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf && ./install.sh

Important note for CentOS 7, CloudLinux 7, and RHEL 7 users

The cPanel documentation has the following note:

Important:

We recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.

Note the ambiguity with the word 'firewall' above making it very unclear as it could be referencing firewalld as well.

In our experience CSF will use iptables if it’s available on a CentOS 7 installation.

Please leave a comment below or contact us should you require assistance with your WHM and firewall setup.

Block Port 25 Spammers

Step 1:

netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail -30

Pick the last entry (the highest count), which might have 20 connections from a single IP.

Step 2:

Use iptables to do the first block

Step 3:

Use nft to obtain the list of blocks.
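The three steps above, as an added example that is not part of the original post: the pipeline is rewritten to match only the local SMTP port (so `:250` or `:2525` sockets are not counted), a threshold decides whether the top source is worth blocking, and the iptables/nft commands from steps 2 and 3 are emitted for that IP. The netstat output is constructed, and the threshold of 3 is chosen only to fit the sample.

```shell
# Added example: find the busiest inbound SMTP source in `netstat -plan` output.
# Reads netstat text on stdin; counts remote IPs with a connection to local
# port 25 (IPv4 "tcp" rows only, LISTEN sockets skipped), highest count first.
top_smtp_sources() {
  awk '$1 == "tcp" && $4 ~ /:25$/ && $6 != "LISTEN" {
      split($5, a, ":"); print a[1] }' | sort | uniq -c | sort -rn
}

# Print the top source IP only if it has at least $1 connections.
smtp_block_candidate() {
  top_smtp_sources | awk -v min="$1" 'NR == 1 && $1 >= min { print $2 }'
}

# Steps 2 and 3 for the candidate: the iptables block, then the nft listing.
# Returns 1 (prints nothing) when no source reaches the threshold.
smtp_block_cmds() {
  ip=$(smtp_block_candidate "$1")
  [ -n "$ip" ] || return 1
  printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
  printf 'nft list ruleset\n'
}

# Constructed `netstat -plan` sample (addresses from documentation ranges).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 192.0.2.10:25           203.0.113.7:41022       ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:25           203.0.113.7:41023       ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:25           203.0.113.7:41024       ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:25           198.51.100.1:55000      ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:2525         203.0.113.9:5555        ESTABLISHED 1234/exim
tcp        0      0 192.0.2.10:443          203.0.113.7:60000       ESTABLISHED 999/httpd'

# On a live server: netstat -plan | smtp_block_cmds 20
printf '%s\n' "$SAMPLE_NETSTAT" | smtp_block_cmds 3
```

The rule emitted is the blanket DROP the post uses; if you only want to stop the SMTP abuse and not all traffic from that address, narrow it with `-p tcp --dport 25`.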

Delete Frozen Messages

At this point during queue rescue, you might want to delete all frozen messages since they’re going nowhere anyway.

exim -bp | grep frozen | awk '{print $3}' | xargs exim -Mrm

References

How to Configure Your Firewall for cPanel Services
https://en.wikipedia.org/wiki/Iptables
https://www.unixmen.com/iptables-vs-firewalld/
https://forums.cpanel.net/threads/how-to-enable-firewall-in-whm.120205/
https://www.liquidweb.com/kb/how-to-manage-the-csf-firewall-in-whmcpanel/
https://computingforgeeks.com/configure-cpanel-firewalld-on-centos-7/
https://forums.cpanel.net/threads/firewalld-setup-questions.603739/
