ConfigServer Security & Firewall (CSF) is a popular and feature-rich firewall solution for cPanel servers. It adds an extra layer of security by integrating seamlessly with iptables, providing robust features like brute-force protection, IP whitelisting/blacklisting, and detailed logging.
In this guide, we’ll walk you through configuring CSF on a cPanel server, along with key firewall rules that every hosting provider should know to enhance server security and performance.
Step-by-Step Guide to Configuring CSF on a cPanel Server
Follow these steps to install and configure CSF on your cPanel server:
Step 1: Install CSF
Before starting, ensure that your server meets the requirements for CSF installation.
- Log in to your server via SSH as the root user.
- Run the following commands to download and install CSF:
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Once installed, CSF can be managed via WHM or command-line tools.
Step 2: Verify CSF Installation
After installation, verify that CSF is working correctly:
- Run the following command to check the status:
csf -v
If the version number appears, the installation was successful.
Step 3: Disable Testing Mode
CSF starts in testing mode by default to prevent accidental lockouts. Disable it to activate CSF:
- Edit the CSF configuration file:
nano /etc/csf/csf.conf
- Find the line TESTING = "1" and change it to:
TESTING = "0"
- Save the file and restart CSF:
csf -r
Step 4: Configure Basic Firewall Rules
CSF provides default rules that work for most cPanel servers. However, you may need to customize them based on your hosting environment.
- Edit the CSF configuration file:
nano /etc/csf/csf.conf
Modify the following settings:
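- TCP_IN: Open ports required for incoming connections (e.g., HTTP, HTTPS, SSH). The value below covers FTP, SSH, DNS, mail and web; on a cPanel server, also keep the cPanel, WHM and Webmail ports (2082, 2083, 2086, 2087, 2095, 2096) in this list, otherwise those interfaces stop accepting connections after the restart.
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
- TCP_OUT: Open ports required for outgoing connections (e.g., DNS, external APIs).
TCP_OUT = "20,21,22,25,53,80,110,113,443"
- ICMP_IN: Enable or disable ping requests.
ICMP_IN = "1"
- Restart CSF to apply changes: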
csf -r
Step 5: Configure IP Whitelisting and Blacklisting
To prevent unauthorized access or block malicious traffic, use CSF’s whitelist and blacklist features:
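- Whitelist a trusted IP address (replace IP_ADDRESS with the address in question):
csf -a IP_ADDRESS
- Blacklist a malicious IP address:
csf -d IP_ADDRESS
- Search the current allow and deny rules for an IP address:
csf -g IP_ADDRESS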
Step 6: Enable Login Failure Detection (LFD)
LFD is an integral part of CSF that detects brute-force attacks and automatically blocks offending IPs.
- Edit the CSF configuration file, which also holds the LFD settings:
nano /etc/csf/csf.conf
Set the following parameters:
- LF_TRIGGER: Number of login failures before blocking an IP.
LF_TRIGGER = "5"
- LF_BLOCK: Enable blocking of IPs after failed login attempts.
LF_BLOCK = "1"
- Restart CSF and LFD:
csf -r
service lfd restart
Essential CSF Firewall Rules Every Hosting Provider Should Know
To ensure optimal server security, implement these key rules:
1. Set Default Deny Policies
Deny all incoming and outgoing traffic by default, then explicitly allow only the necessary ports and IPs.
DEFAULT_INPUT_POLICY = "DROP"
DEFAULT_OUTPUT_POLICY = "DROP"
2. Rate-Limit Connections
Prevent DDoS attacks by limiting the number of connections from a single IP address.
CONNLIMIT = "80;20,443;20"
This limits each IP address to 20 concurrent connections on the HTTP (80) and HTTPS (443) ports.
3. Enable Port-Specific Alerts
Receive email notifications when specific ports are accessed:
PORTFLOOD = "22;tcp;5;300"
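This triggers if SSH (port 22, TCP) is accessed more than 5 times within 300 seconds; PORTFLOOD then blocks that IP from the port until 300 seconds have passed since its last packet.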
4. Protect Against SYN Floods
SYN floods are a common form of DDoS attack. Enable protection in the CSF configuration:
SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
5. Log and Monitor Traffic
Keep track of all traffic for auditing purposes. Enable detailed logging in CSF:
LOGGING = "1"
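The script below is an added example, not part of the original guide or of CSF itself: a pre-flight lint for the csf.conf settings covered above (TESTING, TCP_IN, CONNLIMIT, PORTFLOOD), meant to be run before csf -r so that a bad edit does not lock you out. The required-port list (22, 2083, 2087), the function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint csf.conf before `csf -r` so a bad edit does not lock you out.
# Assumption: SSH (22) plus the cPanel (2083) and WHM (2087) TLS ports must stay open.
REQUIRED_TCP_IN=${REQUIRED_TCP_IN:-"22 2083 2087"}

# Print the value of KEY ($2) from a csf.conf-style file ($1): KEY = "value".
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Succeed if port $1 is in comma-separated list $2 (single ports or low:high ranges).
port_listed() {
    echo "$2" | tr ',' '\n' | awk -F: -v p="$1" '
        NF == 1 && $1 + 0 == p + 0 { ok = 1 }
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
        END { exit !ok }'
}

flag() { echo "WARN: $1"; problems=$((problems + 1)); }

# Print one line per problem and return the number of problems found.
csf_audit() {
    conf=$1; problems=0
    [ "$(csf_get "$conf" TESTING)" = "0" ] || flag "TESTING is not 0: still in testing mode"
    tcp_in=$(csf_get "$conf" TCP_IN)
    for port in $REQUIRED_TCP_IN; do
        port_listed "$port" "$tcp_in" || flag "TCP_IN is missing port $port"
    done
    for entry in $(csf_get "$conf" CONNLIMIT | tr ',' ' '); do
        echo "$entry" | grep -Eq '^[0-9]+;[0-9]+$' || flag "CONNLIMIT '$entry' is not port;limit"
    done
    for entry in $(csf_get "$conf" PORTFLOOD | tr ',' ' '); do
        echo "$entry" | grep -Eq '^[0-9]+;(tcp|udp);[0-9]+;[0-9]+$' ||
            flag "PORTFLOOD '$entry' is not port;protocol;count;seconds"
    done
    return "$problems"
}

# Constructed sample (not a real server's file) built from this guide's values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
CONNLIMIT = "80;20,443;20"
PORTFLOOD = "22;tcp;5;300"
EOF
csf_audit "$sample" || echo "$? problem(s): fix them before running csf -r"
rm -f "$sample"
```

On a live server, point csf_audit at /etc/csf/csf.conf and set REQUIRED_TCP_IN to the ports you actually administer the machine through.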
Conclusion
CSF Firewall is a powerful tool for securing cPanel servers, offering features like IP whitelisting, rate limiting, and login failure detection. By following this step-by-step guide and implementing essential rules, hosting providers can enhance their server security and protect against a wide range of threats.
Take the time to customize CSF for your specific needs, regularly review logs, and test your configurations to ensure optimal performance. A properly configured CSF setup is your first line of defense against malicious traffic and unauthorized access.