How to manage and secure the CSF firewall

The ConfigServer Security and Firewall (CSF) within WebHost Manager (WHM) offers several different ways to block and unblock access to a site, including:

• Whitelisting IP addresses.
• Blocking and unblocking IP addresses.
• Opening and closing ports.

Whether you need to unblock a client’s IP address after it has been blocked, or close a port to prevent malicious activity, the CSF is a powerful tool for helping secure your site. 

You must have root access to configure the firewall.Table of Contents

• Unblocking an IP address
• Granting access to an IP address
  • Whitelisting an IP address
  • Using Quick Ignore
• Checking cPHulk
• Opening and closing ports
• More Information

Unblocking an IP address

To determine whether an IP address has been blocked (and to unblock it), follow these steps:

1. Log in to WebHost Manager.If you do not know how to log in to your WebHost Manager account, please see this article.
2. In the search box at the upper left of the WHM screen, start typing configserver, and then click ConfigServer Security & Firewall when it becomes visible:
3. Under csf – ConfigServer Firewall, in the Search iptables for IP address text box, type the IP address to search for, and then click Search for IP.
4. If the IP address is blocked, it appears in the search results, along with the reason. To unblock the IP address, click the padlock icon to the right of the IP address.

Granting access to an IP address

There are two parts to the CSF firewall: the firewall itself and the Login Failure Daemon (LFD). Whitelisting an IP address grants the address access in the csf.allow firewall, and adding an IP address to the Quick Ignore list prevents an IP address from being blocked by the LFD. (If an IP address is still blocked after whitelisting, you must add it to the Quick Ignore list.)

Even if you whitelist an IP address using the method listed below, the LFD can still block it for suspicious behavior such as repeat violations of ModSecurity rules or multiple failed logins. This is done to minimize the risk of brute-force attacks that could occur if a computer or device on the same network as a whitelisted IP address becomes compromised or infected with malware.

Whitelisting an IP address

To whitelist an IP address in the csf.allow firewall, follow these steps:

1. Log in to WebHost Manager.If you do not know how to log in to your WebHost Manager account, please see this article.
2. In the search box at the upper left of the WHM screen, start typing configserver, and then click ConfigServer Security & Firewall when it becomes visible:
3. Under csf – Quick Actions, locate the Quick Allow section.
4. In the Allow IP address text box, type the IP address. There is an optional text box below where you can type a comment for why the IP address was whitelisted:
   
5. Click Quick Allow.
   You should only grant IP addresses should only be granted access as necessary. The best security practice is to resolve the issue which led to the IP address being blocked in the first place.

Using Quick Ignore

A temporary measure that you can take while trying to resolve the underlying issue is to add a problematic IP address to the ignore list. Adding an IP address to the Quick Ignore list prevents LDF from blocking the address. To add an IP address to the ignore list, follow these steps:

1. Log in to WebHost Manager.If you do not know how to log in to your WebHost Manager account, please see this article.
2. In the search box at the upper left of the WHM screen, start typing configserver, and then click ConfigServer Security & Firewall when it becomes visible:
3. Under csf – Quick Actions, locate the Quick Ignore section.
4. In the Ignore IP address text box, type the IP address:
   
5. Click Quick Ignore.

Checking cPHulk

As with LFD, the WebHost Manager cPHulk Brute Force Protection module can block IP addresses exhibiting suspicious behavior. This happens independently of the firewall, so it is a good idea to check cPHulk if you have whitelisted or unblocked an IP address and it still cannot gain access.

To check cPHulk, follow these steps:

1. Log in to WebHost Manager.If you do not know how to log in to your WebHost Manager account, please see this article.
2. In the search box at the upper left of the WHM screen, start typing cphulk, and then click cPHulk Brute Force Protection when it becomes visible:
3. Click the History Reports tab. This area allows you to search for blocked IP addresses, blocked users, one-day blocks, or failed logins.
4. To remove a block, select the blocked entry and then click Remove Blocks and Clear Reports.
   

Opening and closing ports

You might need to open or close a port for various reasons. For example:

• Opening a port to allow e-mail to be delivered.
• Closing a port that is exhibiting malicious activity.

To open or close ports in the firewall, follow these steps:

1. Log in to WebHost Manager.If you do not know how to log in to your WebHost Manager account, please see this article.
2. In the search box at the upper left of the WHM screen, start typing configserver, and then click ConfigServer Security & Firewall when it becomes visible:
3. Under csf – ConfigServer Firewall, click Firewall Configuration:
   
4. Scroll down to the IPv4 Port Settings section. In this section are the following options:
   • Allow incoming TCP ports (TCP_IN): Use this option to allow incoming connections to the specified TCP ports.
   • Allow outgoing TCP ports (TCP_OUT): Use this option to allow outgoing connections to the specified TCP ports.
   • Allow incoming UDP ports (UDP_IN): Use this option to allow incoming connections to the specified UDP ports.
   • Allow outgoing UDP ports (UDP_OUT): Use this option to allow outgoing connections to the specified UDP ports.
5. After making the changes, scroll down to the bottom of the page, and click Change.
6. Click Restart csf+lfd to restart the firewall.

More Information

For more information about CSF, please visit https://configserver.com/cp/csf.html.

Read now – cPanel error message: “Your IP address has changed”