Note: At least one of ConfigServer’s servers is in Germany; blocking that country could prevent CSF from updating and cause an error to be displayed on the ConfigServer Security & Firewall page in WHM.
Pre-Flight Check
- This series assumes you have the ConfigServer Firewall (CSF) installed on your cPanel server, and you have access to WebHost Manager (WHM).
- If your managed cPanel server currently uses APF but you’d prefer CSF, contact Heroic Support® and request a switch. There is no charge, it typically takes only a few minutes, and the only service that needs to be restarted as a result is the firewall itself. Our support technicians also can port your existing APF rules to CSF. If requesting an upgrade, please be sure to indicate whether your server uses the Guardian backup service so that its rules also can be configured.
Blocking Access to Specific Ports by Country
Restricting access by port to IP addresses originating in a specific country or countries can be an effective way to help minimize the negative performance impact that country-level blocking can bring. That’s because the smaller the CIDR (Classless Inter-Domain Routing) range against which each IP making an incoming request is checked, and the fewer requests on that port (SSH on port 22 and FTP on port 21 are likely to see far less traffic than the website itself on port 80), the fewer resources the firewall checks should require. In this case, only incoming traffic on the specified port or ports will be checked against the CIDR range(s) for the blocked country code(s).
If you wish to deny access to several countries, or wish to allow access to a port for only a single country, a better option may be to instead allow access only to that country. Feel free to skip ahead to Allowing Access to Specific Ports by Country below to learn how to do that.
In this example, we’re blocking access to the standard FTP port, 21, to IP addresses originating in Belgium.
Step #1: Specify the Country or Countries to be Denied
- Scroll down to the Country Code Lists and Settings section and add the country code to CC_DENY_PORTS. Multiple countries can be comma separated with no spaces in between, and you can find a list of ISO 3166-1 alpha-2 codes at Wikipedia.
- List the port to be blocked for the specified country in the CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP fields.

Step #2: Save Your Changes and Restart the Firewall
- Scroll to the bottom of the Firewall Configuration page and click on the Change button.
- On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.
Allowing Access to Specific Ports by Country
Just as you can deny incoming traffic by port to a specific country or countries, you also can choose to allow incoming traffic by port to only a specific country or countries. Generally, this should be a better option than attempting to deny port access to a long list of countries because the firewall will be working with a smaller CIDR range against which each incoming request must be checked. To limit the ability to connect on a specific port or ports to visitors with IP addresses originating in a specific country or countries, you must:
- close the ports in the firewall
- define the country code allowed to connect on those blocked ports
- specify the blocked ports to be opened for the specified country
Step #1: Close the Ports in the Firewall
On the Firewall Configuration page, scroll down to the IPv4 Port Settings section, and remove the desired port number from the TCP_IN and UDP_IN (if present) fields. Here, we’ve removed port 21 from the allowed incoming IPv4 ports, effectively blocking external access to the port.
Step #2: Specify the Country or Countries to be Allowed
Scroll down to the Country Code Lists and Settings section and add the country code to CC_ALLOW_PORTS. Here we’ve specified that traffic originating from Germany is allowed to connect on ports which have been otherwise closed in the firewall (we’ll define the specific ports for this allow in the next step).
Step #3: Specify the Closed Ports to be Allowed to the Designated Country
Just below the CC_ALLOW_PORTS field, you’ll see CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP. We’ll add the port to open to the country (or countries) specified in CC_ALLOW_PORTS here, in this case, port 21.
Step #4: Save Your Changes and Restart the Firewall
- Scroll to the bottom of the Firewall Configuration page and click on the Change button.
- On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.
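A consistency check for the allow-by-country procedure above, added here as an example (it is not part of the original article or of CSF). It flags a port that is opened for a country while still listed in TCP_IN or UDP_IN, which leaves it open to everyone, and a per-country port list with no country set. It assumes the settings are stored as KEY = "value" lines and that the country port lists hold single ports; the function names and the sample file are constructed for illustration.

```shell
# Added example: audit a csf.conf-style file for the allow-by-country setup.

# Print the quoted value of KEY ($1) from FILE ($2); last definition wins.
conf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Succeed if port $1 is covered by list $2 (single ports or low:high ranges).
port_in_list() {
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        case $entry in
            *:*) if [ "$1" -ge "${entry%%:*}" ] && [ "$1" -le "${entry##*:}" ]; then return 0; fi ;;
            *)   if [ "$entry" = "$1" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Print one line per problem and return the number of problems found.
check_cc_allow() {
    findings=0
    countries=$(conf_get CC_ALLOW_PORTS "$1")
    for proto in TCP UDP; do
        open_all=$(conf_get "${proto}_IN" "$1")
        cc_ports=$(conf_get "CC_ALLOW_PORTS_${proto}" "$1")
        [ -n "$cc_ports" ] || continue
        if [ -z "$countries" ]; then
            echo "CC_ALLOW_PORTS_${proto} is set but CC_ALLOW_PORTS is empty"
            findings=$((findings + 1))
        fi
        for p in $(printf '%s' "$cc_ports" | tr ',' ' '); do
            if port_in_list "$p" "$open_all"; then
                echo "${proto} port $p is still in ${proto}_IN (open to every country)"
                findings=$((findings + 1))
            fi
        done
    done
    return "$findings"
}

# Constructed sample: 21 is listed for DE but was never removed from TCP_IN.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TCP_IN = "20,21,22,80,443,30000:35000"
CC_ALLOW_PORTS = "DE"
CC_ALLOW_PORTS_TCP = "21"
EOF
check_cc_allow "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run against a copy of the saved configuration, a clean result means every port opened per country has actually been closed to everyone else.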