How to Manage the CSF Firewall in WHM/cPanel

Posted by dpepper

Should you discover (or suspect) that a client or customer’s IP address has been blocked in the firewall, or you just need to open (or close) a port on your cPanel server, you may be able to quickly resolve the issue yourself if you have access to WebHost Manager and the ConfigServer Firewall (CSF).

If your server is using CSF, you will find its interface listed in WHM as ConfigServer Security & Firewall under the Plugins section in the left menu. You can also begin typing “firewall” into the search box at the top left to narrow down the choices.

Note: Should you find no such listing in WHM, feel free to request an upgrade from the APF firewall when contacting support. There is no charge, it typically takes only a few minutes, and the only service that needs to be restarted as a result is the firewall itself. Our support technicians can also port your existing APF rules to CSF. If requesting an upgrade, please be sure to indicate whether your server uses the Guardian backup service so that its rules can also be configured.

Unblocking an IP Address in CSF

To determine whether an IP address is blocked, you can use the Search for IP button on the ConfigServer Security & Firewall page. Simply enter the IP address into the search field and click the button.


If the IP address is blocked, the reason for the block will be listed and an unlocked padlock icon will appear to the right of the blocked IP address. Clicking the padlock icon will unblock the IP in the firewall.


Allowing (Whitelisting) an IP Address

It is important to note that there are two components to CSF: the firewall itself and the Login Failure Daemon (lfd).

To whitelist an IP address in the firewall (csf.allow), you can enter the IP address into the Quick Allow section, along with an optional comment for the allow (such as “Office network”), and click the Quick Allow button.

When an IP address is whitelisted in CSF, it can still be blocked by lfd for abusive behavior such as multiple failed logins or repeated violations of certain ModSecurity rules. This helps to mitigate the sort of brute-force attacks that could occur should a computer or device on the same network as a whitelisted IP address become compromised or infected with malware.

It is recommended to whitelist IPs only as necessary and, for a long-term solution, focus on resolving the issue which led to the block (such as incorrect login credentials). However, as a temporary measure while troubleshooting or otherwise working to correct the underlying issue, you can prevent an IP address from being blocked by lfd by adding it to the ignore list (csf.ignore).

That can be done using the Quick Ignore button on the ConfigServer Security & Firewall page.
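
To review which addresses end up exempt from both components, the following added example (not part of the original article) lists entries that appear in both csf.allow and csf.ignore. It assumes the standard file locations under /etc/csf/ on a real server; the function names are illustrative and the sample files are constructed.

```shell
#!/bin/sh
# Added example: find entries listed in BOTH csf.allow and csf.ignore.
# Such addresses are never blocked by the firewall or by lfd, so they
# deserve periodic review. Function names are illustrative.

# Usage: csf_fully_exempt <csf.allow> <csf.ignore>
csf_fully_exempt() {
    awk '
        { sub(/#.*/, "") }                        # drop comments
        # skip blank lines, Include lines and advanced filters (tcp|in|d=22|s=...)
        NF == 0 || $1 == "Include" || index($0, "|") { next }
        FILENAME == ARGV[1] { allowed[$1] = 1; next }
        ($1 in allowed) && !seen[$1]++ { print $1 }
    ' "$1" "$2"
}

# Run the check against constructed sample files (documentation addresses).
demo_exempt() {
    dir=$(mktemp -d)
    cat > "$dir/csf.allow" <<'EOF'
# constructed sample csf.allow
192.0.2.10 # Office network
198.51.100.7 # Monitoring host
tcp|in|d=22|s=203.0.113.5
EOF
    cat > "$dir/csf.ignore" <<'EOF'
# constructed sample csf.ignore
127.0.0.1
192.0.2.10 # temporary, while a mail client password is corrected
EOF
    csf_fully_exempt "$dir/csf.allow" "$dir/csf.ignore"
    rm -rf "$dir"
}

demo_exempt
```

On a server this would be called as `csf_fully_exempt /etc/csf/csf.allow /etc/csf/csf.ignore`. Entries are compared as written, so a CIDR range in one file is not matched against a single address in the other.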


Blocked IP? Don’t Forget to Check cPHulk

WebHost Manager also includes the cPHulk Brute Force Protection module which, like the Login Failure Daemon component of the ConfigServer firewall, can block IP addresses (independently of the firewall) when they have repeated failed login attempts.

If you’re trying to unblock an IP address but no block is to be found in the firewall, you will want to check cPHulk as well. In WHM, you’ll find cPHulk Brute Force Protection listed under the Security Center section of the left menu.

On cPHulk’s History Reports tab, you can search for failed logins, blocked users, blocked IP addresses, or one-day blocks.

Removing a block is as easy as clicking the Remove Blocks and Clear Reports button.

You can also whitelist IP addresses, with an optional comment, under the Whitelist Management tab.

Please be aware that whitelisting an IP address here means that the IP address will always be able to attempt to log into the server. That could potentially present a security risk in the event that a computer or device on the same local network as the whitelisted IP becomes compromised or infected and uses brute force to try to gain protected access. For this reason, IP address whitelisting in cPHulk should be used sparingly and with caution.

Opening and Closing Ports in the Firewall

On the ConfigServer Security & Firewall page in WebHost Manager, click on the Firewall Configuration button to enter advanced settings.

On the Firewall Configuration screen, scroll down to the IPv4 Port Settings section, and locate the Allow incoming TCP ports and Allow outgoing TCP ports sections.


You will need to add the necessary port to the appropriate list (or remove a listed port to block it), then scroll all the way to the bottom of the page and click the Change button to save your settings and restart the firewall.
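
After saving, it is worth confirming that the port lists contain exactly what you intended. The following added example (not from the original article) checks whether a port is covered by a list such as TCP_IN or TCP_OUT, including `low:high` ranges. It assumes the settings live in /etc/csf/csf.conf in the form `KEY = "..."`; the function names are illustrative and the sample file is constructed.

```shell
#!/bin/sh
# Added example: check whether a port is covered by a CSF port list.
# Lists are comma-separated; "lo:hi" is an inclusive range.

# Usage: csf_port_listed <conf-file> <KEY> <port>   (exit 0 if covered)
csf_port_listed() {
    awk -v key="$2" -v port="$3" '
        $1 == key && $2 == "=" {
            list = $0
            sub(/^[^"]*"/, "", list)     # strip up to the opening quote
            sub(/".*$/, "", list)        # strip the closing quote onward
            n = split(list, items, ",")
            for (i = 1; i <= n; i++) {
                if (items[i] == "") continue
                m = split(items[i], r, ":")
                lo = r[1] + 0
                hi = (m == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Report each LIST:PORT pair against a constructed csf.conf excerpt.
demo_ports() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# constructed sample, not a real server's configuration
TCP_IN = "22,25,53,80,443,2083,2087,30000:35000"
TCP_OUT = "22,25,53,80,443"
EOF
    for check in TCP_IN:443 TCP_IN:3306 TCP_IN:31000 TCP_OUT:2087; do
        if csf_port_listed "$conf" "${check%%:*}" "${check##*:}"; then
            echo "$check listed"
        else
            echo "$check not listed"
        fi
    done
    rm -f "$conf"
}

demo_ports
```

A port that is reported as listed but should be closed (or the reverse) means the change was not saved as intended.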

Port Still Unreachable? Check Your Storm® Firewall

If you have a Storm® server, you have access to an additional firewall which can be accessed via your Manage interface by clicking on your server’s dashboard.

You’ll find your Storm® Firewall settings under the Network section, on the Firewall tab. If you’ve enabled it with advanced settings, you will want to ensure you’ve opened the port there as well.


To open a port when using the Advanced Firewall Configuration, click the Add Rule link, give it a Label and set the Destination Port, Protocol, and Action, then click the green button.

Repeat for any additional ports you’re opening (or closing) and then click the Apply Firewall Settings button to apply the settings and restart the firewall.
