How to Manage the CSF Firewall in WHM/cPanel

Should you discover (or suspect) that a client or customer’s IP address has been blocked in the firewall, or you just need to open (or close) a port on your cPanel server, you may be able to quickly resolve the issue yourself if you have access to WebHost Manager and the ConfigServer Firewall (CSF).

If your server is using CSF, you will find its interface listed in WHM as ConfigServer Security&Firewall under the Plugins section in the left menu. You also can begin typing “firewall” into the search box at the top left to narrow down the choices.

Unblocking an IP Address in CSF

To determine whether an IP address is blocked, you can use the Search for IP button on the ConfigServer Security&Firewall page. Simply enter the IP address into the search field and click the button.

If the IP address is blocked, the reason for the block will be listed and an unlocked padlock icon will appear to the right of the blocked IP address. Clicking the padlock icon will unblock the IP in the firewall.

Allowing (Whitelisting) an IP Address

It is important to note that there are two components to the csf firewall, the firewall itself and the Login Failure Daemon (lfd).

To whitelist an IP address in the firewall (csf.allow), you can enter the IP address into the Quick Allow section, along with an optional comment for the allow (such as “Office network”), and click the Quick Allow button.

When an IP address is whitelisted in CSF, it still can become blocked by lfd for abusive behavior such as multiple failed logins or repeated violation of certain modsecurity rules. This helps to mitigate the sort of brute-force attacks that could occur should a computer or device on the same network as a whitelisted IP address become compromised or infected with malware.

It is recommended to whitelist IPs only as necessary and, for a long-term solution, focus on resolving the issue which led to the block (such as incorrect login credentials). However, as a temporary measure while troubleshooting or otherwise working to correct the underlying issue, you can prevent an IP address from being blocked by lfd by adding it to the ignore list (csf.ignore).

That can be done using the Quick Ignore button on the ConfigServer Security&Firewall page.

Blocked IP? Don’t Forget to Check cPHulk

WebHost Manager also includes the cPHulk Brute Force Protection module which, like the Login Failure Daemon component of the ConfigServer firewall, can block IP addresses (independently of the firewall) when they have repeated failed login attempts.

If you’re trying to unblock an IP address but no block is to be found in the firewall, you will want to check cPHulk as well. In WHM, you’ll find cPHulk Brute Force Protection listed under the Security Center section of the left menu.

On cPHulk’s History Reports tab, you can search for failed logins, blocked users, blocked IP addresses, or one-day blocks.

Removing a block is as easy as clicking the Remove Blocks and Clear Reports button.

You also can whitelist IP addresses, with an optional comment, under the Whitelist Management tab.

Please be aware that whitelisting an IP address here means that the IP address always will be able to attempt to log into the server. That could potentially present a security risk in the event that a computer or device on the same local network as the whitelisted IP becomes compromised or infected and uses brute force to try to gain protected access. For this reason, IP address whitelisting in cPHulk should be used sparingly and with caution.

Opening and Closing Ports in the Firewall

On the ConfigServer Security & Firewall page in WebHost Manager, click on the Firewall Configuration button to enter advanced settings.

On the Firewall Configuration screen, scroll down to the IPv4 Port Settings section, and locate the Allow incoming TCP ports and Allow outgoing TCP ports sections.

You will need to add the necessary port to the appropriate list (or remove a listed port to block it), then scroll all the way to the bottom of the page and click the Change button to save your settings and restart the firewall.

Port Still Unreachable? Check Your Storm® Firewall

If you have a Storm® server, you have access to an additional firewall which can be accessed via your Manage interface by clicking on your server’s dashboard.

You’ll find your Storm® Firewall settings under the Network section, on the Firewall tab. If you’ve enabled it with advanced settings, you will want to ensure you’ve opened the port there as well.

To open a port when using the Advanced Firewall Configuration, click the Add Rule link, give it a Label and set the Destination Port, Protocol, and Action, then click the green button.

Repeat for any additional ports you’re opening (or closing) and then click the Apply Firewall Settings button to apply the settings and restart the firewall.

Find Detailed Information in Our Knowledge Base

• Learn how to manage IP address blocks from the command line via SSH:
  • How to Unblock an IP Address in CSF
  • How to Unblock an IP Address in APF
• For general information on APF, see APF Firewall.
• And to learn how to open (and close) ports in either firewall, check out Opening Ports in Your Firewall.
• To learn more about the Storm® Firewall, visit How to Configure a Storm® Firewall.