ConfigServer Firewall is installed by default on our cPanel managed servers. CSF is a free and advanced software firewall with several deep configuration options. You can find these options by logging into WHM and searching for “ConfigServer Firewall”.
Scroll down to find the “csf – ConfigServer Firewall” section and click on the “Firewall Configuration” button.
There are hundreds of different settings, many of them having very limited uses which should be left as the defaults. In this guide, we will go over the most important settings that you may wish to utilize. For other settings, there are descriptions above each in the GUI. If you are confused by any, feel free to submit a support ticket. We will help you understand what the settings do and if you should worry about changing them.
By default, CSF leaves open several different ports which you may not require. The more ports you have open on your server, the more avenues of attack hackers have. Wikipedia maintains a list of ports and what they are used for. You can go through these and see if the port number is utilized by a service you are using. If not, you can remove it from the list.
For general reference, these are the ports you will need open for several commonly used services:
TCP_IN and TCP6_IN
All servers: 22,53
TCP_OUT and TCP6_OUT
All servers: 22,53,80,113,443
UDP_IN and UDP6_IN
All servers: 53
UDP_OUT and UDP6_OUT
All servers: 53,113,123
Denial of Service and Flood Attacks
Several settings can help mitigate and block DOS attacks against your server.
SYNFLOOD turns on protection against SYN flood attacks, while SYNFLOOD_RATE and SYNFLOOD_BURST adjust how aggressively blocking occurs. This should only be enabled while you are under attack, as it will slow down legitimate traffic to your server.
UDPFLOOD, UDPFLOOD_LIMIT, and UDPFLOOD_BURST work the same way, except they limit outbound UDP packets sent from your server. Outbound floods usually occur when your server has been compromised and a malicious script has been uploaded, so this setting essentially helps prevent your server from being used to attack others.
CONNLIMIT limits the number of concurrent connections to specific ports. You input values by listing the port, then the maximum number of connections. Put a ; in between each number. So if you wanted to limit port 20 to 10 connections and port 25 to 100 connections, you would enter 20;10;25;100.
PORTFLOOD limits the number of connections that can be made to a specific port over time from a single IP address. For example, if you wanted to limit TCP connections on port 20 to 10 every 120 seconds, you would enter 20;tcp;10;120. The block is removed 120 seconds after the final packet from the final connection is sent. You add additional ports by separating entries with commas, for instance 20;tcp;10;120,21;udp;5;120.
ICMP_IN and ICMP_IN_LIMIT restrict pings to your server. ICMP_IN can be set to 0 to disallow them completely, while ICMP_IN_LIMIT sets the maximum number of pings accepted from one IP address per second. You can generally leave the limit at the default, 1/s, but you may increase it if you need. You may see ping timeouts when you ping your server on the default setting, so increasing the limit or turning it off (by setting it to 0) may be preferred.
IP Address Restriction
CSF will block IPs automatically when it detects they are attempting to attack your server. It adds them to the /etc/csf/csf.deny file. If this file gets too large, it can cause slowdowns on your server. You can set a hard limit for the number of IP addresses it stores by setting the DENY_IP_LIMIT; it defaults to 200, but you can increase it safely unless you detect server performance issues.
DENY_TEMP_IP_LIMITS does the same for temporary IP blocks. It defaults to 100; you can lower or raise this if you like, but 100 is usually sufficient unless you come under heavy attack.
To add specific IP addresses to your block list, you can go back to the main menu and find the “Firewall Allow IPs” or “Firewall Block IPs” options. You can add IPs to either of those lists. If you wish to temporarily block an IP, you can find the “Temporary Allow/Deny” area and enter the IP address you wish to temporarily allow or deny on a certain port for any length of time.
If you want to receive e-mail alerts whenever something suspicious happens or CSF encounters problems, you will put your e-mail address in the LF_ALERT_TO field.
SYSLOG_CHECK monitors “syslog”, which must be running properly for many of the login failure daemon (lfd) checks to work. Set this between 60 and 3600 seconds; higher numbers mean it is checked less often, which also uses fewer resources.
Detect Suspicious Processes
Setting PT_DELETED and PT_ALL_USERS to 1 enables checks for suspicious processes running on your server. Turning these on causes CSF to send you a report whenever a suspicious process is noticed; you will need to review it yourself and remove anything that is unauthorized. You can always contact our MST when you receive an alert from here.
Setting SMTP_BLOCK to 1 will prevent unauthorized users from using your server to send emails. You can also set LF_SCRIPT_LIMIT to send an alert whenever someone uses a script to send more than a certain number of emails all at once. This can help prevent someone from using your server to spam others. If you set LF_SCRIPT_ALERT to 1, you will receive an e-mail whenever the above-set limit is reached.
After you make your settings, you will need to save your changes by clicking on the “Change” button at the bottom of the page.
You will then need to restart the services to put the changes into effect. Do so by clicking “restart csf+lfd” on the next page.
Remember that if you have any additional questions about a setting in CSF, you can feel free to file a support ticket with our MST asking for further advice.