How do I use WHM Firewall?


Unblocking IP's, Whitelisting and Blacklisting IP's, Blocking Countries and Ports

NOTE: This tutorial is only for VPS products. To maintain server security, clients using Web Hosting, Performance Hosting and Reseller Hosting plans do not have access to the CSF firewall.

IP addresses blocked on these services can still be unblocked by logging into from the blocked IP.

Editing the firewall is an advanced function. Unblocking IP's is generally fine to do, but for other functions, if you're the slightest bit unsure please feel free to contact our support team.

How to access the WHM Firewall
To access the firewall log into WHM, type firewall in the search bar and click on ConfigServer Security & Firewall

Unblock IP addresses

: If your IP is blocked, note down your IP (you can find it using then tether your phone's internet connection to your computer (your ISP should be able to assist with doing this). You'll now have an unblocked IP address that you can use to log into your server and unblock your main IP.

Step 1 - Find the Search for IP section, input the blocked IP address and hit Enter or click on the Search for IP button

Step 2 - If the IP is blocked you'll see this screen. Take note of the reason for the block. Click the green Unblock button to unblock the IP

Step 3 - Once the IP is blocked you will see this screen

: This doesn't stop the IP from being blocked again. To find the exact reason for the block you will need to SSH into the server as root and run the corresponding commands:

Failed IMAP/POP login: zgrep /var/log/maillog* | grep fail

Failed SMTP login: zgrep /var/log/exim_mainlog* | grep fail

Failed cPanel login: zgrep /usr/local/cpanel/logs/access_log* | grep fail

Failed FTP login: zgrep /var/log/messages* | grep fail

Failed SSH login: zgrep /var/log/messages* | grep fail

If you're uncomfortable doing this, feel free to submit a support ticket through,copy/paste the last line from Step 2 (starting with csf.deny) into the ticket and request we find the cause of the block

Whitelist or Blacklist IP addresses

: You should only ever whitelist an IP address if you have confirmed with your ISP that the IP is static and won't ever be given to any device other than your home/office router. Even then, someone accessing your local network unauthorised or a visitor/employee with access to your network will have unrestricted access to hack your server while connected to the network. If you're experiencing constant IP blocks due to failed passwords, we recommend setting a temporary IP whitelist for a few hours. Unless you have very specific technical requirements, there's never a good reason to permanently whitelist an IP.

To temporarily whitelist/blacklist an IP look for the Temporary Allow/Deny option, select either allow or deny, input the IP address, select the ports (you can use * for all ports, type one port or multiple separated by commas, for example, 25,465,587), select the length you want and either press Enter or hit the Temporary Allow/Deny button.

To whitelist an IP address Permanently on your server you will need to first input it in the Quick Allow section and hit Enter or the Quick Allow button. Once that's done do the same in the Quick Ignore section.

To blacklist an IP address add the IP in the Quick Deny section then either click Enter or the Quick Deny button

Remove a Whitelisted IP
First, click the Firewall Allow IPs button. To remove a backlist click the Firewall Deny IP's button.

You will see a screen similar to the one bellow. Delete the whole line where the IP is listed and Change down the bottom.
Remove the IP from this list and click Change.


Next, click Edit next to the csf.ignore menu 4dd4f0b42bbaf1f16475b6896b47ebb41ae3bddb?t=b6d6ac01282e55dbad9484416adadd7e

Find the line containing the IP you want to remove, add a # to it and click Change


Block Ports
If your server is not used for email, if SSH access isn't used or if you only want secure SSL connections used for email, you can block specific ports on your server by removing them from the default whitelist.

First, click on the Firewall Configuration button

Next, search for the TCP_IN and TCP_OUT functions. Just remove the port number from here.

Once that's done , scroll down to the bottom of the page (it's long, so you may want to drag down from the sidebar) and hit Change

Wikipedia has a guide that lists ports and their standard uses:

Blacklist or Whitelist countries from accessing your server completely
Before you start, note that IP address lists are large enough that using this option can potentially cause your server speed to drop, so keep a note of it for a week or two after making the change. It will also prevent any email or web traffic from countries not whitelisted. The upside, of course, is that this has a significant positive effect on your server security. One more thing, the country IP lists are about 99% correct, meaning it's 1% incorrect, so this may be an area you should look into should a client be unable to access your server.

You can also apply blocks on a per cPanel account basis. Click here for a tutorial. The tutorial assumes your server has Geo_IP installed. Feel free to contact us if you're unsure. Note that this method only blocks the web ports 80 and 443.

First, click on the Firewall Configuration button.

Next, find the CC_ALLOW_FILTER option. This creates a whitelist of countries which can access your server. Just above that is a CC_DENY option which can be used to create a blacklist. We don't recommend using the CC_ALLOW option as it's less secure than _FILTER

To view a list of country codes, click here and look at the bottom of the page.

Afterwards, you will need to scroll down and enable LF_IPSET (this helps with the load on your server).


Once that's done , scroll down to the bottom of the page (it's long, so you may want to drag down from the sidebar) and hit Change.

Did you find this article useful?  

Related Articles

© Crucial