WHM Firewall: Unblocking IPs, Whitelisting and Blacklisting IPs, Blocking Countries and Ports


Note: This tutorial is designed for VPS and Dedicated Servers. To maintain server security, clients using Personal, Business, Premium and Reseller plans do not have access to the CSF firewall.


Editing the firewall is an advanced function. This should be approached with care, as it is possible to block access to your server entirely. Unblocking IPs is generally fine to do, but for other functions, please feel free to contact our support team if you are unsure.


How to access the WHM Firewall
Log into WHM as root and navigate to ConfigServer Security & Firewall.

If you do not have your server's root logins, Managed VPS clients can find them by following this guide. Our support team can also reset and send these logins out if required.

Unblock IP addresses

Step 1 - If your own IP is blocked, note down your IP (you can find it using ipchecker.com.au) then tether your phone's internet connection to your computer (your ISP or IT team should be able to assist with doing this). You'll now be able to connect from another IP address that isn't blocked, and you will be able to unblock your main IP.

If another user is blocked, have them visit the website ipchecker.com.au from the device in question and note down their IP.


Step 2 - Access the WHM firewall as above.


Step 3 - Find the Search for IP section. Input the blocked IP address, then hit Enter or click on the Search for IP button.

Step 4 - If the IP is blocked you'll see this screen. Take note of the reason for the block. Click the green Unblock button to unblock the IP.

Step 5 - Once the IP is unblocked you will see this screen. Click Return.

Note: This doesn't stop the IP from being blocked again. To find the exact reason for the block you will need to check error logs. The block message will give some guidance as to which error logs to check first.


Step 6 - On the ConfigServer Security and Firewall main page, select Search System Logs.

Step 7 - Select the log to search in. A few common reasons for a firewall block and their associated logs are included below.

Failed IMAP/POP login: /var/log/maillog
Failed SMTP login: /var/log/exim_mainlog
Failed cPanel login: /usr/local/cpanel/logs/access_log
Failed FTP login: /var/log/messages
Failed SSH login: /var/log/messages or /var/log/secure



Step 8 - Enter your IP address, select the 'wildcard' box if the IP block did not happen today, and select Search.

Step 9 - Investigate the logs for clues as to what caused the block. In this example, we can see large amounts of failed email logins from someone with the username 'test@yourdomain.com'. We'd recommend contacting any person on this IP address who uses this email account, and confirming they have their emails set up correctly.

Alternatively, you could SSH into the server as root and run the corresponding commands, which would result in the same information being displayed. Replace '1.1.1.1' with the IP in question:

Failed IMAP/POP login: zgrep -F 1.1.1.1 /var/log/maillog* | grep -i fail

Failed SMTP login: zgrep -F 1.1.1.1 /var/log/exim_mainlog* | grep -i fail

Failed cPanel login: zgrep -F 1.1.1.1 /usr/local/cpanel/logs/access_log* | grep -i fail

Failed FTP login: zgrep -F 1.1.1.1 /var/log/messages* | grep -i fail

Failed SSH login: zgrep -F 1.1.1.1 /var/log/messages* /var/log/secure* | grep -i fail

If you're uncomfortable doing this, feel free to submit a support ticket, copy/paste the last line from Step 4 (starting with csf.deny) into the ticket, and we can help you find the cause of the block.
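
The searches above match the IP as a substring and print raw lines. As an added example (not part of the original tutorial), the script below counts failure lines per log for one exact IP and tallies the usernames involved. The log lines are constructed, and the username extraction assumes Dovecot's user=<...> format in the mail log.

```bash
# Added example, not from the original article; the log lines are constructed.

# ERE for one exact IPv4 address: dots escaped, and no digit or dot allowed on
# either side, so 1.1.1.1 does not also match inside 11.1.1.10.
ip_regex() {
    printf '(^|[^0-9.])%s([^0-9.]|$)' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# zgrep also reads rotated .gz logs; fall back to grep where it is missing.
zg() { if command -v zgrep >/dev/null 2>&1; then zgrep "$@"; else grep "$@"; fi; }

# Print "<count> <file>" for each log holding failure lines for the IP.
failed_logins() {
    local re f n
    re=$(ip_regex "$1"); shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        n=$(zg -E "$re" "$f" | grep -ic 'fail' || true)
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$n" "$f"; fi
    done
}

# Print "<count> <user>" from Dovecot-style "user=<...>" failure lines.
failed_users() {
    zg -E "$(ip_regex "$1")" "$2" | grep -i 'fail' |
        sed -n 's/.*user=<\([^>]*\)>.*/\1/p' | sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/maillog" <<'EOF'
Mar  3 10:01:12 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test@yourdomain.com>, method=PLAIN, rip=1.1.1.1, lip=203.0.113.5
Mar  3 10:01:40 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test@yourdomain.com>, method=PLAIN, rip=1.1.1.1, lip=203.0.113.5
Mar  3 10:02:05 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@yourdomain.com>, method=PLAIN, rip=1.1.1.1, lip=203.0.113.5
Mar  3 10:02:30 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<test@yourdomain.com>, method=PLAIN, rip=11.1.1.10, lip=203.0.113.5
Mar  3 10:03:00 host dovecot: imap-login: Login: user=<test@yourdomain.com>, method=PLAIN, rip=1.1.1.1, lip=203.0.113.5
EOF
cat > "$demo_dir/secure" <<'EOF'
Mar  3 10:05:00 host sshd[4321]: Failed password for root from 1.1.1.1 port 50522 ssh2
Mar  3 10:05:09 host sshd[4321]: Failed password for invalid user admin from 1.1.1.1 port 50530 ssh2
EOF

failed_logins 1.1.1.1 "$demo_dir/maillog" "$demo_dir/secure"
failed_users 1.1.1.1 "$demo_dir/maillog"
```

On a real server, pass the log paths listed in Step 7 (for example /var/log/maillog* and /var/log/secure*) in place of the sample files.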



Whitelist or Blacklist IP addresses

WARNING: You should only ever whitelist an IP address if you have confirmed with your ISP that the IP is static and won't ever be given to any device other than your home/office router. Even then, a visitor/employee with access to your network or someone accessing your network without authorisation will have unrestricted access to hack your server while connected to the network. If you're experiencing constant IP blocks due to failed passwords, we recommend setting a temporary IP whitelist for a few hours. Unless you have very specific technical requirements, there's never a good reason to permanently whitelist an IP.


To temporarily whitelist/blacklist an IP:

Step 1 - Access the WHM Firewall as above.

Step 2 - Look for the Temporary Allow/Deny option.
(1) Select either allow or deny.
(2) Input the IP address.
(3) Select the ports to whitelist/blacklist on. You can use * for all ports, or type one port or multiple separated by commas: e.g. '25,465,587'.
(4), (5) Select the amount of time you want the IP to remain in the list.
(6) Either press Enter or hit the Temporary Allow/Deny button.

To whitelist an IP address permanently:

Step 1 - Access the WHM Firewall as above.

Step 2 - (1) Find the Quick Allow section, and add your IP address. We would recommend also leaving a comment (e.g. 'Office IP') so that you can tell why this IP was whitelisted later. Select Enter or the Quick Allow button.

Step 3 - (2) Find the Quick Ignore section, and add your IP address as well. Select Enter or the Quick Ignore button.

To blacklist an IP address permanently:

Step 1 - Access the WHM Firewall as above.

Step 2 - Find the Quick Deny section, and add your IP address. (1) We would recommend also leaving a comment (e.g. 'Manually blocked for wp-login abuse') so that you can tell why this IP was blacklisted later. (2) Select Enter or the Quick Deny button.


Remove a Whitelisted or Blacklisted IP
Step 1 - Access the WHM Firewall as above.


Step 2 - To remove a whitelisted IP, click the Firewall Allow IPs button. To remove a blacklisted IP, click the Firewall Deny IPs button.

You will see a screen similar to the one below. Delete the whole line where the IP is listed and click Change at the bottom.



Step 3 - Remove the IP in question from this list and click Change.

Step 4 - Click Edit next to the csf.ignore menu.

Step 5 - Remove the IP in question (if present) and click Change.


Block Ports

Blocking access through unused ports is helpful to reduce the avenues through which your server could be attacked. If your server is not used for email, if SSH access isn't used or if you only want secure SSL connections used for email, you can block the related ports on your server by removing them from the default allow list.

Wikipedia has a guide that lists ports and their standard uses: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers


Step 1 - Access the WHM Firewall as above.


Step 2 - Click on the Firewall Configuration button.

Step 3 - Search for the TCP_IN and TCP_OUT settings. Remove the unused port numbers from these boxes.

Step 4 - Scroll down to the bottom of the page (it's long, so you may want to drag down from the sidebar) and hit Change.


Blacklist or Whitelist countries from accessing your server completely
Before you start, note that IP address lists are large enough that using this option can potentially cause your server speed to drop. We would recommend monitoring your server load and site load speeds for a week or two after making the change.
This will also prevent any email or web traffic from countries not whitelisted. The upside is that this has a significant positive effect on your server security. Finally, the country IP lists are about 99% correct. If a client can't access your server, it's worth performing a lookup on their IP to see if it is classified as the wrong country.

You can also apply blocks on a per-cPanel account basis. Click here for a tutorial. The tutorial assumes your server has Geo_IP installed, and only blocks ports 80 and 443.



Step 1 - Access the WHM Firewall as above.


Step 2 - Click on the Firewall Configuration button.

Step 3 - Find the CC_DENY option. This can be used to prevent access from specific countries. Alternatively, below this is the CC_ALLOW_FILTER option. This creates a list of countries which can access your server normally, while IPs from countries not on this list will be refused access. Note that the 'CC_ALLOW' option should not be used.

Step 4 - Add the required country codes into the Deny or Allow list. A list of country codes can be found at this link.


Step 5 - Scroll down and enable LF_IPSET (this helps mitigate the increased load on your server from these rules).

Step 6 - Scroll down to the bottom of the page (it's long, so you may want to drag down from the sidebar) and hit Change.
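
A way to review the settings from the Block Ports and country steps before pressing Change, as an added example that is not part of the original tutorial. It reads a csf.conf-style file, lists ports in TCP_IN or TCP_OUT that are not on your own list of needed ports, and flags country settings that go against the steps above. The sample file and the needed-ports list are constructed assumptions.

```bash
# Added example, not from the original article; the csf.conf values are constructed.

# Print the value of one KEY = "value" line from a csf.conf-style file.
csf_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Print each port (or start:end range) listed in setting $1 of file $3 that is
# not in the space-separated list of ports you actually use ($2).
unneeded_ports() {
    local p
    for p in $(csf_value "$1" "$3" | tr ',' ' '); do
        case " $2 " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Report country settings that go against the advice in the steps above.
country_findings() {
    if [ -n "$(csf_value CC_ALLOW "$1")" ]; then
        echo "CC_ALLOW is set; the article says not to use it"
    fi
    if [ -n "$(csf_value CC_DENY "$1")$(csf_value CC_ALLOW_FILTER "$1")" ] &&
       [ "$(csf_value LF_IPSET "$1")" != "1" ]; then
        echo "LF_IPSET is off while country rules are active"
    fi
}

conf=$(mktemp)
trap 'rm -f "$conf"' EXIT
cat > "$conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2083,2087"
TCP_OUT = "20,21,22,25,53,80,113,443,587,2087"
CC_DENY = ""
CC_ALLOW = "AU"
CC_ALLOW_FILTER = "AU,NZ"
LF_IPSET = "0"
EOF

# Assumed needs for a web-only server with no email: SSH, DNS, HTTP(S), cPanel, WHM.
unneeded_ports TCP_IN "22 53 80 443 2083 2087" "$conf"
country_findings "$conf"
```

Keep the WHM port (2087 in this sample) and any port you administer the server through on the needed list, since removing it from TCP_IN would cut off your own access.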

© Crucial