Differences

This shows you the differences between two versions of the page.

--- wiki:firewall [2023/06/08 22:04] – [Whitelisting IPs] guidebeacon
+++ wiki:firewall [2023/10/05 19:29] (current) – guidebeacon
@@ Line 1: / Line 1: @@
 ====== Firewall ======
-Beacontechnology uses CSF to manage the linux firewall
+The cPanel servers make use of various firewalling features
-===== General Management =====
+''chost.beacontechnology'' uses ''Host Access Control'' to manage the Linux firewall (nftables).
-==== Whitelisting IPs ====
+===== cPHulk =====
-IPs can be whitelisted two different ways, either via the web interface or SSH
+''cPHulk'' is part of cPanel and will ban IPs that log too many login failures. ''cPHulk'' does not normally completely firewall off blocked IPs, and instead only blocks them from logging in. This is fixed by a custom script that imports these rules into nftables on a schedule.
-If using the web interface:
+''cPHulk'' has a whitelist, blacklist and country management feature. These are managed by the user.
-  - Go to WHM > ConfigServer Security & Firewall
+The script that dumps the whitelist and country blacklist, and imports them into ''nftables''.
-  - Click "csf" tab near the top, under the banners
-  - Under "csf - ConfigServer Firewall" click "Firewall Allow IPs"
-  - Add IP and comment to list how the rest are
-  - Click Change
-  - Click Restart csf+lfd
-If using shell/ssh
+''/etc/cron.daily/update_firewall.sh''
-  - Edit ''/etc/csf/csf.allow''
+==== Whitelist Management  ====
-  - Add entries like the others and save the file
-  - Run: ''csf -ra'' to restart/reload CSF
+In general it is a good idea to whitelist administrative IPs to avoid getting banned.
+To do so:
+  - Go to WHM > cPHulk Brute Force Protection
+  - Click on Whitelist Management tab
+  - If logging in from an IP not on the list, there might be a popup with a button that can be pressed to add the current IP to the list.
+  - If not, add the IP to the box and put a comment with # character if needed.
+  - When done, click "Add"
+To remove an IP from the whitelist, just click delete from the same interface.
+Do not forget to update the firewall by running the script: ''/etc/cron.daily/update_firewall.sh''
+The script runs daily, but running it now will immediately update the firewall.
+**Do not forget to add the IP to each of the 2 accounts, master on chost and beacontechnology on kingscpw01.**
+[[wiki:firewall#allowing_ips_to_locked_down_cpanel_accounts|Click here to learn more]]
+==== Blacklist Management ====
+Sometimes the user might be banned, or can't connect to a specific service for some unknown reason. It could be cPHulk blocking them.
+To unblock:
+  - Go to WHM > cPHulk Brute Force Protection
+  - Click on Blacklist Management tab
+  - Search for the IP in question, if the IP is unknown, ask the user to go to: ipecho.net and read the IP back.
+  - When the record is located, click "Delete"
+==== Troubleshooting ====
+It may  be the case that sometimes the script gives an error for various reasons, here are some steps to try to fix it:
+  - Try rebooting server
+  - Try making a change in cpHulk like adding/removing an IP and trying again
+  - Try this command: ''nft flush set inet filter ccblockset'' and try again
+  - try this command: WARNING, may result in getting locked out, add your IP to ''/etc/sysconfig/nftables.conf'' before proceeding... ''nft flush set inet filter adminwhitelist''
+===== Host Access Control =====
 New instructions:
-CSF is no longer necessary, baked into cPanel is now: Host Access Control
+CSF is no longer necessary, a basic firewall solution now comes with cPanel and is called ''Host Access Control''.
-Host Access Control provides a basic firewall interface that integrates with Linux nftables.
+''Host Access Control'' provides a basic firewall interface that integrates with Linux nftables.
 The current rules can be viewed by going to WHM > Host Access Control
@@ Line 42: / Line 77: @@
   - run the command: ''systemctl restart nftables.service''
   - When the WHM Host Access Control page is reloaded, the changes should now be reflected.
-==== Removing Banned IPs ====
-=== CSF ===
+Also note that rules are dynamically loaded into nftables by ''update_firewall.sh''.
-While the server only allows whitelisted IPs to connect, it might be possible that the server can ban someone that is on the list if they try to log in too many times.
+===== update_firewall.sh =====
-  - Under WHM > ConfigServer Security & Firewall
+This script help managing nftables
-  - Go to: csf - ConfigServer Firewall
-  - Where it says: Search for IP, type in their IP and click Search.
-  - If something comes back, click Return
-  - Go to: csf - Quick Actions
-  - Type in the IP to Quick Unblock and click the button
+<code bash update_firewall.sh>
+#!/bin/bash
-=== cPHulk ===
+# this script extends cpHulk to assist managing nftables.
-cPHulk can also block IPs for various reasons.
+# country codes selected in CPhulk will be banned at the IP level
+# whitelisted ips will be included as administratively allowed
-To find blacklisted IPs:
+set -e
+trap 'catch $? $LINENO' EXIT
-Go to: WHM > cPHulk Brute Force Protection
+catch() {
-Click "Blacklist Management"
+  if [ "$1" != "0" ]; then
-You should see all IPs block by cPHulk on this page
+    echo failed to update firewall rules
-If you want to remove an IP from the list, just click Delete and Continue
+    echo "Error $1 occurred on $2"
+  fi
+}
-You can also whitelist in cPHulk as well by going to the "Whitelist Management page". If you are whitelisting yourself from your current machine, you can just click "Add to Whitelist" on the red box.
+geoipdir='/usr/local/cpanel/3rdparty/share/geoipfree/country-cidrs'
+whitelist=$(mktemp)
+blacklist=$(mktemp)
-===== Installation General Information =====
+# get list of CCs that are blocked
+cclist=$( whmapi1 --output=json load_cphulk_config |
+          jq -r '.data.cphulk_config.country_blacklist' )
-Two main things need to be set up
+# loop over list and concat all subnets from cpanel free geoip
+for i in ${cclist//,/ }; do
+  grep -oP '(\d+\.){3}\d+/\d+' $geoipdir/$i | tr '\n' ',' >> $blacklist
+done
-  - CSF needs to be configured to not allow any ports
+# write list of whitelist ips to temp file
-  - IPs need to be added to the ''csf.allow'' list
+whmapi1 --output=json read_cphulk_records list_name='white' |
+        jq -r '.data.ips_in_list | keys[]' | grep -oP '(\d+\.){3}\d+' > $whitelist
-==== Installation ====
+# generate new rules for nftables
+{
+  echo 'flush set inet filter ccblockset'
+  echo 'flush set inet filter adminwhitelist'
+  # create whitelist set
+  echo -n 'add element inet filter adminwhitelist { '
+  cat $whitelist | tr '\n' ','
+  echo ' }'
-The administrative security policy requires that only specified Ips are allow to connect to the dev server. CSF is one of the most popular cPanel plugins to somewhat easily control the linux firewall.
+  # create blacklist set
+  echo -n 'add element inet filter ccblockset { '
+  cat $blacklist | tr '\n' ','
+  echo ' }'
+} | nft -f -
-[[https://docs.cpanel.net/knowledge-base/security/additional-security-software/#configserver-software|Click Here]] for the documentation to set up CSF.
+echo firewall was successfully updated
+</code>
-Otherwise, run these commands:
+===== Allowing IPs to locked down cpanel accounts =====
-<code>
+On some accounts, there is htaccess that whitelists IPs for extra security.
-cd /root
-wget https://download.configserver.com/csf.tgz
-tar -xzf csf.tgz
-cd csf
-./install.cpanel.sh
-# reboot server
+The htaccess is normally at: ''/home/username/public_html/.htaccess''
-sed -ibak 's/^TESTING = "1"/TESTING = "0"/'
+The area you are looking for looks something like this:
-sed -r -ibak 's/^TCP_IN = "[0-9,]+"/TCP_IN = ""/' /etc/csf/csf.conf
-sync; csf -ra
+<code>order allow,deny
-</code>
+allow from xxx.xxx.xxx.xxx
+allow from xxx.xxx.xxx.xxx
+allow from xxx.xxx.xxx.xxx
+allow from xxx.xxx.xxx.xxx</code>
+Just add a similar new entry below the last one in the list