wiki:firewall
Differences
| wiki:firewall [2023/06/08 22:23] – guidebeacon | wiki:firewall [2023/10/05 19:29] (current) – guidebeacon | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| The cPanel servers make use of various firewalling features | The cPanel servers make use of various firewalling features | ||
| - | |||
| - | '' | ||
| '' | '' | ||
| - | ===== CSF ===== | + | ===== cPHulk |
| + | '' | ||
| - | ==== Whitelisting IPs ==== | + | '' |
| - | IPs can be whitelisted two different ways, either via the web interface or SSH | + | The script that dumps the whitelist and country blacklist, and imports them into '' |
| - | If using the web interface: | + | ''/ |
| - | - Go to WHM > ConfigServer Security & Firewall | + | ==== Whitelist Management |
| - | - Click " | + | |
| - | - Under "csf - ConfigServer Firewall" | + | |
| - | - Add IP and comment to list how the rest are | + | |
| - | - Click Change | + | |
| - | - Click Restart csf+lfd | + | |
| - | If using shell/ssh | + | In general it is a good idea to whitelist administrative IPs to avoid getting banned. |
| - | - Edit ''/ | + | To do so: |
| - | - Add entries like the others and save the file | + | |
| - | - Run: '' | + | |
| - | ==== Removing Banned IPs ==== | + | - Go to WHM > cPHulk Brute Force Protection |
| + | - Click on Whitelist Management tab | ||
| + | - If logging in from an IP not on the list, there might be a popup with a button that can be pressed to add the current IP to the list. | ||
| + | - If not, add the IP to the box and put a comment with # character if needed. | ||
| + | - When done, click " | ||
| - | === CSF === | + | To remove an IP from the whitelist, just click delete from the same interface. |
| - | While the server only allows whitelisted IPs to connect, it might be possible that the server can ban someone that is on the list if they try to log in too many times. | + | Do not forget |
| - | - Under WHM > ConfigServer Security & Firewall | + | The script runs daily, but running |
| - | - Go to: csf - ConfigServer Firewall | + | |
| - | - Where it says: Search for IP, type in their IP and click Search. | + | |
| - | - If something comes back, click Return | + | |
| - | - Go to: csf - Quick Actions | + | |
| - | - Type in the IP to Quick Unblock and click the button | + | |
| + | **Do not forget to add the IP to each of the 2 accounts, master on chost and beacontechnology on kingscpw01.** | ||
| - | === cPHulk === | + | [[wiki: |
| - | cPHulk can also block IPs for various reasons. | + | ==== Blacklist Management ==== |
| - | To find blacklisted IPs: | + | Sometimes the user might be banned, or can't connect to a specific service for some unknown reason. It could be cPHulk blocking them. |
| - | Go to: WHM > cPHulk Brute Force Protection | + | To unblock: |
| - | Click " | + | |
| - | You should see all IPs block by cPHulk on this page | + | |
| - | If you want to remove an IP from the list, just click Delete and Continue | + | |
| - | You can also whitelist in cPHulk | + | - Go to WHM > cPHulk |
| + | - Click on Blacklist Management tab | ||
| + | - Search for the IP in question, if the IP is unknown, ask the user to go to: ipecho.net and read the IP back. | ||
| + | - When the record is located, click "Delete" | ||
| + | ==== Troubleshooting ==== | ||
| - | ===== Installation General Information ===== | + | It may be the case that sometimes the script gives an error for various reasons, here are some steps to try to fix it: |
| - | Two main things need to be set up | + | - Try rebooting server |
| - | + | - Try making a change in cpHulk like adding/ | |
| - | - CSF needs to be configured to not allow any ports | + | - Try this command: |
| - | - IPs need to be added to the '' | + | - try this command: WARNING, may result in getting locked out, add your IP to '' |
| - | + | ||
| - | ==== Installation ==== | + | |
| - | + | ||
| - | + | ||
| - | The administrative security policy requires that only specified Ips are allow to connect to the dev server. CSF is one of the most popular cPanel plugins to somewhat easily control the linux firewall. | + | |
| - | + | ||
| - | [[https:// | + | |
| - | + | ||
| - | Otherwise, run these commands: | + | |
| - | + | ||
| - | < | + | |
| - | cd /root | + | |
| - | wget https://download.configserver.com/csf.tgz | + | |
| - | tar -xzf csf.tgz | + | |
| - | cd csf | + | |
| - | ./ | + | |
| - | + | ||
| - | # reboot server | + | |
| - | + | ||
| - | sed -ibak 's/^TESTING = " | + | |
| - | sed -r -ibak 's/^TCP_IN = " | + | |
| - | + | ||
| - | sync; csf -ra | + | |
| - | </ | + | |
| ===== Host Access Control ===== | ===== Host Access Control ===== | ||
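Review bot: the procedure for admitting an administrative IP now depends on two separate mechanisms and this hunk should say explicitly that both steps are required: the cPHulk whitelist entry (on both accounts named in the bold warning, master on chost and beacontechnology on kingscpw01) and the nftables set that the script rebuilds from that whitelist. The sentence "The script runs daily, but running" is cut off in the rendered diff; it should end by telling the operator to run the script by hand after editing the whitelist, because until the next scheduled run the new IP is still not admitted at the packet filter even though cPHulk accepts it. The last troubleshooting step has the same problem in reverse: it warns that the command "may result in getting locked out", but neither the command nor the file to add your IP to is visible in the hunk. Spell both out, and put the recovery path (how to regain access if the lockout happens) before the command so an operator reads it first.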
| Line 109: | Line 78: | ||
| - When the WHM Host Access Control page is reloaded, the changes should now be reflected. | - When the WHM Host Access Control page is reloaded, the changes should now be reflected. | ||
| - | ===== cPHulk ===== | + | Also note that rules are dynamically loaded into nftables by '' |
| - | '' | + | ===== update_firewall.sh ===== |
| - | ==== Whitelist Management | + | This script help managing nftables |
| - | In general it is a good idea to whitelist administrative IPs to avoid getting banned. | + | <code bash update_firewall.sh> |
| + | #!/bin/bash | ||
| - | To do so: | + | # this script extends cpHulk to assist managing nftables. |
| - | - Go to WHM > cPHulk Brute Force Protection | + | # country codes selected |
| - | - Click on Whitelist Management tab | + | # whitelisted ips will be included as administratively allowed |
| - | - If logging | + | |
| - | - If not, add the IP to the box and put a comment with # character if needed. | + | |
| - | - When done, click " | + | |
| - | To remove an IP from the whitelist, just click delete from the same interface. | + | set -e |
| + | trap 'catch $? $LINENO' | ||
| - | ==== Blacklist Management ==== | + | catch() { |
| + | if [ " | ||
| + | echo failed to update firewall rules | ||
| + | echo "Error $1 occurred on $2" | ||
| + | fi | ||
| + | } | ||
| - | Sometimes the user might be banned, or can't connect to a specific service for some unknown reason. It could be cPHulk blocking them. | + | geoipdir='/ |
| - | To unblock: | + | whitelist=$(mktemp) |
| + | blacklist=$(mktemp) | ||
| - | - Go to WHM > cPHulk Brute Force Protection | + | # get list of CCs that are blocked |
| - | - Click on Blacklist Management tab | + | cclist=$( whmapi1 |
| - | - Search | + | |
| - | - When the record | + | |
| + | # loop over list and concat all subnets from cpanel free geoip | ||
| + | for i in ${cclist//,/ }; do | ||
| + | grep -oP ' | ||
| + | done | ||
| + | |||
| + | # write list of whitelist ips to temp file | ||
| + | whmapi1 --output=json read_cphulk_records list_name=' | ||
| + | jq -r '.data.ips_in_list | keys[]' | ||
| + | |||
| + | # generate new rules for nftables | ||
| + | { | ||
| + | echo 'flush set inet filter ccblockset' | ||
| + | echo 'flush set inet filter adminwhitelist' | ||
| + | |||
| + | # create whitelist set | ||
| + | | ||
| + | cat $whitelist | tr ' | ||
| + | echo ' }' | ||
| + | |||
| + | # create blacklist set | ||
| + | echo -n 'add element inet filter ccblockset { ' | ||
| + | cat $blacklist | tr ' | ||
| + | echo ' }' | ||
| + | } | nft -f - | ||
| + | |||
| + | echo firewall was successfully updated | ||
| + | </ | ||
| + | |||
| + | ===== Allowing IPs to locked down cpanel accounts ===== | ||
| + | |||
| + | On some accounts, there is htaccess that whitelists IPs for extra security. | ||
| + | |||
| + | The htaccess is normally at: ''/ | ||
| + | |||
| + | The area you are looking for looks something like this: | ||
| + | |||
| + | < | ||
| + | allow from xxx.xxx.xxx.xxx | ||
| + | allow from xxx.xxx.xxx.xxx | ||
| + | allow from xxx.xxx.xxx.xxx | ||
| + | allow from xxx.xxx.xxx.xxx</ | ||
| + | |||
| + | Just add a similar new entry below the last one in the list | ||
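Review bot: update_firewall.sh flushes the adminwhitelist set and repopulates it inside one `nft -f -` batch, so a run that produces an empty $whitelist would strip administrative access, and `set -e` alone does not guard against that: in `whmapi1 --output=json read_cphulk_records ... | jq -r ...` only jq's exit status is checked, so a whmapi1 failure yields an empty file and the script carries on. Add `set -o pipefail` next to `set -e` so the failure reaches the catch trap, and bail out before the nft block when the whitelist has no entries, for example `[ -s "$whitelist" ] || exit 1`. Two smaller points: the two mktemp files are never removed, so every daily run leaks them; add a cleanup trap alongside the existing one, e.g. `trap 'rm -f "$whitelist" "$blacklist"' EXIT`, and quote the variables in the `cat $whitelist | tr` and `cat $blacklist | tr` lines. In the htaccess section at the end, `allow from` is the Apache 2.2 mod_authz_host syntax; Apache 2.4 only accepts it when mod_access_compat is loaded and otherwise rejects it as an unknown directive, with `Require ip` as the native equivalent, so the page should state which form the servers' Apache build expects before telling the reader to add a similar entry.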
wiki/firewall.1686263028.txt.gz · Last modified: 2023/06/08 22:23 by guidebeacon