wiki:firewall

Differences

This shows you the differences between two versions of the page.

wiki:firewall [2023/06/08 22:25] guidebeaconwiki:firewall [2023/10/05 19:29] (current) guidebeacon
Line 2: Line 2:
  
 The cPanel servers make use of various firewalling features The cPanel servers make use of various firewalling features
- 
-''dev.beacontechnology.com'' uses ''CSF'' to manage the Linux firewall (iptables). 
  
 ''chost.beacontechnology'' uses ''Host Access Control'' to manage the Linux firewall (nftables). ''chost.beacontechnology'' uses ''Host Access Control'' to manage the Linux firewall (nftables).
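Review bot: dropping the ''dev.beacontechnology.com'' / CSF sentence leaves the page saying nothing about that host at all, while the surrounding text still speaks of "the cPanel servers" in the plural. If the dev server was retired or moved to Host Access Control and nftables, one sentence stating that here would stop a reader from assuming it is still CSF-managed and following the (now removed) CSF instructions from memory.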
Line 9: Line 7:
 ===== cPHulk ===== ===== cPHulk =====
  
-''cPHulk'' is part of cPanel and will ban IPs that log too many login failures.+''cPHulk'' is part of cPanel and will ban IPs that log too many login failures. ''cPHulk'' does not normally completely firewall off blocked IPs, and instead only blocks them from logging in. This is fixed by a custom script that imports these rules into nftables on a schedule. 
 + 
 +''cPHulk'' has a whitelist, blacklist and country management feature. These are managed by the user. 
 + 
 +The script that dumps the whitelist and country blacklist, and imports them into ''nftables''
 + 
 +''/etc/cron.daily/update_firewall.sh''
  
 ==== Whitelist Management  ==== ==== Whitelist Management  ====
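Review bot: the new first paragraph claims the custom script makes cPHulk's brute-force bans reach the firewall ("will ban IPs that log too many login failures ... This is fixed by a custom script that imports these rules into nftables on a schedule"), but the sentence a few lines below describes the script as the one "that dumps the whitelist and country blacklist" only. Those are different lists: a per-IP ban for repeated login failures is not a country block, so as documented nothing carries the brute-force bans into ''nftables''. Either state plainly that brute-force bans remain login-only blocks, or document where those bans are exported, so an operator does not assume a banned address is also unreachable at the packet level.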
Line 24: Line 28:
  
 To remove an IP from the whitelist, just click delete from the same interface. To remove an IP from the whitelist, just click delete from the same interface.
 +
 +Do not forget to update the firewall by running the script: ''/etc/cron.daily/update_firewall.sh''
 +
 +The script runs daily, but running it now will immediately update the firewall.
 +
 +**Do not forget to add the IP to each of the 2 accounts, master on chost and beacontechnology on kingscpw01.**
 +
 +[[wiki:firewall#allowing_ips_to_locked_down_cpanel_accounts|Click here to learn more]]
  
 ==== Blacklist Management ==== ==== Blacklist Management ====
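Review bot: ''kingscpw01'' appears here for the first time and nowhere else on the page, while the introduction only names ''chost.beacontechnology''; add that host to the server list at the top (or link its page) so "add the IP to each of the 2 accounts" is actionable for someone who has not been told the second host exists. Since running ''/etc/cron.daily/update_firewall.sh'' is what makes a whitelist entry reach ''nftables'', the bold reminder should also say whether the script has to be run on both hosts or only on chost.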
Line 35: Line 47:
   - Search for the IP in question, if the IP is unknown, ask the user to go to: ipecho.net and read the IP back.   - Search for the IP in question, if the IP is unknown, ask the user to go to: ipecho.net and read the IP back.
   - When the record is located, click "Delete"   - When the record is located, click "Delete"
 +
 +==== Troubleshooting ====
 +
 +It may  be the case that sometimes the script gives an error for various reasons, here are some steps to try to fix it:
 +
 +  - Try rebooting server
 +  - Try making a change in cpHulk like adding/removing an IP and trying again
 +  - Try this command: ''nft flush set inet filter ccblockset'' and try again
 +  - try this command: WARNING, may result in getting locked out, add your IP to ''/etc/sysconfig/nftables.conf'' before proceeding... ''nft flush set inet filter adminwhitelist''
  
 ===== Host Access Control ===== ===== Host Access Control =====
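Review bot: the lockout safeguard in step 4 is incomplete. ''nft flush set inet filter adminwhitelist'' empties the live set immediately, whereas an entry added to ''/etc/sysconfig/nftables.conf'' only takes effect when nftables reloads that file (service restart or boot), so between the flush and the next successful run of the script the operator's own address is not in the running ruleset at all. Tell the reader to put the address where the running ruleset will actually see it, for example as a cPHulk whitelist entry (which the script re-imports) or by adding it to the live set in the same command, and keep the conf-file edit as the reboot-survival step. Two smaller points: order the list least-disruptive first, since "Try rebooting server" as step 1 is the most disruptive option and the steps after it are cheaper to try, and capitalise "try" in step 4 to match the others.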
Line 57: Line 78:
   - When the WHM Host Access Control page is reloaded, the changes should now be reflected.   - When the WHM Host Access Control page is reloaded, the changes should now be reflected.
  
-===== CSF =====+Also note that rules are dynamically loaded into nftables by ''update_firewall.sh''.
  
-CSF is a third party addon for cPanel.+===== update_firewall.sh =====
  
-==== Whitelisting IPs ====+This script help managing nftables
  
-IPs can be whitelisted two different ways, either via the web interface or SSH+<code bash update_firewall.sh> 
 +#!/bin/bash
  
-If using the web interface:+# this script extends cpHulk to assist managing nftables.
  
-  - Go to WHM > ConfigServer Security & Firewall +# country codes selected in CPhulk will be banned at the IP level 
-  - Click "csf" tab near the top, under the banners +# whitelisted ips will be included as administratively allowed
-  - Under "csf - ConfigServer Firewall" click "Firewall Allow IPs" +
-  - Add IP and comment to list how the rest are +
-  - Click Change +
-  - Click Restart csf+lfd+
  
-If using shell/ssh+set -e 
 +trap 'catch $? $LINENO' EXIT
  
-  - Edit ''/etc/csf/csf.allow'' +catch() { 
-  - Add entries like the others and save the file +  if [ "$1" != "0" ]; then 
-  - Run: ''csf -ra'' to restart/reload CSF+    echo failed to update firewall rules 
 +    echo "Error $1 occurred on $2" 
 +  fi 
 +}
  
-==== Removing Banned IPs ====+geoipdir='/usr/local/cpanel/3rdparty/share/geoipfree/country-cidrs'
  
-=== CSF ===+whitelist=$(mktemp) 
 +blacklist=$(mktemp)
  
-While the server only allows whitelisted IPs to connect, it might be possible that the server can ban someone that is on the list if they try to log in too many times.+# get list of CCs that are blocked 
 +cclist=$( whmapi1 --output=json load_cphulk_config | 
 +          jq -r '.data.cphulk_config.country_blacklist' )
  
-  - Under WHM > ConfigServer Security & Firewall +# loop over list and concat all subnets from cpanel free geoip 
-  - Go to: csf - ConfigServer Firewall +for i in ${cclist//,/ }; do 
-  - Where it says: Search for IPtype in their IP and click Search. +  grep -oP '(\d+\.){3}\d+/\d+' $geoipdir/$i | tr '\n' ',' >> $blacklist 
-  - If something comes backclick Return +done
-  - Go to: csf - Quick Actions +
-  - Type in the IP to Quick Unblock and click the button+
  
-=== cPHulk ===+# write list of whitelist ips to temp file 
 +whmapi1 --output=json read_cphulk_records list_name='white'
 +        jq -r '.data.ips_in_list | keys[]' | grep -oP '(\d+\.){3}\d+' > $whitelist
  
-cPHulk can also block IPs for various reasons.+# generate new rules for nftables 
 +
 +  echo 'flush set inet filter ccblockset' 
 +  echo 'flush set inet filter adminwhitelist'
  
-To find blacklisted IPs:+  # create whitelist set 
 +  echo -n 'add element inet filter adminwhitelist { ' 
 +  cat $whitelist | tr '\n' ',' 
 +  echo ' }'
  
-Go to: WHM > cPHulk Brute Force Protection +  # create blacklist set 
-Click "Blacklist Management" +  echo -n 'add element inet filter ccblockset { ' 
-You should see all IPs block by cPHulk on this page +  cat $blacklist | tr '\n' ',
-If you want to remove an IP from the listjust click Delete and Continue+  echo ' }' 
 +} | nft -f -
  
-You can also whitelist in cPHulk as well by going to the "Whitelist Management page". If you are whitelisting yourself from your current machine, you can just click "Add to Whitelist" on the red box.+echo firewall was successfully updated 
 +</code>
  
-===== Installation General Information =====+===== Allowing IPs to locked down cpanel accounts =====
  
-Two main things need to be set up+On some accounts, there is htaccess that whitelists IPs for extra security.
  
-  - CSF needs to be configured to not allow any ports +The htaccess is normally at: ''/home/username/public_html/.htaccess''
-  - IPs need to be added to the ''csf.allow'' list+
  
-==== Installation ====+The area you are looking for looks something like this:
  
-The administrative security policy requires that only specified Ips are allow to connect to the dev serverCSF is one of the most popular cPanel plugins to somewhat easily control the linux firewall.+<code>order allow,deny 
 +allow from xxx.xxx.xxx.xxx 
 +allow from xxx.xxx.xxx.xxx 
 +allow from xxx.xxx.xxx.xxx 
 +allow from xxx.xxx.xxx.xxx</code>
  
-[[https://docs.cpanel.net/knowledge-base/security/additional-security-software/#configserver-software|Click Here]] for the documentation to set up CSF. +Just add a similar new entry below the last one in the list
- +
-Otherwise, run these commands: +
- +
-<code> +
-cd /root +
-wget https://download.configserver.com/csf.tgz +
-tar -xzf csf.tgz +
-cd csf +
-./install.cpanel.sh +
- +
-# reboot server +
- +
-sed -ibak 's/^TESTING = "1"/TESTING = "0"/' +
-sed -r -ibak 's/^TCP_IN = "[0-9,]+"/TCP_IN = ""/' /etc/csf/csf.conf +
- +
-sync; csf -ra +
-</code>+
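Review bot: the script flushes ''adminwhitelist'' and then refills it from whatever the ''whmapi1 ... read_cphulk_records list_name='white''' step produced, with no check that the temp file is non-empty; a failed or empty API response therefore turns into a firewall with no administratively allowed addresses, which is exactly the lockout the Troubleshooting section warns about. Test that ''$whitelist'' has at least one line before the flush and abort otherwise. As transcribed, the script also does not parse: the ''whmapi1 --output=json read_cphulk_records list_name='white''' line has no ''|'' before the ''jq'' on the next line, the group that ends in ''} | nft -f -'' has no opening ''{'' before ''echo 'flush set inet filter ccblockset''', and ''cat $blacklist | tr '\n' ','' is missing its closing quote; if those are copy losses, fix the wiki copy, because this block will be pasted verbatim. The whitelist extraction ''grep -oP '(\d+\.){3}\d+''' matches only bare IPv4 addresses, so a CIDR whitelist entry silently loses its mask and becomes a single host and any IPv6 entry is dropped. In the country loop, ''jq -r'' prints the literal string ''null'' when ''country_blacklist'' is unset, so the loop greps ''$geoipdir/null'', and because the pipeline's status is that of ''tr'' (no ''set -o pipefail''), a missing or misnamed country file yields an empty block set instead of an error; add ''set -o pipefail'' and a ''[ -f "$geoipdir/$i" ]'' check. Finally, the two ''mktemp'' files are never removed; delete them in the ''catch'' trap so repeated daily runs do not accumulate copies of the whitelist in ''/tmp''.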
wiki/firewall.1686263151.txt.gz · Last modified: 2023/06/08 22:25 by guidebeacon
