
Block all except .... on port 22

Posted: 23 Sep 2015, 09:42
by rjbathgate
Hi,

I'm having trouble getting CSF firewall to work...

My understanding is that the default behaviour is block/deny all. However this doesn't seem to be happening.

In csf.allow I have:

my.ip.address.here

And then I want to "Block all other access to port 22 / ssh"

I would have expected this to work by default if the default is deny all but nope.

I added the following to csf.deny:
tcp|in|d=22|s=0.0.0.0

And still I can SSH in from another IP.

And if I add:
0.0.0.0/22

Again I can still SSH from another IP.

I can only block IPs by using:
0.0.0.0/0

However this blocks ALL ports, so the end user cannot even see port 80/website.

Ultimately I want to:

Allow anyone to see port 80 and 433
Block everyone apart from my IPs on port 22 and 21

Any advice, most appreciated.

Many thanks

Re: Block all except .... on port 22

Posted: 24 Sep 2015, 14:10
by maever
Hello rjbathgate,
My understanding is that the default behaviour is block/deny all. However this doesn't seem to be happening.
ConfigServer is simply an (advanced) shell around regular iptables in Linux.
It blocks all ports except for:
  • Ports that are opened in the csf.conf TCP_IN and UDP_IN values (for both IPv4 and IPv6)
  • IPs that are whitelisted in allow.conf (for either specific ports or everything)
(anyone please correct me if I'm wrong)
I added the following to csf.deny:
tcp|in|d=22|s=0.0.0.0
There is no need for adding the above to deny.conf, you may remove it.
What you need to do is open csf.conf and simply make sure your TCP_IN option directive only contains port 80 and 443. Then proceed to whitelisting only the IPs you want access to all ports.

With the example below in your csf.conf you should be able to achieve what you desire.


TCP_IN = 80,443
Though I must note that closing all ports is safe, be sure you aren't closing off any critical services like DNS or email if you wish to use those.

I also would recommend you read through all options of the csf.conf. Although it may not be a problem for you, csf by default monitors failed login attempts for ssh, cPanel and even htaccess, which could issue bans regardless, so be sure to add your IPs to csf.ignore.
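An added example, not from either poster, of the configuration described in the reply above, with the weak csf.conf setting beside the corrected one and the whitelist narrowed to ports 21 and 22 using the same protocol|direction|d=port|s=address syntax that appears in the first post's csf.deny line (203.0.113.10 is a constructed placeholder for the admin address):

```ini
# --- /etc/csf/csf.conf, weak: SSH (22) and FTP (21) are reachable from any address ---
# With these ports in TCP_IN, csf.allow entries add nothing; the world is already in.
TCP_IN = "21,22,80,443"

# --- /etc/csf/csf.conf, corrected: only the public web ports are open to everyone ---
# Every other inbound TCP port is dropped unless a csf.allow entry opens it.
TCP_IN = "80,443"
# UDP_IN and TCP_OUT are left alone here. If this host also serves DNS or mail,
# keep those ports (e.g. 53 in UDP_IN) or they will be closed as well.

# --- /etc/csf/csf.allow: open 22 and 21 to the admin address only ---
# A bare address here would whitelist it on every port; the advanced form
# restricts the exception to one destination port per line.
tcp|in|d=22|s=203.0.113.10
tcp|in|d=21|s=203.0.113.10

# --- /etc/csf/csf.ignore: stop lfd from temp-banning the admin address after failed logins ---
203.0.113.10
```

Apply the change with `csf -r` and confirm a new SSH session from the whitelisted address still works before closing the session you edited from, since port 22 is now reachable only through the csf.allow entry.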

Re: Block all except .... on port 22

Posted: 24 Sep 2015, 14:17
by rjbathgate
Hi

Ah ha

What you need to do is open csf.conf and simply make sure your TCP_IN option directive only contains port 80 and 443. Then proceed to whitelisting only the IPs you want access to all ports.

That makes sense, thanks.

However... in the meantime I have found, and set up the built in "Host Access Control" option in WHM -- didn't know it was built in until yesterday!

Thanks anyway for your help :-)

Re: Block all except .... on port 22

Posted: 24 Sep 2015, 14:33
by maever
I would still recommend CSF; it implements numerous safety conventions and has a nice checklist to help you properly secure your server (cPanel still leaves a lot to chance).