Restrict FTP and cPanel Ports Access to Certain Countries in CSF Firewall

A very good way to increase your cPanel Server Security is to restrict FTP and cPanel Ports access to Countries where you do have customers, and deny the rest of the countries where you don’t have any customers.

Restrict FTP and cPanel Ports Access to Certain Countries

CSF Firewall is an incredible and advanced security suite that let us configure many things regarding how we can handle our network traffic. In this particular case, we can use CSF Firewall to block all access to FTP and cPanel Ports from places where you don’t have any customers.

Let’s suppose you are a local Brazilian company, due to language barriers you don’t have any traffic from other places rather than Brazil, or Portugal (both countries speak the same language, probably share same web hosting market and customers). You can restrict FTP and cPanel Ports access to this countries using CSF Firewall rules.

Let’s configure CSF to restrict FTP and cPanel Ports access to certain countries. Follow my steps:

Edit CSF Firewall configuration by running:

nano -w /etc/csf/csf.conf

Remove the following ports from your TCP_IN and UDP_IN variables.

20,21,2082,2083,2086,2087,2095,2096

Now, hit CTRL + W and search for ‘CC_ALLOW_PORTS’ and include the countries where you do want to allow traffic from. Following our previous example of a brazilian hosting company, we could allow only traffic from Brazil and Portugal, for example:

CC_ALLOW_PORTS = "BR,PT"

Now search for this two variables: ‘CC_ALLOW_PORTS_TCP’ and ‘CC_ALLOW_PORTS_UDP’.

Configure those variables as you see below:

CC_ALLOW_PORTS_TCP = "20,21,2082,2083,2086,2087,2095,2096"
CC_ALLOW_PORTS_UDP = "20,21,2082,2083,2086,2087,2095,2096"

That’s it, now you are allowing TCP and UDP traffic only for your allowed countries for the common FTP and cPanel (20,21), WHM (2082,2083) and Webmail (2095, 2096) ports.

Restrict FTP and cPanel Ports Access

Restart CSF and LFD to apply changes:

csf -r
service lfd restart

Wait a couple of minutes, and restart csf again until you see something like this:

csf: FASTSTART loading CC_ALLOW_PORTS [br] (IPv4)
csf: FASTSTART loading CC_ALLOW_PORTS [pt] (IPv4)

How can I deactivate this access restriction?

In order to deactivate this country restriction and allow all traffic from all countries, you just need to do the opposite steps than the previous stated before:

  • Remove all values from CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP variables.
  • Add your ports again to TCP_IN and UDP_IN
  • Save your changes and restart CSF  + LFD.

Conclusion

That’s all for today, at this point now you should know how to restrict FTP and cPanel Ports access to certain countries in CSF Firewall, this should increase your security a lot, and you should get less attacks from foreing countries than ever.

If some of your users complain they can’t reach your FTP or cPanel/WHM/Webmail ports, then first check out where are they located from, or if they are using a VPS connection. If they are travelling outside your allowed countries, you will need add those countries to your firewall rules.

 

About the Author: Martin Keler

Leave a Reply

Your email address will not be published. Required fields are marked *