Restrict FTP and cPanel Ports Access to Certain Countries in CSF Firewall

A very good way to increase your cPanel server security is to restrict access to the FTP and cPanel ports to the countries where you have customers, and deny access from all other countries.

Restrict FTP and cPanel Ports Access to Certain Countries

CSF Firewall is an incredible and advanced security suite that lets us configure many aspects of how our network traffic is handled. In this particular case, we can use CSF Firewall to block all access to the FTP and cPanel ports from places where you don’t have any customers.

Let’s suppose you are a local Brazilian company. Due to language barriers, you don’t have any traffic from places other than Brazil or Portugal (both countries speak the same language and probably share the same web hosting market and customers). You can restrict FTP and cPanel port access to these countries using CSF Firewall rules.

Let’s configure CSF to restrict FTP and cPanel Ports access to certain countries. Follow my steps:

Edit CSF Firewall configuration by running:

nano -w /etc/csf/csf.conf

Remove the following ports from your TCP_IN and UDP_IN variables.

20,21,2082,2083,2086,2087,2095,2096

Now, hit CTRL + W, search for ‘CC_ALLOW_PORTS’ and include the countries you want to allow traffic from. Following our previous example of a Brazilian hosting company, we could allow traffic only from Brazil and Portugal:

CC_ALLOW_PORTS = "BR,PT"

Now search for these two variables: ‘CC_ALLOW_PORTS_TCP’ and ‘CC_ALLOW_PORTS_UDP’.

Configure those variables as you see below:

CC_ALLOW_PORTS_TCP = "20,21,2082,2083,2086,2087,2095,2096"
CC_ALLOW_PORTS_UDP = "20,21,2082,2083,2086,2087,2095,2096"

That’s it. You are now allowing TCP and UDP traffic only from your allowed countries on the common FTP and cPanel (20,21), WHM (2082,2083) and Webmail (2095, 2096) ports.


Restart CSF and LFD to apply changes:

csf -r
service lfd restart

Wait a couple of minutes, and restart csf again until you see something like this:

csf: FASTSTART loading CC_ALLOW_PORTS [br] (IPv4)
csf: FASTSTART loading CC_ALLOW_PORTS [pt] (IPv4)
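
Removing the ports from TCP_IN and UDP_IN is the step that is easiest to miss: any port still listed there stays open to every country, whatever CC_ALLOW_PORTS says. The script below is an added example, not part of the original article; it reads a csf.conf and lists such ports, including ones covered by a lo:hi range. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): list ports that are
# country-restricted in csf.conf but still globally open in TCP_IN/UDP_IN.

# Print the quoted value of one csf.conf setting (last assignment wins).
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# Return 0 if port $1 is covered by CSF port list $2 (commas, lo:hi ranges).
port_in_list() {
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *:*) if [ "$1" -ge "${item%%:*}" ] && [ "$1" -le "${item##*:}" ]; then return 0; fi ;;
            "$1") return 0 ;;
        esac
    done
    return 1
}

# Print "PROTO PORT" for each restricted port that the global list still
# opens. Assumes CC_ALLOW_PORTS_* hold single ports, as in this article.
csf_geo_leaks() {
    for proto in TCP UDP; do
        open=$(csf_get "${proto}_IN" "$1")
        for port in $(csf_get "CC_ALLOW_PORTS_${proto}" "$1" | tr ',' ' '); do
            if port_in_list "$port" "$open"; then
                echo "$proto $port"
            fi
        done
    done
}

# Constructed sample config: 21 and the 2080:2090 range were left in TCP_IN,
# and 20,21 were left in UDP_IN.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TCP_IN = "21,22,25,80,443,2080:2090"
UDP_IN = "20,21,53"
CC_ALLOW_PORTS = "BR,PT"
CC_ALLOW_PORTS_TCP = "20,21,2082,2083,2086,2087,2095,2096"
CC_ALLOW_PORTS_UDP = "20,21,2082,2083,2086,2087,2095,2096"
EOF
csf_geo_leaks "$sample"   # on a real server: csf_geo_leaks /etc/csf/csf.conf
rm -f "$sample"
```

An empty result means every restricted port has been removed from the global lists.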

How can I deactivate this access restriction?

To deactivate this country restriction and allow traffic from all countries, you just need to reverse the previous steps:

  • Remove all values from the CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP variables.
  • Add your ports again to TCP_IN and UDP_IN.
  • Save your changes and restart CSF + LFD.

Conclusion

That’s all for today. At this point you should know how to restrict FTP and cPanel port access to certain countries in CSF Firewall. This should increase your security a lot, and you should get fewer attacks from foreign countries than ever.

If some of your users complain they can’t reach your FTP or cPanel/WHM/Webmail ports, first check where they are located, or whether they are using a VPS connection. If they are travelling outside your allowed countries, you will need to add those countries to your firewall rules.

 

About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.
