Firewall & Security

Firewall in ISP Manager is a software system that is configured on the server to deny/allow services based on a specified rule. The rule defines which services will be allowed through the firewall and which one should be avoided. The firewall module is used to handle the network connections and also create Firewall rules to accept or deny connections. There is an option in ISP Manager firewall to filter the requests coming from a particular country. In this tutorial, we are going to discuss how we can block a countries request in the ISP Manager Control Panel. 1) Login into the ISP manager. 2) Click on “Firewall” under the “Cluster Settings”. 3) Click on “Countries” which will lead to another page in which it will list all the countries. 4) In this page, you can see all the countries listed with their country code. You can select any country you would like to block the traffic and then click on “Block” as shown in the screenshot. 5)Click on “OK” to confirm your request. 6) Now you have blocked the traffic from the particular country you have selected. The glowing bulb means the traffic is blocked and the off bulb means the traffic is unblocked. This page shows which all countries traffic is blocked on the ISP manager control panel by looking at the status of the bulb symbol. If you need any further help please do reach our support department.

By any chance, if you get access denied when accessing cPanel account, do not try to login multiple time at that situation! If you are using wrong login credentials to access the cPanel and you have already tried 10 or 20 times in 5 minutes, then by that time your public IP will be blocked in the CSF firewall. So before trying to login to your cPanel account, you have to make sure that the Login credentials are correct and valid and they are the exact one in the Welcome Email Guide, that was sent to the registered email account with the hosting package. Block due to failed POP3/IMAP login attempts If you are seeing the error windows of IMAP/POP3 failed authentication in your email client, then most probably the login credentials you are currently using for the email account are outdated/incorrect. In this case, also you will end up with your IP get blocked in the CSF as the email client will not stop trying to access the mail server with that wrong credentials. Block due to failed SMTP login attempts Another way is that in any case if the SMTP authentication gets invalid so that you are unable to send email from the email client. So it is important to take care of the SMTP credentials to login, make sure that you are using the full email address and the correct password. Incorrect email client settings In some cases, the email client settings also cause for an IP block. Failed FTP/SSH loginIf you are accessing the server via FTP with some FTP client, then make sure that you are using the correct login details with the FTP client. Also if you are using incorrect port number to log in then also your IP get blocked in the firewall. Failed web page loginIn some cases, if the website needs authentication to further check as the website has some type of protected directory. Please make sure you use correct login details in the authentication box. Otherwise, there is a chance for your IP get blocked.   Edit CSF Configuration 1) SSH to the server. 2) Open the file csf.conf. # vi /etc/csf/csf.conf   3) Check the following parameters in the file csf.conf you have opened,  LT_POP3D = “value” In the place of value if you replace with a number then the failed POP3 login attempt times per hour per account per IP address is greater than the IP gets blocked. Put the value to zero to disable the option. Please keep in mind that the IP is blocked temporarily and it automatically unblocks after an hour! LT_IMAPD = “value” CSF will check the value corresponding to the LT_IMAPD and compare it the number of IMAP login failure and if the failure count is greater than the value mentioned hen the IP will be blocked. Using a high number is recommended other than putting zero as (0=option as disabled). Since this is the temporary block for an hour after that the IP will be unblocked!   LF_SSHD = “value” LF_SSHD_PERM = “value” These are the option in CSF to enabled to detect the login failure for sshd connections to the server. LF_FTPD = “value” LF_FTPD_PERM = “value” This option is enabled to check the login failure of ftp connections, compare the value with the login failure count and if the login failure is greater corresponding IP will be blocked. LF_SMTPAUTH = “value” LF_SMTPAUTH_PERM = “value” This parameter in the CSF will check the login failure of SMTP AUTH connections and the failure counts gets higher than the value set then the IP gets blocked. LF_POP3D = “value” LF_POP3D_PERM = “value” This option is enabled to check the login failure of pop3 connections to the server. LF_IMAPD = “value” LF_IMAPD_PERM = “value” Through this option enabled the CSF will check the login failure of imap connections to the server. 4) You need to restart the csf after that for the changes made to take effect server wide. Run the below command to restart the CSF.  # csf -r

By any chance, if you get access denied when accessing cPanel account, do not try to login multiple time at that situation! If you are using wrong login credentials to access the cPanel and you have already tried 10 or 20 times in 5 minutes, then by that time your public IP will be blocked in the CSF firewall. So before trying to login to your cPanel account, you have to make sure that the Login credentials are correct and valid and they are the exact one in the Welcome Email Guide, that was sent to the registered email account with the hosting package. Block due to failed POP3/IMAP login attempts If you are seeing the error windows of IMAP/POP3 failed authentication in your email client, then most probably the login credentials you are currently using for the email account are outdated/incorrect. In this case, also you will end up with your IP get blocked in the CSF as the email client will not stop trying to access the mail server with that wrong credentials. Block due to failed SMTP login attempts Another way is that in any case if the SMTP authentication gets invalid so that you are unable to send email from the email client. So it is important to take care of the SMTP credentials to login, make sure that you are using the full email address and the correct password. Incorrect email client settings In some cases, the email client settings also cause for an IP block. Failed FTP/SSH loginIf you are accessing the server via FTP with some FTP client, then make sure that you are using the correct login details with the FTP client. Also if you are using incorrect port number to log in then also your IP get blocked in the firewall. Failed web page loginIn some cases, if the website needs authentication to further check as the website has some type of protected directory. Please make sure you use correct login details in the authentication box. Otherwise, there is a chance for your IP get blocked. Edit CSF Configuration 1) SSH to the server. 2) Open the file csf.conf. # vi /etc/csf/csf.conf 3) Check the following parameters in the file csf.conf you have opened, LT_POP3D = “value” In the place of value if you replace with a number then the failed POP3 login attempt times per hour per account per IP address is greater than the IP gets blocked. Put the value to zero to disable the option. Please keep in mind that the IP is blocked temporarily and it automatically unblocks after an hour! LT_IMAPD = “value” CSF will check the value corresponding to the LT_IMAPD and compare it the number of IMAP login failure and if the failure count is greater than the value mentioned hen the IP will be blocked. Using a high number is recommended other than putting zero as (0=option as disabled). Since this is the temporary block for an hour after that the IP will be unblocked! LF_SSHD = “value” LF_SSHD_PERM = “value” These are the option in CSF to enabled to detect the login failure for sshd connections to the server. LF_FTPD = “value” LF_FTPD_PERM = “value” This option is enabled to check the login failure of ftp connections, compare the value with the login failure count and if the login failure is greater corresponding IP will be blocked. LF_SMTPAUTH = “value” LF_SMTPAUTH_PERM = “value” This parameter in the CSF will check the login failure of SMTP AUTH connections and the failure counts gets higher than the value set then the IP gets blocked. LF_POP3D = “value” LF_POP3D_PERM = “value” This option is enabled to check the login failure of pop3 connections to the server. LF_IMAPD = “value” LF_IMAPD_PERM = “value” Through this option enabled the CSF will check the login failure of imap connections to the server. 4) You need to restart the csf after that for the changes made to take effect server wide. Run the below command to restart the CSF.  # csf -r

The cPHulk is a service which provides protection for your server against brute force attacks. The cPHulk monitors web servers and following services. port 2083 cPanel service port 2087 WHM service dovecot and exim mail services. PureFTPd service SSH (Secure Shell) You can manage cPHulk brute force protection via WHM. WHM >> Home >> Security Center >> cPHulk Brute Force Protection. In this tutorial, I will show how to whitelist or blacklist an IP address in cPHulk. 1) Login to WHM as a root user. 2) Navigate to Security Center >> cPHulk Brute Force Protection. 3) To whitelist an IP address, select “Whitelist Management”, enter the IP address which you want to whitelist and click the button “Add”. 4) To blacklist an IP address, select “Blacklist Management”, enter the IP address which you want to blacklist and click the button “Add”.  

ModSecurity is an open-source web-based firewall application (or WAF). WAF is an application firewall used for HTTP applications. ModSecurity is supported by different web servers like Apache, Nginx and IIS. With over 70% of all attacks now carried out over the web application level and organizations need every help they can get in making their systems secure. Disable Mod-Security in cPanel If the rules of the mod-security tools are interfering with the operations of the website and you do not find modification of rules then the best solution is to disable mod-security. Here we can discuss about how to disable ModSecurity in your cPanel interface. 1) Login to your cPanel account. 2) Go to the section ‘Security’. 3) Click the icon ‘ModSecurity’. 4) Here you can see the option for enabling the ModSecurity. Click the button ‘Disable’. Now you can see a message ‘ModSecurity is disabled for all of your domains. 5) You can also disable mod_security for a particular domain, Select the domain you want to disable mod_security and click ‘Off’ button to disable. Disable mod_security using .htaccess file Create a .htaccess file in the root of your web directory. Then add the following: <IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule> We will not recommend to disable Mod-Security on your account. Mod_security module helps to protect your website from various attacks. If mod-security is disabled on your account, your website will be at risk from vulnerabilities. Once mod_security is turned off for an account, we will not take any responsibility of hacking the domain, database hacking, data manipulation and other activities which mod_security can prevent.

CSF is a security tool that can protect the server from various attacks such as brute force and also improve server security. Sometimes there will be some domains i.e., mostly for email hosts which have dynamic IPs so that we cannot block a particular IP to block the domain on our server. In order to resolve the issue, CSF will help you to do this. 1) First of all, go to CSF directory. cd /etc/csf 2) Open the CSF configuration file. vi csf.conf Then search for “DYNDNS” on the file and you can see some lines like below: DYNDNS = “0” This means that the function is disabled. Change it to “1” ie, DYNDNS = “1” and save the file.   Dynamic DNS (DDNS or DynDNS) It is a method of automatically updating a nameserver in the Domain Name Server (DNS), often in real time with active DDNS configuration of its configured hostnames, addresses or other information. The term DDNS is used to describe two different concepts. The first concept is “dynamic DNS updating” which refers to systems that are used to update traditional DNS records without manual editing. The second concept of dynamic DNS permits lightweight and immediate updates often using an update client, which do not use some standards for updating DNS records. These clients provide a persistent addressing method for devices that change their location, configuration or IP address frequently. 3) Restart the CSF service to activate this. service csf restart Also, you can set the time interval between the checks here. GLOBAL_DYNDNS_INTERVAL = “600” 4) Now, we need to specify the domain that we need to block in the CSF. For this, we need to edit the file csf.dyndns. vi /etc/csf/csf.dyndns 5) We have to add the domain name which we need to block and save the file. After that, restart CSF using the below command to activate this. csf -r In this way, you have to block the domains having dynamic IPs using CSF.