
Block a port on certain IPs using CSF

Discussion in 'Security' started by DanH42, Jun 12, 2014.

  1. DanH42

    DanH42 Active Member

    I've got a server with multiple public-facing IPs, and I'd like certain services to only be bound on certain IPs. Services like SSH and FTP can simply be configured to only bind to a single interface, but I've got a couple stubborn ones that insist on binding to them all.

    What I'm basically looking for is something like CSF's TCP_IN option, but address-specific. For example, connections to 1.2.3.4:9000 are allowed, but connections to port 5.6.7.8:9000 are not.

    On a semi-related note: is it possible to set cPanel to only make its control panel available on a certain IP? It's currently binding to a whole bunch of 20xx ports on every IP I add. I'd like things like WHM to only bind to a single IP.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    There are no native features that allow you to control which IP addresses cpsrvd listens on. Feel free to submit a feature request for this via:

    Submit A Feature Request

    As a workaround, you would have to use a firewall to restrict access to the cPanel ports for particular IP addresses. You may want to ask on the CSF forums if you don't receive user-feedback for specific rules.

    Thank you.
     
  3. DanH42

    DanH42 Active Member

    I asked this question on the CSF forums last week, but haven't heard anything back. I was hoping maybe someone here would have a solution, since the cPanel forums are generally more responsive.

    I'll look into a feature request for the issue.
     
  4. quizknows

    quizknows Well-Known Member

    Should be able to do it with CSF.

    In /etc/csf/csf.deny:
    Code:
    tcp|in|d=2087|d=123.123.123.2
    
    This would deny port 2087 on 123.123.123.2 but not other IPs allocated to the server. Create more rules to block other ports on other specific IP addresses.

    Keep in mind if your remote IP is in csf.allow you'll bypass csf.deny; test from a non-whitelisted IP. I just checked with this rule on my server and it works fine to deny WHM on the non-main IP.
     
    #4 quizknows, Jun 12, 2014
    Last edited: Jun 12, 2014
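
An added example, not part of the thread and not CSF's own code: a simplified Python model of how the advanced filter line from post #4 is matched, and why a source listed in csf.allow never reaches the csf.deny rule. The source addresses, the 123.123.123.1 "main IP" and the function names are constructed for illustration; real enforcement is done by the iptables rules CSF generates.

```python
import ipaddress

def parse_rule(line):
    """Parse a csf.allow/csf.deny line: a bare IP/CIDR or proto|dir|d=port|d=ip."""
    line = line.split("#", 1)[0].strip()          # drop trailing comments
    if not line:
        return None
    if "|" not in line:                           # bare entry: any port, any protocol
        return {"sip": ipaddress.ip_network(line, strict=False)}
    proto, direction, *fields = line.split("|")
    rule = {"proto": proto, "dir": direction}
    for field in fields:
        side, value = field.split("=", 1)
        if side not in ("s", "d"):
            raise ValueError(f"unsupported field: {field}")
        if value.replace(",", "").isdigit():      # one port or a comma list
            if side == "s":
                raise ValueError("source-port filters are outside this sketch")
            rule["dport"] = {int(p) for p in value.split(",")}
        else:
            rule[side + "ip"] = ipaddress.ip_network(value, strict=False)
    return rule

def matches(rule, proto, src, dst, dport):
    """True if an inbound connection src -> dst:dport is covered by the rule."""
    if rule.get("proto", proto) != proto or rule.get("dir", "in") != "in":
        return False
    if "sip" in rule and ipaddress.ip_address(src) not in rule["sip"]:
        return False
    if "dip" in rule and ipaddress.ip_address(dst) not in rule["dip"]:
        return False
    return "dport" not in rule or dport in rule["dport"]

def verdict(allow_lines, deny_lines, proto, src, dst, dport):
    """csf.allow is consulted first, so an allowed source bypasses csf.deny."""
    allow = [r for r in map(parse_rule, allow_lines) if r]
    deny = [r for r in map(parse_rule, deny_lines) if r]
    if any(matches(r, proto, src, dst, dport) for r in allow):
        return "allow"
    if any(matches(r, proto, src, dst, dport) for r in deny):
        return "deny"
    return "default"                              # left to TCP_IN and other rules

# Constructed sample files: the deny line from post #4 plus the 5.6.7.8:9000 case.
DENY = ["tcp|in|d=2087|d=123.123.123.2", "tcp|in|d=9000|d=5.6.7.8"]
ALLOW = ["203.0.113.10  # admin workstation (constructed)"]

if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.10"):
        print(src, verdict(ALLOW, DENY, "tcp", src, "123.123.123.2", 2087))
```

Running it shows the same rule giving "deny" for an ordinary remote address and "allow" for the allow-listed one, which is why the rule has to be tested from an address that is not in csf.allow.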
  5. DanH42

    DanH42 Active Member

    Thanks, that's exactly what I was looking for!
     