Block a port on certain IPs using CSF

DanH42

I've got a server with multiple public-facing IPs, and I'd like certain services to only be bound on certain IPs. Services like SSH and FTP can simply be configured to only bind to a single interface, but I've got a couple stubborn ones that insist on binding to them all.

What I'm basically looking for is something like CSF's TCP_IN option, but address-specific. For example, connections to 1.2.3.4:9000 are allowed, but connections to port 5.6.7.8:9000 are not.

On a semi-related note: is it possible to set cPanel to only make its control panel available on a certain IP? It's currently binding to a whole bunch of 20xx ports on every IP I add. I'd like things like WHM to only bind to a single IP.
 

cPanelMichael

Administrator
Staff member
Hello :)

There are no native features that allow you to control which IP addresses cpsrvd listens on. Feel free to submit a feature request for this via:

Submit A Feature Request

As a workaround, you would have to use a firewall to restrict access to the cPanel ports for particular IP addresses. You may want to ask on the CSF forums if you don't receive user-feedback for specific rules.

Thank you.
 

DanH42

I asked this question on the CSF forums last week, but haven't heard anything back. I was hoping maybe someone here would have a solution, since the cPanel forums are generally more responsive.

I'll look into a feature request for the issue.
 

quizknows

Should be able to do it with CSF.

In /etc/csf/csf.deny:
Code:
tcp|in|d=2087|d=123.123.123.2
This would deny port 2087 on 123.123.123.2 but not other IPs allocated to the server. Create more rules to block other ports on other specific IP addresses.

Keep in mind if your remote IP is in csf.allow you'll bypass csf.deny; test from a non-whitelisted IP. I just checked with this rule on my server and it works fine to deny WHM on the non-main IP.
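The rule format from the answer above, generalized to several ports and addresses, as an added example that is not part of the thread and not CSF's own code. The function names are hypothetical, only IPv4 and the four-field `proto|in|d=PORT|d=IP` shape are handled, and the csf.allow check covers plain IP/CIDR entries only.

```python
import ipaddress

def deny_rules(server_ips, exposure, proto="tcp"):
    """Return csf.deny lines denying each port on every local IP not listed for it.

    server_ips: all IPv4 addresses on the server.
    exposure:   {port: [local IPs where the port must stay reachable]}.
    """
    local = [ipaddress.IPv4Address(ip) for ip in server_ips]
    rules = []
    for port in sorted(exposure):
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port: {port}")
        keep = {ipaddress.IPv4Address(ip) for ip in exposure[port]}
        if not keep <= set(local):
            raise ValueError(f"port {port}: address not on this server")
        rules += [f"{proto}|in|d={port}|d={ip}" for ip in local if ip not in keep]
    return rules

def is_denied(rules, dst_ip, dst_port, proto="tcp"):
    """True if a proto|in|d=PORT|d=IP line matches this destination."""
    want = [proto, "in", f"d={dst_port}", f"d={ipaddress.IPv4Address(dst_ip)}"]
    for line in rules:
        fields = line.split("#", 1)[0].strip().split("|")
        if fields == want:
            return True
    return False

def bypasses_deny(allow_lines, src_ip):
    """True if src_ip matches a plain IP/CIDR entry in csf.allow (filters skipped)."""
    src = ipaddress.IPv4Address(src_ip)
    for line in allow_lines:
        entry = line.split("#", 1)[0].strip()
        if not entry or "|" in entry:
            continue
        try:
            if src in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # not an IP or CIDR entry
    return False

# Constructed sample: the two addresses and the port from the first post.
SERVER_IPS = ["1.2.3.4", "5.6.7.8"]
RULES = deny_rules(SERVER_IPS, {9000: ["1.2.3.4"]})

if __name__ == "__main__":
    print("\n".join(RULES))
```

Running `bypasses_deny` against the contents of csf.allow with the address you plan to test from shows whether that test can actually exercise the deny rule.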
 