Prevent abuse of outgoing traffic for ports 80 and 443

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
I've created the rule below to protect against abuse on outbound traffic. But I wonder if this rule will not break the cpanel in any way?

Code:
/sbin/iptables -N OUT_DOS_ATTACK
/sbin/iptables -A OUTPUT -p tcp -m multiport --dport 80,443 --syn -m connlimit --connlimit-above 50 -j OUT_DOS_ATTACK
/sbin/iptables -A OUT_DOS_ATTACK -j LOG --log-prefix "OUT_DOS_ATTACK: " --log-level 6
/sbin/iptables -A OUT_DOS_ATTACK -j DROP
This rule limits the outbound connection to ports 80 and 443.
I appreciate if anyone knows if there is a better way to protect outbound traffic, or if I should add more ports!
 

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
A few minutes running this rule I see this:

Mar 1 00:15:02 server-host kernel: OUT_DOS_ATTACK: IN= OUT=enp0s3 SRC=123.456.789.180 DST=50.115.17.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34633 DF PROTO=TCP SPT=47872 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 1 00:15:02 server-host kernel: OUT_DOS_ATTACK: IN= OUT=enp0s3 SRC=123.456.789.180 DST=104.28.16.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32428 DF PROTO=TCP SPT=52718 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Cpanel IP: 50.115.17.252

Is there any secure connection limit value or should I abandon this rule?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
  • Like
Reactions: Rodrigo Gomes

Rodrigo Gomes

Well-Known Member
Apr 6, 2016
128
29
78
Brazil
cPanel Access Level
Root Administrator
Hello Michael!

Actually I'm not having issues.
I made this rule as a prevention because I do not want my server to make too many outbound connections.
I know I need to allow some output connections for normal system operation.
So I'd like to implement a limit that does not break the cpanel in any way.

And I would also like other opinions about this from the community.
Currently CSF allows the following outbound connections by default:

TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,587,873,993,995,2073,2077,2078,2079,2080,2082,2083,2086,2087,2089,2095,2096,2703,3306,5353
UDP_OUT = 20,21,53,113,123,465,873,6277,24441,5353
That's a lot of ports, is it really necessary? Can I block some of these outgoing ports or limit the amount of connections to it?

I'm setting up a server that will host many shared websites.
That way I want to tighten your security to avoid abuses that could harm the reputation of our IP.

Let me know if I'm being too paranoid! And if it is better to abandon this rule. I will really appreciate another opinion on this subject.
As always, thank you!
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
  • Like
Reactions: Rodrigo Gomes