Prevent abuse of outgoing traffic for ports 80 and 443

[Rodrigo Gomes]

I've created the rule below to protect against abuse on outbound traffic. But I wonder if this rule will not break the cpanel in any way?

/sbin/iptables -N OUT_DOS_ATTACK
/sbin/iptables -A OUTPUT -p tcp -m multiport --dport 80,443 --syn -m connlimit --connlimit-above 50 -j OUT_DOS_ATTACK
/sbin/iptables -A OUT_DOS_ATTACK -j LOG --log-prefix "OUT_DOS_ATTACK: " --log-level 6
/sbin/iptables -A OUT_DOS_ATTACK -j DROP

This rule limits the outbound connection to ports 80 and 443.
I appreciate if anyone knows if there is a better way to protect outbound traffic, or if I should add more ports!

 

[Rodrigo Gomes]

A few minutes running this rule I see this:

Mar 1 00:15:02 server-host kernel: OUT_DOS_ATTACK: IN= OUT=enp0s3 SRC=123.456.789.180 DST=50.115.17.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34633 DF PROTO=TCP SPT=47872 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 1 00:15:02 server-host kernel: OUT_DOS_ATTACK: IN= OUT=enp0s3 SRC=123.456.789.180 DST=104.28.16.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32428 DF PROTO=TCP SPT=52718 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0

Cpanel IP: 50.115.17.252

Is there any secure connection limit value or should I abandon this rule?

 

[cPanelMichael]

Hello,

Could you elaborate on the issue you are facing that's leading to you setting up these rules? For instance, some of the solutions referenced on the following threads are helpful:

Prevent wordpress Brute Force Attacks
Outbound wp-login.php brute force attack from my cpanel server

Thank you.

 

[Rodrigo Gomes]

Hello Michael!

Actually I'm not having issues.
I made this rule as a prevention because I do not want my server to make too many outbound connections.
I know I need to allow some output connections for normal system operation.
So I'd like to implement a limit that does not break the cpanel in any way.

And I would also like other opinions about this from the community.
Currently CSF allows the following outbound connections by default:

TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,587,873,993,995,2073,2077,2078,2079,2080,2082,2083,2086,2087,2089,2095,2096,2703,3306,5353
UDP_OUT = 20,21,53,113,123,465,873,6277,24441,5353

That's a lot of ports, is it really necessary? Can I block some of these outgoing ports or limit the amount of connections to it?

I'm setting up a server that will host many shared websites.
That way I want to tighten your security to avoid abuses that could harm the reputation of our IP.

Let me know if I'm being too paranoid! And if it is better to abandon this rule. I will really appreciate another opinion on this subject.
As always, thank you!

 

[cPanelMichael]

Hello,

I'll leave this thread open for additional user-feedback, but I did want to note the following document is useful to see which ports are required for cPanel services:

How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

Thank you.