Remove unnecessary port access with CSF/LFD firewall in cPanel - digitalFAQ.com Support Forum

01-12-2012, 02:23 AM
kpmedia, Site Staff / Owner and Editor

With the convenient ConfigServer Security & Firewall free plugin for cPanel, you can quickly block unnecessary ports.

Go to the CSF page -- usually https://server.com:2087/cgi/addon_csf.cgi -- and select Port Settings from the dropdown menu.
You'll see a list of all the ports allowed by the server's firewall. Inversely, non-listed ports will be blocked by default.

One of the primary fundamentals of security is to revoke any unnecessary access.

You'll see these default ports on most cPanel servers:
Code:
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096

# Allow incoming UDP ports
UDP_IN = 20,21,53

These ports correspond to the following services:
  • 20 = FTP ... remove if ftp not used
  • 21 = FTP ... remove if ftp not used
  • 22 = SSH ... the ssh/sshd service should be moved to an alternate port to avoid brute force attacks; also disable root logins!
  • 25 = SMTP ... the smtp service should be moved to an alternate port to avoid abuse.
  • 53 = DNS
  • 80 = HTTP
  • 110 = POP3 ... remove if pop3 is not in use (webmail only, or not using mail on server)
  • 143 = IMAP ... remove if imap service (mostly used by mobile mail) not in use
  • 443 = HTTPS (http + SSL)
  • 465 = SMTP + SSL ... remove if no ssl certificate is in use; plus it's legacy/deprecated anyhow
  • 587 = SMTP alternate to 25
  • 993 = IMAP + SSL ... remove if imap and/or imap with an ssl certificate is not in use
  • 995 = POP3 + SSL ... remove if pop3 and/or pop3 with an ssl certificate is not in use
  • 2077 = webdisk ... remove if not in use
  • 2078 = webdisk ... remove if not in use
  • 2082 = cPanel login via http ... remove; always login to cPanel with 2083 (SSL), even if self-signed
  • 2083 = cPanel secure login
  • 2086 = WHM login via http ... remove; always login to WHM with 2087 (SSL), even if self-signed
  • 2087 = WHM secure login
  • 2095 = cPanel webmail login via http ... remove; always login to webmail with 2096 (SSL), even if self-signed
  • 2096 = cPanel secure login for webmail (includes SquirrelMail, Roundcube, AtMail Open, others)
Key:
  • Leave non-bold, non-color items alone.
  • Bolded items can be removed if not used.
  • Red bolded items provide unnecessary and/or unsafe access and should be blocked and/or changed to alternate ports.
Note that this can/should be repeated in the IPv6 section, if the server has IPv6 access.
Code:
# Allow incoming IPv6 TCP ports
TCP6_IN = 22,25,53,80,110,143,443,465,587

And that's it for this mini-guide. I hope it helps you.

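The review described in the post above can be scripted. The following is an added example, not part of the original post or of CSF itself: it parses the `TCP_IN` and `TCP6_IN` settings and labels each port with the action the post's list gives for it. The function names and `SAMPLE_CONF` are assumptions made for the example; the sample values are the ones listed in the post.

```python
import re

# Classification copied from the port list in the post above.
PLAINTEXT_LOGIN = {2082: 2083, 2086: 2087, 2095: 2096}  # http port -> SSL twin
MOVE_TO_ALT_PORT = {22, 25}
REMOVE_IF_UNUSED = {20, 21, 110, 143, 465, 993, 995, 2077, 2078}

# Matches both the unquoted form shown in the post and a quoted value.
SETTING = re.compile(r'^[ \t]*(TCP6?_IN)[ \t]*=[ \t]*"?([^"#\n]*)', re.M)

# Constructed sample: the two TCP settings exactly as listed in the post.
SAMPLE_CONF = """\
# Allow incoming TCP ports
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096
# Allow incoming IPv6 TCP ports
TCP6_IN = 22,25,53,80,110,143,443,465,587
"""

def parse_ports(conf_text):
    """Return {setting: [entries]}; numeric entries become ints, others stay strings."""
    result = {}
    for name, value in SETTING.findall(conf_text):
        entries = [e.strip() for e in value.split(",") if e.strip()]
        result[name] = [int(e) if e.isdigit() else e for e in entries]
    return result

def audit(conf_text):
    """Return (setting, port, action) tuples for every port the post flags."""
    findings = []
    for name, ports in parse_ports(conf_text).items():
        for port in ports:
            if port in PLAINTEXT_LOGIN:
                findings.append((name, port, f"remove; log in on {PLAINTEXT_LOGIN[port]}"))
            elif port in MOVE_TO_ALT_PORT:
                findings.append((name, port, "move service to an alternate port"))
            elif port in REMOVE_IF_UNUSED:
                findings.append((name, port, "remove if the service is not used"))
    return findings

def tightened(conf_text, setting, unused=()):
    """Value for `setting` without plaintext login ports or the ports in `unused`."""
    drop = set(PLAINTEXT_LOGIN) | set(unused)
    return ",".join(str(p) for p in parse_ports(conf_text)[setting] if p not in drop)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding, sep="\t")
    print("TCP_IN =", tightened(SAMPLE_CONF, "TCP_IN", unused={20, 21, 2077, 2078}))
```

The script only reads the text it is given; the resulting value still has to be entered under Port Settings in CSF.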