Getting the most out of your system's firewall.

Overview
There are several different firewalls that ship with Linux and FreeBSD systems (ipfw, apf, iptables). This article is designed to help you get the most out of your system's firewall software when using cPanel and WHM.

cPanel and WHM install and manage a number of different services on your system. Many of these services require an outside connection to function properly, so the firewall must be opened on the ports those services listen on. Rather than providing a default set of ports for you to open, this article lists the ports used by cPanel and WHM and the services they manage, so that you can write rules that match your own server. Open only the ports you will definitely be using.

Ports

Port Service TCP UDP Inbound Outbound Notes
20 FTP X X X SFTP over SSH is more secure than FTP
21 FTP X X X X
22 SSH X X
25 SMTP X X X
26 SMTP X X X Port 26 is only used if designated in Service Manager in WHM
37 rdate X X
43 whois X X
53 bind X X X X Only if you run a public DNS server on the system
80 http X X X
110 POP3 X X
113 ident X X
143 IMAP X X
443 https X X HTTP over SSL
465 SMTP TLS/SSL X X X X
873 rsync X X X
993 IMAP SSL X X
995 POP3 SSL X X
2078 WebDAV X X X X Used for Web Disks
2083 cPanel® X X Insecure on port 2082 (not recommended)
2087 WHM™ X X Insecure on port 2086 (not recommended)
2089 Licensing X X Must be open to contact license server
2096 Webmail X X Insecure on port 2095 (not recommended)
3306 MySQL® X X Only for remote connections
6666 chat X X Melange Chat Services

For the services above, use the SSL version wherever possible (HTTP and HTTPS are the exception: both can be used). With a non-SSL version, information such as logins and passwords crosses the network in plain text, where an attacker could intercept it. You can use the Manage Service Certificates feature in WHM (WHM >> SSL/TLS >> Manage Service Certificates) to ensure that your services have SSL certificates installed.

Example Configurations
The following examples show how to add rules with APF, iptables, and ipfw. They are not a complete firewall configuration: always use the set of rules that matches your services, not a default set that you copy and paste.

IPFW
To enable IPFW on FreeBSD, make sure the line firewall_enable="YES" is present in /etc/rc.conf. The firewall_script variable should be set to the path of your firewall rules file. You can check your active rules at any time by running ipfw list.

Here’s a sample rule file allowing HTTP and HTTPS access to your system. Please note that it assumes you are using eth0 as your public interface.

############### start #############
# Delete all rules
ipfw -q -f flush

# primary public network interface
pif="eth0"

# no need to type this each time
cmd="ipfw -q add"

# allow all traffic on loopback
$cmd 00010 allow all from any to any via lo0

####### outbound traffic ##########
# allow packets that belong to connections already allowed by a keep-state rule below
# ($cmd already contains "-q add", so it is not repeated here)
$cmd 00015 check-state

# Allow outbound HTTP
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow outbound HTTPS
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

####### inbound traffic ##########
# Allow inbound HTTP and HTTPS; "limit src-addr 2" caps each client address at two simultaneous connections
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 00420 allow tcp from any to me 443 in via $pif setup limit src-addr 2

# deny and log all other traffic
$cmd 00999 deny log all from any to any
################### End ############

For more information on IPFW, see the manual (man ipfw).

APF
APF is basically a frontend for iptables that allows you to open or close ports easily without understanding iptables syntax. Here’s a sample of 2 rules to add to /etc/apf/conf.apf to allow HTTP and HTTPS access to your system:

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="80,443"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="80"

For more information on APF, see the APF site.

iptables
While APF is simple to use, iptables offers more customization of your packet filtering rules, but it requires some knowledge of the TCP/IP stack. Here’s an example of iptables rules for HTTP traffic on port 80. Please note that it assumes you have a DMZ set up on eth0 for 192.168.1.1 and a broadcast IP of 66.66.66.66.

IPTABLES=/sbin/iptables   # adjust to your system
INET_IFACE=eth1           # your public (Internet-facing) interface; -i takes an interface name, not an IP address
# HTTP arriving for 66.66.66.66 and forwarded to the DMZ web server; "allowed" is a user-defined chain you must create first
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o eth0 -d 192.168.1.1 --dport 80 -j allowed
# ICMP to the DMZ host; "icmp_packets" is likewise a user-defined chain
$IPTABLES -A FORWARD -p icmp -i $INET_IFACE -o eth0 -d 192.168.1.1 -j icmp_packets

For more information on iptables, see the iptables site or type man iptables at the command line.
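As an added example (not code from the original article or from cPanel), the script below turns the port table and the "open only what you use" advice into an iptables INPUT ruleset: you name services, it refuses the plaintext ports the table marks not recommended, opens SSH first so you keep a way in, and only prints the rules so you can review them before applying. The service names and the chain ordering are this example's own assumptions.

```shell
# Added example, not from the original article: print an iptables INPUT ruleset that opens only
# the cPanel/WHM services you name, using ports from the table above. Nothing is applied here.

# TCP port(s) for a service name from the table; unknown names fail with exit status 1.
service_ports() {
  case "$1" in
    ssh)    echo 22 ;;
    smtp)   echo "25 465" ;;    # SMTP plus SMTP over TLS/SSL
    http)   echo 80 ;;
    https)  echo 443 ;;
    cpanel) echo 2083 ;;        # never 2082, the insecure variant
    whm)    echo 2087 ;;
    *)      return 1 ;;
  esac
}

# Plaintext ports the article marks "not recommended" because an SSL variant exists.
is_insecure_port() {
  case "$1" in
    110|143|2082|2086|2095) return 0 ;;
    *) return 1 ;;
  esac
}

# Arguments: service names or raw port numbers (e.g. 26). Exit status is nonzero if a name was
# unknown (1) or an insecure port was refused (2), so a wrapper can stop before applying anything.
gen_rules() {
  fw_status=0
  echo "iptables -P INPUT DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # SSH is opened first, unconditionally, so a mistake further down cannot lock you out.
  echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
  for svc in "$@"; do
    [ "$svc" = ssh ] && continue
    case "$svc" in
      ''|*[!0-9]*) ports=$(service_ports "$svc") || { echo "unknown service: $svc" >&2; fw_status=1; continue; } ;;
      *)           ports=$svc ;;
    esac
    for port in $ports; do
      if is_insecure_port "$port"; then
        echo "refusing plaintext port $port: open its SSL equivalent instead" >&2; fw_status=2; continue
      fi
      echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
  done
  # Log what the default DROP policy discards, so a blocked service shows up in the system log.
  echo "iptables -A INPUT -j LOG --log-prefix \"fw-drop: \""
  return $fw_status
}
```

Run it as `gen_rules ssh http https cpanel whm > rules.sh`, review rules.sh, and only then execute it as root.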

What now?
From here, you’ll need to decide which firewall software to use and make sure you are familiar with it. Always leave yourself a way back in when working on firewall rules so that you don’t lock yourself out of your own server. A temporary cron job that disables the firewall every 5 minutes is a simple way back in while you test; remove it once your rules are confirmed to work.

Other tools

  • Mod_Security – While not a firewall as such, mod_security lets you accept or deny HTTP traffic based on a set of rules. It is excellent for stopping DoS attacks against Apache and for preventing poorly coded applications from exposing your system.
  • CSF – CSF is a security suite that enhances the security settings of cPanel and WHM servers in a number of ways. It is a great tool and includes firewall configuration.
Posted in: News, Security