Securing your server using CSF (ConfigServer Security & Firewall) goes far beyond just RESTRICT_SYSLOG. Below is a comprehensive, security-hardened configuration guide for your WHM server running CSF v14.24, including:

  • Must-change core firewall settings

  • Brute-force protection (LFD)

  • Process tracking

  • Port security

  • Email alerts

  • Bonus hardening settings


๐Ÿ” 1. Log Access Protection

โœ… Set:

ini
RESTRICT_SYSLOG = "3" # Most secure setting, only root can access logs

โœ… Optional:

ini
SYSLOG_CHECK = "1800" # Check syslog access every 30 minutes

๐Ÿ” 2. Brute Force Protection (LFD)

These settings help defend against login attacks for SSH, cPanel, WHM, email, etc.

โœ… Basic brute force protection

ini
LF_TRIGGER = "5" # Block after 5 failed logins (global)
LF_SSHD = "1" # Enable SSH brute force detection
LF_FTPD = "1" # FTP login failure detection
LF_POP3D = "1" # Email login failure detection
LF_IMAPD = "1"
LF_CPANEL = "1" # cPanel/WHM login failure detection
LF_WEBMIN = "1"
LF_HTACCESS = "1"
LF_MODSEC = "1" # ModSecurity brute force detection

โœ… Permanent block for known bad behavior:

ini
LF_PERMBLOCK = "1"
LF_PERMBLOCK_COUNT = "10"
LF_PERMBLOCK_INTERVAL = "3600"

3. Process Tracking (Anti-Exploit)

Detect and kill suspicious or excessive processes (common in shell injection attacks).

✅ Enable process tracking

PT_LIMIT = "60" # Flag user processes running longer than 60 seconds
PT_USERPROC = "10" # Limit user processes (good for shared hosting)
PT_USERMEM = "100" # Max MB of RAM a user's process can use
PT_ALL_USERS = "1" # Track processes for all accounts
PT_DELETED = "1" # Report processes whose executable has been deleted from disk
PT_SSHDHUNG = "1" # Kill hung SSH sessions

๐Ÿ” 4. Port Security

โœ… Block unused ports (very important)

  • Edit this section:

ini
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "53"
UDP_OUT = "53,113,123"

โš ๏ธ Only open what you use! Close FTP if unused (20,21), or SMTP if using remote mail.


5. Connection Tracking

Protects against DoS or too many concurrent connections.

✅ Recommended:

CT_LIMIT = "100" # Max connections per IP
CT_INTERVAL = "30" # Interval in seconds to check
CT_PERMANENT = "1" # Permanently block offenders

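6. Email Alerts

✅ Enable admin notifications:

LF_EMAIL_ALERT = "1" # Email when lfd blocks an IP for login failures
PS_EMAIL_ALERT = "1" # Email when an IP is blocked for port scanning
RESTRICT_UI = "1" # Restricted UI mode: settings that are risky to change cannot be edited from the CSF web UI
LF_SCRIPT_ALERT = "1" # Alert when a script sends an unusually high volume of email

Set your email at:

LF_ALERT_TO = "you@example.com"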

๐Ÿ‘ 7. Directory Watching & Suspicious File Alert

โœ… Recommended:

ini
LF_DIRWATCH = "300" # Check directories every 5 minutes
LF_DIRWATCH_DISABLE = "0"
LF_EXPLOIT = "1" # Alert on known exploit files

8. Firewall Rate Limiting

Mitigate port scanning and malicious scanning tools.

✅ SYN flood protection:

SYNFLOOD = "1"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

9. Disable Ping (optional)

You can block ping requests (ICMP):

ICMP_IN = "0"

⚠️ Note: If you monitor uptime externally (e.g. Pingdom), keep ICMP_IN enabled.


10. Clean Up and Audit

✅ Block users from compiling code (useful in shared hosting):

EXEC_USR_DIR = "1"

✅ Disable IP spoofing and fragment attacks:

DROP_INVALID = "1"

Backup Configuration

After applying all settings:

  1. Scroll to the bottom

  2. Click “Change” and then “Restart csf+lfd”

  3. Go back to the main CSF page

  4. Use “Backup firewall configuration” to export your setup


Final Tips

  • Use csf -r from SSH if WHM GUI hangs.

  • Regularly check /var/log/lfd.log for alerts and tune as needed.

  • Pair CSF with ModSecurity and ClamAV for full-stack protection.
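
To confirm that a saved csf.conf (normally /etc/csf/csf.conf) carries the values from this guide and still leaves the server reachable, here is an added example; it is not part of the original guide or of CSF itself. It parses the KEY = "value" lines, compares a subset of the settings above, and checks TCP_IN against REQUIRED_TCP_IN, an assumed list (SSH on 22, WHM over TLS on 2087) to adjust per host; the sample config is constructed.

```python
import re

# Subset of the values recommended in the sections above.
RECOMMENDED = {
    "RESTRICT_SYSLOG": "3", "LF_TRIGGER": "5", "LF_SSHD": "1",
    "LF_PERMBLOCK": "1", "CT_LIMIT": "100", "SYNFLOOD": "1",
}
# Assumption: ports that must stay reachable (SSH, WHM over TLS). Adjust per host.
REQUIRED_TCP_IN = {22, 2087}

# Matches KEY = "value" at the start of a line; commented-out lines do not match.
SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', re.M)

def parse_csf_conf(text):
    """Return {KEY: value} for every KEY = "value" line; trailing comments are ignored."""
    return dict(SETTING.findall(text))

def parse_ports(value):
    """Expand a csf port list such as "22,80,30000:30002" into a set of ints."""
    ports = set()
    for item in filter(None, (p.strip() for p in value.split(","))):
        low, _, high = item.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_csf_conf(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = conf.get(key)  # None when the setting is missing from the file
        if have != want:
            findings.append(f"{key}: have {have!r}, guide recommends {want!r}")
    open_ports = parse_ports(conf.get("TCP_IN", ""))
    for port in sorted(REQUIRED_TCP_IN - open_ports):
        findings.append(f"TCP_IN: port {port} is closed (lockout risk)")
    return findings

# Constructed sample, not taken from a real server.
SAMPLE = '''
RESTRICT_SYSLOG = "0"   # still at the permissive value
LF_TRIGGER = "5"
LF_SSHD = "1"
LF_PERMBLOCK = "1"
CT_LIMIT = "100"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
'''

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a copy of the file before restarting csf+lfd, so a closed management port is caught while the current session is still open.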