Securing your server using CSF (ConfigServer Security & Firewall) goes far beyond just RESTRICT_SYSLOG. Below is a comprehensive, security-hardened configuration guide for your WHM server running CSF v14.24, including:

  • Must-change core firewall settings

  • Brute-force protection (LFD)

  • Process tracking

  • Port security

  • Email alerts

  • Bonus hardening settings


🔐 1. Log Access Protection

✅ Set:

```ini
RESTRICT_SYSLOG = "3" # Recommended: restrict syslog/rsyslog socket access to members of RESTRICT_SYSLOG_GROUP
```

✅ Optional:

```ini
SYSLOG_CHECK = "1800" # Every 30 minutes, verify that syslog is still logging (lfd writes a token and checks it appears)
```

🔐 2. Brute Force Protection (LFD)

These settings help defend against login attacks for SSH, cPanel, WHM, email, etc.

✅ Basic brute force protection

```ini
LF_TRIGGER = "5" # Global trigger: block after 5 failed logins; with LF_TRIGGER > 0 the LF_* lines below are on/off flags
LF_SSHD = "1" # Enable SSH brute force detection
LF_FTPD = "1" # FTP login failure detection
LF_POP3D = "1" # Email login failure detection (POP3)
LF_IMAPD = "1" # Email login failure detection (IMAP)
LF_CPANEL = "1" # cPanel/WHM login failure detection
LF_WEBMIN = "1" # Webmin login failure detection
LF_HTACCESS = "1" # Apache .htaccess (HTTP auth) login failure detection
LF_MODSEC = "1" # ModSecurity brute force detection
```

✅ Permanent block for known bad behavior:

```ini
LF_PERMBLOCK = "1" # Escalate repeat offenders to a permanent block
LF_PERMBLOCK_COUNT = "10" # ...after 10 temporary blocks
LF_PERMBLOCK_INTERVAL = "3600" # ...within 3600 seconds (1 hour)
```

🧠 3. Process Tracking (Anti-Exploit)

Detect and kill suspicious or excessive processes (common in shell injection attacks).

✅ Enable process tracking

```ini
PT_LIMIT = "60" # Report user processes running longer than 60 seconds (report only unless PT_USERKILL = "1")
PT_USERPROC = "10" # Report a user running more than 10 processes (good for shared hosting)
PT_USERMEM = "100" # Report a user process using more than 100 MB of RAM
PT_ALL_USERS = "1" # Track all Linux users, not only cPanel accounts
PT_DELETED = "1" # Report processes whose executable has been deleted from disk
PT_SSHDHUNG = "1" # Kill hung sshd processes
```

🔐 4. Port Security

✅ Block unused ports (very important)

  • Edit this section:

```ini
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995" # Inbound TCP; add 2083/2087 (cPanel/WHM over HTTPS) before applying on a WHM server
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995" # Outbound TCP
UDP_IN = "53" # Inbound UDP (DNS)
UDP_OUT = "53,113,123" # Outbound UDP (DNS, ident, NTP)
```

⚠️ Only open what you use! Close FTP if unused (20,21), or SMTP if using remote mail. Note that this list does not include the cPanel/WHM service ports (2082/2083, 2086/2087, 2095/2096); if you apply it as-is on a WHM server you will lock yourself out of WHM, so add at least 2083 and 2087 to TCP_IN first.


📡 5. Connection Tracking

Protects against DoS or too many concurrent connections.

✅ Recommended:

```ini
CT_LIMIT = "100" # Max connections per IP
CT_INTERVAL = "30" # Interval in seconds to check
CT_PERMANENT = "1" # Permanently block offenders
```

📧 6. Email Alerts

✅ Enable admin notifications:

```ini
LF_EMAIL_ALERT = "1" # Email an alert for each IP that lfd blocks
PS_EMAIL_ALERT = "1" # Email an alert on detected port scans (requires PS_INTERVAL > 0)
RESTRICT_UI = "1" # Restricted CSF Web UI: removes options such as editing config files from the UI
LF_SCRIPT_ALERT = "1" # Alert when a script directory sends more than LF_SCRIPT_LIMIT emails per hour
```

Set your email at:

```ini
LF_ALERT_TO = "you@example.com"
```

👁 7. Directory Watching & Suspicious File Alert

✅ Recommended:

```ini
LF_DIRWATCH = "300" # Check watched directories (e.g. /tmp) every 5 minutes
LF_DIRWATCH_DISABLE = "0" # Report suspicious files only; do not remove them
LF_EXPLOIT = "300" # Interval in seconds between checks for known exploits (0 disables)
```

🧱 8. Firewall Rate Limiting

Mitigate port scanning and malicious scanning tools.

✅ SYN flood protection:

```ini
SYNFLOOD = "1" # Rate-limit incoming SYN packets
SYNFLOOD_RATE = "100/s" # Allowed SYN rate
SYNFLOOD_BURST = "150" # Burst allowance before limiting kicks in
```

🚫 9. Disable Ping (optional)

You can block ping requests (ICMP):

```ini
ICMP_IN = "0" # 0 = drop incoming ping (ICMP echo requests)
```

⚠️ Note: If you monitor uptime externally (e.g. Pingdom), keep ICMP_IN = "1".


🧹 10. Clean Up and Audit

✅ Block users from compiling code (useful in shared hosting):

```ini
EXEC_USR_DIR = "1"
```

✅ Disable IP spoofing and fragment attacks:

```ini
DROP_INVALID = "1"
```

📤 Backup Configuration

After applying all settings:

  1. Scroll to the bottom

  2. Click “Change” and then “Restart csf+lfd”

  3. Go back to the main CSF page

  4. Use “Backup firewall configuration” to export your setup


🧪 Final Tips

  • Use csf -r from SSH if WHM GUI hangs.

  • Regularly check /var/log/lfd.log for alerts and tune as needed.

  • Pair CSF with ModSecurity and ClamAV for full-stack protection.
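The settings above are only useful if they actually survive on the box, so here is an added audit script (written for this guide, not part of CSF) that reads a csf.conf, reports any of the key settings that drift from the recommended values, and warns when TCP_IN omits the WHM/cPanel HTTPS ports. It assumes the `KEY = "value"` line format of csf.conf and runs against a constructed sample file rather than a live /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added audit helper for this guide (not CSF's own code).
# Assumes csf.conf lines look like: KEY = "value"   (comments start with '#')

csf_get() {   # csf_get KEY FILE -> value without the quotes (last match wins)
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$2" | tail -n 1
}

# Prints one line per deviation and returns the number of deviations found.
csf_audit() {
    f="$1"; bad=0
    while IFS=: read -r key want; do
        have=$(csf_get "$key" "$f")
        if [ "$have" != "$want" ]; then
            echo "DRIFT: $key = \"${have:-<unset>}\" (recommended \"$want\")"
            bad=$((bad + 1))
        fi
    done <<EOF
RESTRICT_SYSLOG:3
LF_SSHD:1
LF_PERMBLOCK:1
PT_DELETED:1
CT_PERMANENT:1
SYNFLOOD:1
EOF
    # cPanel (2083) and WHM (2087) over HTTPS must stay reachable on a WHM server.
    tcp_in=$(csf_get TCP_IN "$f")
    for p in 2083 2087; do
        case ",$tcp_in," in
            *,"$p",*) ;;
            *) echo "WARN: port $p missing from TCP_IN"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample (NOT a real server's csf.conf): two settings drift, cPanel ports absent.
CSF_SAMPLE=$(mktemp)
cat >"$CSF_SAMPLE" <<'EOF'
# constructed excerpt of /etc/csf/csf.conf
RESTRICT_SYSLOG = "0"
LF_SSHD = "1"
LF_PERMBLOCK = "1"
PT_DELETED = "0"
CT_PERMANENT = "1"
SYNFLOOD = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
EOF

csf_audit "$CSF_SAMPLE" || printf '%s setting(s) need attention\n' "$?"
```

To audit a live server, point it at /etc/csf/csf.conf instead of the sample and extend the KEY:value list with the other settings from this guide.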