Block a port on certain IPs using CSF
I've got a server with multiple public-facing IPs, and I'd like certain services to only be bound on certain IPs. Services like SSH and FTP can simply be configured to only bind to a single interface, but I've got a couple stubborn ones that insist on binding to them all.
What I'm basically looking for is something like CSF's TCP_IN option, but address-specific. For example, connections to 1.2.3.4:9000 are allowed, but connections to port 5.6.7.8:9000 are not.
On a semi-related note: is it possible to set cPanel to only make its control panel available on a certain IP? It's currently binding to a whole bunch of 20xx ports on every IP I add. I'd like things like WHM to only bind to a single IP.
Hello :) There are no native features that allow you to control which IP addresses cpsrvd listens on. Feel free to submit a feature request for this via: Submit A Feature Request. As a workaround, you would have to use a firewall to restrict access to the cPanel ports for particular IP addresses. You may want to ask on the CSF forums if you don't receive user-feedback for specific rules. Thank you.
I asked this question on the CSF forums last week, but haven't heard anything back. I was hoping maybe someone here would have a solution, since the cPanel forums are generally more responsive. I'll look into a feature request for the issue.
Should be able to do it with CSF. In /etc/csf/csf.deny:
tcp|in|d=2087|d=123.123.123.2
This would deny port 2087 on 123.123.123.2 but not other IPs allocated to the server. Create more rules to block other ports on other specific IP addresses. Keep in mind if your remote IP is in csf.allow you'll bypass csf.deny; test from a non-whitelisted IP. I just checked with this rule on my server and it works fine to deny WHM on the non-main IP.
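The rule format from the answer above, generalised to several ports and addresses, as an added example that is not part of the original thread. The function names, the file arguments and the sample addresses in the comments are assumptions made for illustration; the allowlist check only matches plain IP entries, not CIDR ranges.

```shell
#!/bin/sh
# Added example (not from the thread). Builds CSF advanced-filter deny rules
# of the form shown in the answer, tcp|in|d=PORT|d=IP, for every server IP
# except the one address the service should stay reachable on.

# gen_deny_rules KEEP_IP "PORT PORT ..." SERVER_IP...
# e.g. gen_deny_rules 192.0.2.10 "2086 2087" 192.0.2.10 192.0.2.11 (constructed)
gen_deny_rules() {
    keep_ip=$1; ports=$2; shift 2
    for ip in "$@"; do
        [ "$ip" = "$keep_ip" ] && continue      # leave the chosen IP open
        for port in $ports; do
            printf 'tcp|in|d=%s|d=%s\n' "$port" "$ip"
        done
    done
}

# add_missing_rules DENY_FILE
# Reads rules on stdin and appends only those not already present as a whole
# line, so re-running does not duplicate entries. Prints the number appended.
# Pass /etc/csf/csf.deny on a real server, then reload the rules with: csf -r
add_missing_rules() {
    deny_file=$1; added=0
    touch "$deny_file"
    while IFS= read -r rule; do
        if ! grep -qxF -- "$rule" "$deny_file"; then
            printf '%s\n' "$rule" >> "$deny_file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# is_allowlisted IP ALLOW_FILE
# Succeeds if IP is a plain entry in the allow file (trailing comments are
# ignored). As the answer notes, an address in csf.allow bypasses csf.deny,
# so a test made from such an address says nothing about the new rules.
is_allowlisted() {
    awk -v ip="$1" '{ sub(/#.*/, ""); if ($1 == ip) found = 1 }
                    END { exit !found }' "$2"
}
```

Run `is_allowlisted` against the address you plan to test from before concluding that a deny rule does or does not work.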
Thanks, that's exactly what I was looking for!