Prevent abuse of outgoing traffic for ports 80 and 443
I've created the rule below to protect against abuse on outbound traffic. But I wonder if this rule will not break the cpanel in any way?
This rule limits the outbound connection to ports 80 and 443. I appreciate if anyone knows if there is a better way to protect outbound traffic, or if I should add more ports!
/sbin/iptables -N OUT_DOS_ATTACK
/sbin/iptables -A OUTPUT -p tcp -m multiport --dport 80,443 --syn -m connlimit --connlimit-above 50 -j OUT_DOS_ATTACK
/sbin/iptables -A OUT_DOS_ATTACK -j LOG --log-prefix "OUT_DOS_ATTACK: " --log-level 6
/sbin/iptables -A OUT_DOS_ATTACK -j DROP
A few minutes after running this rule I see this:
Mar 1 00:15:02 server-host kernel: OUT_DOS_ATTACK: IN= OUT=enp0s3 SRC=123.456.789.180 DST=50.115.17.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34633 DF PROTO=TCP SPT=47872 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 1 00:15:02 server-host kernel: OUT_DOS_ATTACK: IN= OUT=enp0s3 SRC=123.456.789.180 DST=104.28.16.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32428 DF PROTO=TCP SPT=52718 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
cPanel IP: 50.115.17.252
Is there any secure connection limit value, or should I abandon this rule?
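Added example (not code from the thread or from cPanel): a small Python script that parses the OUT_DOS_ATTACK lines the rule above logs and models how xt_connlimit keys its count, so the operator can see which destinations the rule is already dropping and what the "50" actually caps. The sample log lines are the two posted above (123.456.789.180 is the poster's redaction and is kept as-is), the NEEDED_DESTINATIONS allowlist is a hypothetical one the operator would maintain, and the 203.0.113.x / 198.51.100.x addresses in the simulation are constructed. The model assumes a burst of simultaneous SYNs with nothing closing, which is the worst case the rule is meant to catch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two kernel LOG lines from the post above, verbatim.
# 123.456.789.180 is the poster's redacted server address and is kept as-is.
SAMPLE_LOG = """\
Mar 1 00:15:02 server-host kernel: OUT_DOS_ATTACK: IN= OUT=enp0s3 SRC=123.456.789.180 DST=50.115.17.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34633 DF PROTO=TCP SPT=47872 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 1 00:15:02 server-host kernel: OUT_DOS_ATTACK: IN= OUT=enp0s3 SRC=123.456.789.180 DST=104.28.16.48 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32428 DF PROTO=TCP SPT=52718 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Hypothetical allowlist of destinations the server must always reach
# (the poster identified 50.115.17.252 as a cPanel address).
NEEDED_DESTINATIONS = {"50.115.17.252"}

LOG_PREFIX = "OUT_DOS_ATTACK: "
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text):
    """Return one dict of KEY=value fields per line carrying the rule's LOG prefix.
    Flag tokens without '=' (DF, SYN) are ignored; 'IN=' yields an empty string."""
    records = []
    for line in text.splitlines():
        if LOG_PREFIX not in line:
            continue
        payload = line.split(LOG_PREFIX, 1)[1]
        records.append(dict(KV_RE.findall(payload)))
    return records


def dropped_per_destination(records):
    """Count logged (and therefore dropped) SYNs per (DST, DPT)."""
    return Counter((r["DST"], int(r["DPT"])) for r in records)


def needed_destinations_hit(records, needed=NEEDED_DESTINATIONS):
    """Allowlisted destinations the rule already dropped: each one is a
    cPanel/system breakage the operator must exempt before keeping the rule."""
    return sorted({r["DST"] for r in records} & set(needed))


def connlimit_drops(connections, above, key="saddr"):
    """Model xt_connlimit's counting for a burst of simultaneous SYNs.

    connections: list of (src, dst) pairs in arrival order; nothing closes.
    key: 'saddr' (the default, --connlimit-saddr) buckets by source address,
         'daddr' (--connlimit-daddr) buckets by destination address.
    A SYN is dropped when, counting itself, its bucket exceeds `above`, which
    is how '--connlimit-above N' lets N connections through and drops the N+1th.
    Returns the number of dropped SYNs."""
    open_conns = defaultdict(int)
    dropped = 0
    for src, dst in connections:
        bucket = src if key == "saddr" else dst
        if open_conns[bucket] + 1 > above:
            dropped += 1      # matched the rule -> OUT_DOS_ATTACK -> DROP
        else:
            open_conns[bucket] += 1
    return dropped


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (dst, port), n in dropped_per_destination(recs).items():
        print(f"dropped {n} SYN(s) to {dst}:{port}")
    print("needed destinations hit:", needed_destinations_hit(recs))

    # In OUTPUT the source is always the server itself, so with the default
    # key every outbound SYN lands in one bucket: 51 sites fetching 51
    # different hosts trip the limit; keyed by destination they do not.
    server = "203.0.113.10"                       # constructed server address
    fan_out = [(server, f"198.51.100.{i}") for i in range(1, 52)]
    print("saddr key, 51 distinct hosts:", connlimit_drops(fan_out, 50, "saddr"))
    print("daddr key, 51 distinct hosts:", connlimit_drops(fan_out, 50, "daddr"))
    one_host = [(server, "198.51.100.1")] * 51
    print("daddr key, 51 to one host:  ", connlimit_drops(one_host, 50, "daddr"))
```

The point the simulation makes: connlimit counts per source address unless told otherwise, and in the OUTPUT chain the source is always the server's own IP, so `--connlimit-above 50` is a single cap of 50 concurrent outbound HTTP/HTTPS connections shared by every account and by cPanel's own update and license traffic, not a per-site or per-target limit. Newer iptables versions accept `--connlimit-daddr` to key the count on the destination instead, which is closer to "one site hammering one host", and any destination the server must reach (the cPanel address in the log, for instance) needs an explicit ACCEPT rule placed before the connlimit rule.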
Hello,

Could you elaborate on the issue you are facing that's leading you to set up these rules? For instance, some of the solutions referenced in the following threads are helpful:

Prevent wordpress Brute Force Attacks
Outbound wp-login.php brute force attack from my cpanel server

Thank you.
Hello Michael!

Actually, I'm not having issues. I made this rule as a precaution because I do not want my server to make too many outbound connections. I know I need to allow some outbound connections for normal system operation, so I'd like to implement a limit that does not break cPanel in any way. I would also like other opinions about this from the community. Currently CSF allows the following outbound connections by default:

TCP_OUT = 20,21,22,25,26,37,43,53,80,110,113,443,465,587,873,993,995,2073,2077,2078,2079,2080,2082,2083,2086,2087,2089,2095,2096,2703,3306,5353
UDP_OUT = 20,21,53,113,123,465,873,6277,24441,5353

That's a lot of ports; is it really necessary? Can I block some of these outgoing ports or limit the number of connections to them? I'm setting up a server that will host many shared websites, so I want to tighten its security to avoid abuses that could harm the reputation of our IP. Let me know if I'm being too paranoid, and whether it is better to abandon this rule. I would really appreciate another opinion on this subject. As always, thank you!
Hello,

I'll leave this thread open for additional user feedback, but I did want to note that the following document is useful for seeing which ports are required for cPanel services: How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

Thank you.