The following procedure can be used to block IP addresses with the ConfigServer Firewall plugin in WHM.
IMPORTANT
ConfigServer Firewall software is not created by, provided by, or supported by cPanel. The following information is provided as a courtesy only, and cPanel support cannot provide assistance with performing the procedure outlined below. If you need assistance with configuring your ConfigServer Firewall, please reach out to ConfigServer support, or make use of the ConfigServer forums.
Also please keep in mind that it is possible to completely block yourself and others from accessing your server by editing firewall rules. Before making any changes to the firewall, you must confirm that you have console access to the server, meaning that you have the ability to connect to the server even if the server’s network is completely down or blocked. If you’re not sure how to do this, you must reach out to your hosting provider or datacenter for assistance with getting console access. cPanel support has no ability to assist with console access or firewall-related issues.
Procedure
To block a single IP address:
1. Log in to WHM as the root user
2. Navigate to: Home » Plugins » ConfigServer Security & Firewall
3. Scroll down to: “csf – Quick Actions”
4. Enter the IP that you need to block in the pink box
5. Click “Quick Deny”
If you have more complex blocking requirements:
1. Log in to WHM as the root user
2. Navigate to: Home » Plugins » ConfigServer Security & Firewall
3. Scroll to: “csf – ConfigServer Firewall”
4. Click the “Firewall Deny IPs” button
5. Review the configuration in full and review the comments to learn about the file
6. Take note that the comments mention that you can learn more by reading the /etc/csf/readme.txt file on the server
7. Next, add your desired rule to the configuration. The following are some examples from the readme.txt.
NOTE: One thing that is not mentioned below is that you can use CIDR notation to block a range of IP addresses. If you are unsure how to implement CIDR notation in this configuration, please reach out to the ConfigServer Forums or ConfigServer Support for advice. cPanel support does not have access to a reliable example of exactly what blocking a range looks like in this configuration.
/etc/csf/readme.txt
10. Advanced Allow/Deny Filters
###############################
In /etc/csf/csf.allow and /etc/csf/csf.deny you can add more complex port and
ip filters using the following format (you must specify a port AND an IP
address):
tcp/udp|in/out|s/d=port|s/d=ip|u=uid
Broken down:
tcp/udp  : EITHER tcp OR udp OR icmp protocol
in/out   : EITHER incoming OR outgoing connections
s/d=port : EITHER source OR destination port number (or ICMP type)
           (use a _ for a port range, e.g. 2000_3000)
           (use a , for a multiport list of up to 15 ports, e.g. 22,80,443)
s/d=ip   : EITHER source OR destination IP address
u/g=UID  : EITHER UID or GID of source packet, implies outgoing connections,
           s/d=IP value is ignored
Note: ICMP filtering uses the "port" for s/d=port to set the ICMP type.
Whether you use s or d is not relevant as either simply uses the iptables
--icmp-type option. Use "iptables -p icmp -h" for a list of valid ICMP types.
Only one type per filter is supported
Examples:
# TCP connections inbound to port 3306 from IP 11.22.33.44
tcp|in|d=3306|s=11.22.33.44
# TCP connections outbound to port 22 on IP 11.22.33.44
tcp|out|d=22|d=11.22.33.44
Note: If omitted, the default protocol is set to "tcp", the default connection
direction is set to "in", so:
# TCP connections inbound to port 22 from IP 44.33.22.11
d=22|s=44.33.22.11
# TCP connections outbound to port 80 from UID 99
tcp|out|d=80||u=99
# ICMP connections inbound for type ping from 44.33.22.11
icmp|in|d=ping|s=44.33.22.11
# TCP connections inbound to port 22 from Dynamic DNS address
# www.configserver.com (for use in csf.dyndns only)
tcp|in|d=22|s=www.configserver.com
# TCP connections inbound to port 22,80,443 from IP 44.33.22.11
d=22,80,443|s=44.33.22.11
8. Once you have added your desired rules, click on the “Change” button at the bottom of the page
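A malformed line in csf.deny is easier to catch before it is saved than after, so the advanced filter format quoted from readme.txt above can be checked first. The following Python linter is an added example, not part of the original article or of csf itself; it follows only the rules in the excerpt. The function names and the 1-65535 port bound are assumptions made here, and hostnames are rejected because the excerpt allows them in csf.dyndns only.

```python
import ipaddress

def _ports(value, proto):
    """Validate the port field: single port, lo_hi range, or list of up to 15."""
    if proto == "icmp":                      # for icmp the "port" is an ICMP type
        if not value:
            raise ValueError("missing ICMP type")
        return value
    parts = value.split("_") if "_" in value else value.split(",")
    if "_" in value and (len(parts) != 2 or "," in value):
        raise ValueError(f"bad port range: {value}")
    if len(parts) > 15:
        raise ValueError("multiport list is limited to 15 ports")
    for p in parts:
        if not p.isdigit() or not 1 <= int(p) <= 65535:  # bound is an assumption
            raise ValueError(f"bad port: {p!r}")
    if "_" in value and int(parts[0]) >= int(parts[1]):
        raise ValueError(f"bad port range: {value}")
    return value

def parse_filter(line):
    """Parse one advanced filter line into a dict; raise ValueError if malformed."""
    rule = {"proto": "tcp", "dir": "in", "port": None, "ip": None, "owner": None}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        if field == "":
            continue                         # empty slot, as in tcp|out|d=80||u=99
        elif field in ("tcp", "udp", "icmp"):
            rule["proto"] = field
        elif field in ("in", "out"):
            rule["dir"] = field
        elif key in ("u", "g") and value.isdigit():
            rule["owner"], rule["dir"] = (key, int(value)), "out"
        elif key in ("s", "d") and rule["port"] is None:
            rule["port"] = (key, _ports(value, rule["proto"]))
        elif key in ("s", "d") and rule["ip"] is None:
            rule["ip"] = (key, str(ipaddress.ip_address(value)))  # ValueError if invalid
        else:
            raise ValueError(f"unrecognised field: {field!r}")
    if rule["port"] is None:
        raise ValueError("a port (or ICMP type) is required")
    if rule["owner"]:
        rule["ip"] = None                    # readme: IP value is ignored with u=/g=
    elif rule["ip"] is None:
        raise ValueError("an IP address is required")
    return rule

# Example lines taken from the readme excerpt above.
EXAMPLES = ["tcp|in|d=3306|s=11.22.33.44", "tcp|out|d=80||u=99", "d=22,80,443|s=44.33.22.11"]
PARSED = [parse_filter(e) for e in EXAMPLES]
```

A line that omits the port, such as `tcp|in|s=11.22.33.44`, is rejected because the first s/d field is always read as the port.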
cPanel. “How to Block IPs with ConfigServer Firewall in WHM,” February 20, 2021. https://support.cpanel.net/hc/en-us/articles/1500002973762-How-to-block-IPs-with-ConfigServer-Firewall-in-WHM.