Firewall integration

benny@cpanel.net shared this idea 3 years ago
Open Discussion

As a server administrator and web hosting provider I would like cPanel to expand and deepen its firewall integration (specifically with iptables and firewalld), adding an interface in WHM that would allow root and root-enabled resellers to manage firewall rules.


This interface would likely also strongly impact (potentially obsolete) the Host Access Control interface, and strongly impact cPHulkD's interface.

Comments (9)

2

This feature will protect the services:


  • sshd
  • pure-ftpd
  • pop3
  • cpaneld
  • smtp

in descending order of attack frequency, with sshd having the largest number of attacks on an hourly basis.

2

cPanel trying to be everything to everyone will just reduce the speed of improvements to core services such as web server and interface improvements. There isn't really a good reason for cPanel to "reinvent the wheel" by trying to replace CSF which is such a fantastic free application already.

1

CSF is a good tool but not perfect. If it had the option to block all the attacks above, and a quick and easy install, it would give super security with small system effort.

1

Seems like it could be a good idea if cPanel were to concentrate on a firewall interface for firewalld, which comes installed with CentOS 7. Using iptables and CSF requires extra installs and configuring, but most single-server admins do not need anything that complicated. This would be especially helpful if cPHulk were to be integrated with it.

1

I think an in-house firewall solution would be amazing and would complement cPHulk very well. In fact, you could turn cPHulk itself into a complete firewall solution.

1

A well known plug-in provides all of the requested features... and much more! cPanel would be better served by addressing features with no current interface, or by adding new features or enhancing existing features that no one else has written plug-ins for.

1

If rpvw is referring to CSF I would reiterate that it does not use firewallD. (If there is another that is firewallD compatible, I am unaware of it.)


I created a duplicate feature request for a firewallD version (because I missed acenetgeorge's reference to firewallD above, thanks for merging, benny), so I'll re-post my thoughts from it below:


"Since CentOS now is going with firewallD as the default it would be nice (and I think pretty straightforward) to have an interface to run the various command line commands (firewall-cmd) to display/create/edit/remove rules in services. Also to create services and zones, and assign services to zones, and set the default zone; as well as basic firewalld control (restart/enable/disable). Adding permanence control would be good also. All of these things are easily done via command line, but managing rules with an overall view would be easier/faster in a GUI, and dealing with things like IP blocking would be quicker as well.

To me it seems pretty simple since firewall-cmd is already available; it's simply a matter of automating the execution... I would think."

3

I should imagine that if CSF determine that firewalld zones/services have any benefits over their current chains/rules based system, they will rapidly adopt it!

Bear in mind that it is supplied as a disabled service in CentOS 7 and needs to be enabled. As things stand, I believe this service is incompatible with the current CSF and, more importantly, LFD processes. I also cannot find out whether firewallD is compatible with ipset; perhaps someone can clear that up?

Once all the distros that cPanel supports have firewallD installed in them by default, the question of a cPanel interface to firewallD can be revisited. Having the option to install CSF and then enable firewallD under cPanel control is a disaster waiting to happen that WILL happen, because so few people bother to read the documentation before clicking. So, it falls to cPanel to protect their users from themselves by having to include code in their system to examine if CSF is installed (and therefore we can't enable firewallD), or if firewallD is active (and therefore we won't allow the installation of CSF)... I still maintain that cPanel have better things to code than trying to reinvent the wheel... leave it to CSF to look after the firewall and let cPanel do what they do best (and where is the coffee module, huh, huh, huh?)

As a couple of last thoughts: will firewallD still be around when iptables is dropped and we all go over to nftables? For how long will the developers of firewallD maintain the project? And is firewallD really targeted at and suitable for complex server deployment and control, or rather at desktop use for novices?

1

I agree with the logic of rpvw, but the cPanel docs say this:


Servers that run the CentOS 7, CloudLinux 7, and RHEL 7 operating systems require that you use the firewalld daemon.

  • While you can use the iptables command for temporary firewall rules, we recommend that you only use the firewall utilities on CentOS 7, CloudLinux 7, and RHEL 7 servers.


I can find posts on the cPanel help forum about iptables vs. CSF vs. firewallD, and also (unofficial) how-tos on how to switch to CSF from firewallD on CentOS 7, but the cPanel response on those is along the lines of "try it and let us know how it works."


On one hand cPanel admonishes "only use the firewall utilities" but then points us to (unofficial) posts on how to not do that, and to links to RHEL docs on firewallD (which also include how to incorporate iptables use along with or even instead of firewallD; no mention of CSF, of course).

Part of me feels like firewallD is the way to go (my current configuration) because it appears to be the direction the OS is going (though it comes with no firewall enabled), and another part of me feels like CSF would be more desirable as a management tool and just as effective as firewallD.


So this leaves me wanting to ask cPanel for an official stance on this. cPanel, time to weigh in...!

1

PS: regarding the last question about firewallD, iptables, and nftables, I found these interesting.

https://www.digitalocean.com/community/tutorials/how-to-migrate-from-firewalld-to-iptables-on-centos-7

https://www.centos.org/forums/viewtopic.php?t=57091


and [image: firewall_stack]

2

My great thanks to Pete Schaefers for the obvious depth of research, and time, he has dedicated to this; I have certainly learned a great deal.

I do feel that we should NOT be debating the merits of the firewalld software here; this is about whether cPanel should expend resources developing an interface to control firewall entries.

To date, cPanel has had no interface, relying on command line instruction, or the third party provided CSF interface that gives us so much more than just a set of static rules.

Irrespective of what intermediate instruction set is ultimately used to control the netfilters, I still think that cPanel should stay out of the firewall business. Since the docs already suggest that cPanel includes the cpanel service, which manages all of the rules in the /etc/firewalld/services/cpanel.xml file, and the scripts to include them in your firewalld rules, I see no need to go any further.

Once we have all established what the common and future firewall landscape will look like, and seen what CSF produce and if/how they integrate CSF and LFD and all their associated services, utilities and facilities into using firewalld, cPanel can make a judgment call; but if CSF does adopt firewalld, I would see no reason for cPanel to reinvent the wheel by developing their own competing interface.

As an afterthought: I wonder if we are all going about this from the wrong direction. Perhaps a far more universally useful tool would be the ability to open a terminal window from inside WHM, and then we could call things like the firewall-config firewalld graphical interface (and a whole host of other CLI commands) directly?!?
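The earlier post lists the firewall-cmd actions a GUI would wrap (add a service to a zone, make it permanent, reload), and this post points at the service definition in /etc/firewalld/services/cpanel.xml. The following is an added example, not cPanel's script or the firewalld project's code: it parses a constructed service file in the firewalld service XML format, flattens the port ranges so an admin can audit exactly what binding the service to a zone would open, flags anything outside an allow-list, and returns the equivalent permanent firewall-cmd calls. The port numbers in the sample are assumed, not taken from the shipped cpanel.xml.

```python
"""Audit a firewalld service definition and derive the firewall-cmd calls
that would bind it permanently to a zone.  Added example; assumes the
standard firewalld service XML layout (<service>, <short>, <port .../>)."""
import xml.etree.ElementTree as ET

# Constructed sample in the firewalld service file format; the ports are an
# assumption for illustration, not the contents of cPanel's cpanel.xml.
SAMPLE_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>cpanel-sample</short>
  <description>Constructed example service definition</description>
  <port protocol="tcp" port="2082"/>
  <port protocol="tcp" port="2083"/>
  <port protocol="tcp" port="2086-2087"/>
  <port protocol="udp" port="53"/>
</service>
"""

VALID_PROTOCOLS = ("tcp", "udp", "sctp", "dccp")

def parse_service(xml_text):
    """Return {'short': name, 'ports': [(proto, lo, hi), ...]} or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    ports = []
    for p in root.findall("port"):
        proto, spec = p.get("protocol"), p.get("port", "")
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        lo, _, hi = spec.partition("-")      # firewalld allows "lo-hi" ranges
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port spec {spec!r}")
        ports.append((proto, lo_n, hi_n))
    return {"short": root.findtext("short", ""), "ports": ports}

def exposed_ports(service):
    """Flatten ranges into individual (proto, port) pairs, sorted, for review."""
    return sorted({(proto, n) for proto, lo, hi in service["ports"]
                   for n in range(lo, hi + 1)})

def unexpected_ports(service, allowed):
    """Ports the service would open that are not in the admin's allow-list."""
    return [pp for pp in exposed_ports(service) if pp not in allowed]

def bind_commands(service_name, zone="public"):
    """Equivalent of the GUI 'assign service to zone, permanently' action."""
    return [f"firewall-cmd --permanent --zone={zone} --add-service={service_name}",
            "firewall-cmd --reload"]
```

Run the audit (exposed_ports and unexpected_ports) before issuing bind_commands, since a service file that silently opens an extra port is exactly what a zone-level view hides.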

2

Your last paragraph sums it up well, and though I desire the benefits of CSF (especially LFD), I am content to stay on firewallD from the CLI for now.

2

We are used to a clean interface with cPanel, so it would be great if they integrated the handling of the firewalld commands into a module, for optimal administration, such as fail2ban; that would be great.


With cPHulk they stop some of what fail2ban would do, but if we want to protect more services with rules, we cannot.


Here I leave a small screenshot of a plugin that works with Webmin, something lighter than cPanel and with less functionality, but which at least gives an idea of what we have talked about here.


Greetings, and I support the idea; I hope that soon, in some update, we find the firewalld plugin, or better yet one with fail2ban.



1

Agree with Juan regarding the benefits of having an integrated front end interface.


Here are some personal reasons for having the integrated interface, vs. a plugin or CLI:

- we already manage a variety of security features through WHM's interface (compiler access, cPHulk, Host Access, ModSecurity).

- Plugins may not be maintained over time

- My provider may not afford me the kernel modifications necessary to run CSF

- a UI front end to ipchains or firewalld would simplify the management

- we already have ipchains integrations from cPHulk and should enable more (i.e. from ModSecurity)
