CSF (Install) - Attack monitoring on cPanel | GOLINE
Goline Logo



  • Route RPKI validation April 1st, 2022
    RPKI is a security framework by which network owners can validate and secure the critical route updates or Border Gateway Protocol (BGP) announcements between public Internet networks. BGP is essentially the central nervous system of the Internet and one of its fundamental building blocks. The main function of BGP is to facilitate efficient routing between Autonomous Systems (AS), by building and maintaining the Internet routing table. The Internet routing table is effectively the navigation system of the Internet and without it, traffic would be unable to flow between its constituent networks. Unfortunately, routing equipment alone cannot distinguish between legitimate and malicious routing announcements,...
  • RIPE – Atlas Anchor February 17th, 2022
    We have become an even more integral part of the RIPE Atlas project by hosting an anchor, a device that allows for latency analysis of traffic between autonomous systems.https://atlas.ripe.net/probes/7073/RIPE Atlas anchors play an integral role in the RIPE Atlas network by acting both as enhanced RIPE Atlas probes with more measurement capacity, as well as regional measurement targets within the greater RIPE Atlas network. Anchors are able to perform many more measurements than a regular RIPE Atlas probe, and the large amount of data they collect is made available to everyone. In addition, anchors act as powerful targets that can...
  • MANRS June 20th, 2020
    GOLINE firmly believes in initiatives to protect networks, improve security and resilience of the global routing system. Therefore we decided to support the MANRS project and join as participants.Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats. MANRS offers specific actions via four programs for Network Operators, Internet Exchange Points, CDN and Cloud Providers, and Equipment Vendors. Requirements for Participation Please read the full MANRS Actions document before applying. You can become a participant if you meet these requirements: You (or your company) support...

CSF (Install) – Attack monitoring on cPanel

Paolo Caparrelli cPanel 22 June 2022

# Detect if an attack is in progress…

netstat -plant
– Filtra per IP
netstat -plant |grep -c

– Filtra per utente hosting
ps faux |grep paganico

# Counts connections for IP [ottimo modo per contare le sessioni per IP]
netstat -anp |grep 'tcp|udp' | awk '{print $5}' | sed s/::ffff:// | cut -d: -f1 | sort | uniq -c | sort -n

# Sessions count for IP
netstat -nA inet |awk '/^[ut]/{split($5,a,":");print a[1]}'|sort |uniq -c |sort -n

#To view the total number of connections to a port, run the following command in ssh
netstat -tuna | awk -F':+| +' 'NR>2{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

#To view  the total number of connections from a single ip, run the following command in ssh
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

#Show number of connections by state
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

#Show all IPs connected
netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

#Show number of connections per IP
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n 

#Per installare CSF su cPanel

To install CSF, run the following at the command line as the root user:

#wget http://configserver.com/free/csf.tgz
#tar -xzf csf.tgz
#cd csf & ./install.cpanel.sh

To configure CSF, use WHM's ConfigServer & Firewall interface (Home >> Plugins >> ConfigServer & Firewall).

PORTFLOOD = 80;tcp;100;5,22;tcp;5;300

CT_LIMIT = 50 (25 forse è meglio)
CT_PORTS = 80,443 (non mettere niente per tutte le porte)

 Porte configurate attualmente sui server cPanel

TCP_IN = 20,21,22,25,26,53,80,110,143,443,465,587,783,990,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,30000:50000
TCP_OUT = 20,21,22,25,26,37,43,53,80,111,113,443,465,587,873,990,2049,2077,2078,2079,2080,2089,2195,2703,30000:50000

UDP_IN = 53,161,465,783
UDP_OUT = 53,111,123,161,465,873,2049,20048,30000,33434:33523


Port  Service TCP  UDP  Inbound  Outbound  Notes
1 CPAN X     X The Show Available Modules option in cPanel's Perl Modules interface (cPanel >> Home >> Software >> Perl Modules) uses this port to improve the speed in which it appears.
20 FTP X   X X  
21 FTP X   X X  
22 SSH X   X (X)  
25 SMTP X   X X  
26 SMTP X   X X  
37 rdate X     X  
43 whois X     X  
53 bind X X X X  
80 http X   X X  
110 POP3 X   X    
111 NFS Sun X X   X  
113 ident X     X  
143 IMAP X   X    
443 https X   X X  
579 cPHulk          
783 Apache SpamAssassin X X X    
873 rsync X X   X  
993 IMAP SSL X   X    
995 POP3 SSL X   X    
2049 NFS Sun X     X  
2703 Razor X     X  
2077 WebDAV X   X X  
2078 WebDAV SSL X   X X  
2079 CalDAV and CardDAV X   X X  
2080 CadDAV and CardDAV SSL X   X X  
2082 cPanel X   X    
2083 cPanel SSL X   X    
2086 WHM X   X    
2087 WHM SSL X   X    
2089 cPanel Licensing X     X  
2095 WebMail X   X    
2096 WebMail SSL X   X    
2195 APNs X     X  
3306 MySQL X   (X)    
6277 DCC X X X X  
30000:50000 FTP Passive mode pool  X    
33434:33523 Traceroute pool    X    X  





0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x