Server firewall rules: allow and block by port/IP
Configure firewall rules on VPS servers with UFW or iptables. Allow SSH, HTTP, HTTPS, and block malicious IPs.
A firewall restricts which ports and IPs can connect to your server. Only expose ports you actively use — everything else should be blocked by default.
UFW (Ubuntu/Debian)
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh # Port 22
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS
ufw allow from 203.0.113.10 # Whitelist specific IP
ufw enable
ufw status verbose # View rules
iptables rules
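# Allow loopback traffic (local services talking to each other)
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Block all other incoming (set the policy last, after the ACCEPT rules are in place)
iptables -P INPUT DROP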
CSF on cPanel/WHM servers
ConfigServer Security & Firewall (CSF) is the standard firewall for cPanel/WHM servers:
- WHM → Plugins → ConfigServer Security & Firewall
- Add IPs to whitelist/blacklist via the web interface
- Block countries with LF_COUNTRY in csf.conf
Best practices
- Change SSH port from 22 to a non-standard port
- Whitelist your own IP before adding SSH restrictions
- Combine firewall with Fail2Ban for automatic IP blocking
- Review open ports periodically:
ss -tlnp
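The periodic review can be scripted by comparing network-reachable listeners against the ports the firewall is meant to allow. This is an added example, not part of the original article; the function names, the ALLOWED_PORTS list and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Flag TCP listeners that are reachable from the network but are not on
# the allowlist used in this article's rules (22, 80, 443).

ALLOWED_PORTS="22 80 443"   # assumption: mirrors the firewall rules above

# Reads `ss -tlnH` output on stdin and prints "port address" for every
# non-loopback listener whose port is not in $1 (space-separated list).
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; sub(/:[^:]*$/, "", addr)   # strip the trailing ":port"
            port = $4; sub(/.*:/, "", port)       # keep text after the last ":"
            # Loopback-only services are not reachable from outside.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) print port, addr
        }
    ' | sort -u | sort -n
}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      511                *:443              *:*
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      511          0.0.0.0:6379       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      100             [::]:8080          [::]:*
EOF
}

# On a live server: ss -tlnH | unexpected_listeners "$ALLOWED_PORTS"
sample_ss_output | unexpected_listeners "$ALLOWED_PORTS"
```

Any port it prints is a service bound to a public address that relies on the firewall alone for protection; either rebind it to 127.0.0.1, stop it, or add an explicit rule for it.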