Securing your cPanel hosting environment with a well-configured firewall is one of the most important steps to protect your server and website from unauthorized access, malicious traffic, and automated attacks. A firewall works as a protective layer between your server and the internet, allowing only trusted traffic to reach your services.

In this article, we’ll walk you through how to set up a firewall for your cPanel hosting, using proven tools and best practices to keep your server secure.

Why a Firewall Matters for cPanel Hosting

cPanel offers a user-friendly interface to manage hosting tasks, but like any publicly accessible system, it’s a potential target for:

  • Brute-force attacks on cPanel, SSH, or email accounts
  • Unauthorized login attempts
  • DDoS (Distributed Denial of Service) attacks
  • Exploits targeting open ports and services
  • Malicious bots and scanners

Implementing a firewall allows you to block harmful traffic, restrict access to sensitive ports, and monitor suspicious activity — all essential for a secure hosting setup.

Step 1: Installing a Firewall on Your Server

For cPanel hosting on VPS or dedicated servers from AVA.hosting, we recommend using CSF (ConfigServer Security & Firewall) — one of the most reliable firewall solutions tailored for cPanel/WHM environments.

How to Install CSF

  1. Connect to your server via SSH
    Use an SSH client (e.g., PuTTY) and log in as root:
    ssh root@your-server-ip
  2. Download and install CSF:
    cd /usr/src
    wget https://download.configserver.com/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
  3. Verify installation:
    csf -v

Once installed, CSF integrates directly into WHM for easy configuration.

Step 2: Configure CSF via WHM

Access CSF in WHM

Log into WHM → Search for “ConfigServer Security & Firewall” in the left-hand menu and open the plugin.

Key Configuration Steps:

  • Allow/Block IPs: Add trusted IPs to the allowlist and block known malicious ones.
  • Manage Ports: Define which ports stay open (e.g., 80, 443, 22). Close unused ports for extra safety.
  • Enable Alerts: Receive notifications about suspicious login attempts, port scans, or excessive resource usage.

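A fresh CSF install starts in test mode (TESTING = "1" in /etc/csf/csf.conf) to avoid accidental lockouts.

To activate the firewall:

csf -e      # Enable csf and lfd (rules still run in test mode)

After testing and verifying your settings, exit test mode by setting TESTING = "0" in /etc/csf/csf.conf, then restart the firewall. Note that csf -x disables csf and lfd completely, so do not use it for this step:

csf -r      # Restart csf and apply the active rules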

Step 3: Use Additional Security Features

LFD (Login Failure Daemon)

LFD, included with CSF, helps detect repeated failed login attempts and automatically blocks those IPs — protecting against brute-force attacks on SSH, cPanel, and email.

Country-Level Blocking

If your audience is limited to specific regions, you can restrict access from high-risk countries using GeoIP filters in CSF.

To block countries:

  • Edit the CSF config file: /etc/csf/csf.conf
  • Find CC_DENY and enter the country codes (e.g., RU,CN,IR)

Connection Tracking

Limit the number of simultaneous connections from a single IP to mitigate basic DDoS attempts.

  • In the CSF config, look for CT_LIMIT and define the maximum allowed connections.
  • Example: CT_LIMIT = "100"
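
The settings from Steps 2 and 3 can be checked with a short script. This is an added example, not part of CSF or of the original article: it reads a csf.conf-style file and reports test mode left on, a disabled CT_LIMIT, and inbound ports you did not intend to open. TESTING and TCP_IN are csf.conf settings the article does not name; the function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the csf.conf settings discussed in this article.
# Function names and the sample config are constructed, not part of CSF.

# Print the value of setting $2 from csf.conf-style file $1 (KEY = "value").
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Audit file $1 against the comma-separated list of ports you expect to be
# open ($2). Prints one finding per line; prints nothing if all checks pass.
audit_csf_conf() {
    conf=$1
    expected=",$2,"

    # TESTING = "1": a cron job clears the rules and lfd does not start.
    [ "$(conf_get "$conf" TESTING)" = "0" ] ||
        echo "TESTING is not 0: firewall is still in test mode"

    # CT_LIMIT = "0" (or unset) disables connection tracking.
    ct=$(conf_get "$conf" CT_LIMIT)
    [ "${ct:-0}" -gt 0 ] 2>/dev/null ||
        echo "CT_LIMIT is disabled: no per-IP connection limit"

    # Every inbound TCP entry should be one you deliberately opened.
    for port in $(conf_get "$conf" TCP_IN | tr ',' ' '); do
        case $expected in
            *",$port,"*) ;;
            *) echo "TCP_IN opens unexpected port $port" ;;
        esac
    done
}

# Constructed sample: test mode left on, no CT_LIMIT, FTP and MySQL exposed.
write_sample_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
TCP_IN = "21,22,80,443,3306"
CT_LIMIT = "0"
CC_DENY = ""
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_csf_conf "$sample" "22,80,443"
rm -f "$sample"
```

On a server, point audit_csf_conf at /etc/csf/csf.conf and pass the ports you chose in Step 2.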

Step 4: Monitor and Maintain Your Firewall

Once configured, it’s important to monitor firewall activity regularly to ensure your server stays protected.

View Logs

Use this command to view real-time logs:

tail -f /var/log/lfd.log

Keep Rules and Software Updated

  • Open new ports or allow new IPs as needed
  • Remove unused rules to keep the firewall clean
  • Keep CSF up to date:
    csf -u

Final Thoughts

Configuring a firewall is a fundamental part of securing your cPanel hosting. Tools like CSF make it easier to manage traffic, block threats, and stay in control of your server’s exposure.

Combined with strong passwords, regular updates, and smart access policies, a well-configured firewall gives you confidence that your online assets are safe.