First, let's install UFW:

$ sudo apt-get install ufw

Check the Status

$ sudo ufw status verbose

By default, UFW is disabled, so you should see something like this:

Status: inactive

Let’s set your UFW rules back to the defaults so we can be sure that you’ll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:

$ sudo ufw default deny incoming

Output:
Default incoming policy changed to ‘deny’
(be sure to update your rules accordingly)

$ sudo ufw default allow outgoing

Output:
Default outgoing policy changed to ‘allow’
(be sure to update your rules accordingly)

Allow SSH Connections

To configure your server to allow incoming SSH connections, you can use this UFW command:

$ sudo ufw allow ssh

Output:
Rules updated
Rules updated (v6)

This command works the same as the one above:

$ sudo ufw allow 22

Or, if SSH listens on a different port (2222 here):

$ sudo ufw allow 2222

Now that your firewall is configured to allow incoming SSH connections, we can enable it:

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Now let's add port access for IPFS:
4001 – default libp2p swarm port – should be open to the public on all nodes if possible
5001 – API port – provides write/admin access to the node – should be locked down, or opened only to your IP
8080 – Gateway

$ sudo ufw allow 4001
$ sudo ufw allow 5001
$ sudo ufw allow 8080/tcp

Reload

$ sudo ufw reload

Remove a Port

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 4001                       ALLOW IN    Anywhere
[ 3] 5001                       ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 4001 (v6)                  ALLOW IN    Anywhere (v6)
[ 7] 5001 (v6)                  ALLOW IN    Anywhere (v6)
[ 8] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)

$ sudo ufw delete 2
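
The rule numbers in the listing above shift after every delete, so removing several rules for one port by number (the IPv4 entry and its v6 twin) is easy to get wrong. The following is an added example and not part of the original notes: a small POSIX shell script that reads the output of sudo ufw status numbered, reports the rule numbers for a given port highest first, and emits the matching delete commands. The status text embedded in it is a constructed copy of the listing above; --force is ufw's own flag for skipping the y/n confirmation. The rule you would most want to find this way is the allow 5001 entry, which opened the API port to Anywhere rather than only to your IP as the port list recommends; delete it and re-add it with the allow from form shown further down.

```shell
#!/bin/sh
# Added example (not from the original notes): find the rule numbers that
# `sudo ufw status numbered` assigns to a port, so the right rules can be
# deleted. Numbers are returned highest first, because ufw renumbers the
# remaining rules after every delete.
#
# SAMPLE_STATUS is a constructed copy of the listing shown in the notes.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 4001                       ALLOW IN    Anywhere
[ 3] 5001                       ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 4001 (v6)                  ALLOW IN    Anywhere (v6)
[ 7] 5001 (v6)                  ALLOW IN    Anywhere (v6)
[ 8] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Usage: ufw_rule_numbers_for_port PORT   (status text on stdin)
# Prints the matching rule numbers on one line, highest first, e.g. "7 3".
ufw_rule_numbers_for_port() {
  # "[ 3] 5001 ..." -> "3 5001": rule number, then the first word of the To
  # column ("22/tcp" is reduced to "22" before comparing), highest number first
  sed -n 's/^\[ *\([0-9][0-9]*\)] *\([^ ][^ ]*\).*/\1 \2/p' |
    awk -v p="$1" '{ sub(/\/.*/, "", $2); if ($2 == p) print $1 }' |
    sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# Usage: ufw_delete_commands_for_port PORT   (status text on stdin)
# Emits one delete command per matching rule; --force skips the y/n prompt.
ufw_delete_commands_for_port() {
  for n in $(ufw_rule_numbers_for_port "$1"); do
    printf 'sudo ufw --force delete %s\n' "$n"
  done
}

# Stand-alone demo against the constructed sample: the API port rules.
printf '%s\n' "$SAMPLE_STATUS" | ufw_delete_commands_for_port 5001
```

Run the emitted commands in the order printed; deleting rule 7 before rule 3 keeps rule 3's number valid, whereas the other order would leave you deleting whatever moved into slot 7.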

Delete all firewall rules

$ sudo ufw reset

To allow connections to the WebUI (API port 5001) from a specific IP:

$ sudo ufw allow from 1.2.3.4 to any port 5001
$ sudo ufw reload

By default, port 80 (HTTP) is filtered on Red Hat 7: you can reach it from localhost itself but not from any other host. To open port 80 on RHEL 7 Linux we need to add an iptables rule, and RHEL 7 manages iptables through firewall-cmd. First add your port 80 rule with the following command:

# firewall-cmd --permanent --zone=public --add-port=80/tcp

Once you have added the rule, reload the firewall service:

# firewall-cmd --reload

Equivalently, you can allow the http service, or the port itself, in a named zone (replace <zone>, for example with public), then reload again:

# firewall-cmd --permanent --zone=<zone> --add-service=http

# firewall-cmd --permanent --zone=<zone> --add-port=80/tcp

You can check whether the port has actually been opened by running:

# firewall-cmd --zone=<zone> --query-port=80/tcp

# firewall-cmd --zone=<zone> --query-service=http

Log in as root over SSH and run the following commands to install CSF:

wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

If you would like to disable APF+BFD (which you will need to do to avoid conflicts):

sh disable_apf_bfd.sh

You can now configure csf and lfd in WHM, or edit the files directly under /etc/csf/.

To Configure the CSF Firewall

Go to the Home of your WHM dashboard and select the Plugins option from the navigation menu.

You will see the option ConfigServer Security & Firewall. Click on it.

Here, you will find a variety of options to configure the ConfigServer Security & Firewall application.

Click on the csf tab.

Scroll down a little to the csf – ConfigServer Firewall section and click on the Firewall Configuration button.

Configure as needed.

Disable Testing

Currently, your CSF installation is running in Test Mode; you have to turn it off.

Return to the csf – ConfigServer Firewall section and click the Firewall Configuration button.
Locate the TESTING option in the Initial Settings section.
Click the Off switch.

To stop spam:

Drop SMTP on ports 25, 465 and 587 to prevent further spam from being sent out, by running the following commands:

# /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
# /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 465 -j DROP
# /sbin/iptables -A INPUT -p tcp --dport 587 -j DROP
# /sbin/iptables -A OUTPUT -p tcp --dport 587 -j DROP

Restart:

# service iptables restart

Block an IP from accessing the site:

# iptables -A INPUT -s 80.35.xx.xxx -j DROP

Restart:

# service iptables restart

After that, check the cPanel access logs for the domain and see that there is a 403 error:

# tail -f /usr/local/apache/domlogs/gamedayboston.com

80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
80.82.xx.xx - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
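
Reading a tail -f by eye works for one noisy client, but a per-IP summary is quicker to check and harder to misread. The following is an added example, not part of the original notes: a POSIX shell script that counts, per client IP, the requests to a given path that received a given status, and lists the IPs at or above a threshold. The log lines inside it are constructed in the same Apache combined format as the entries above, using RFC 5737 documentation addresses. One caveat worth knowing when reading such logs: an iptables DROP discards the packets before Apache ever sees them, so a client blocked that way produces no log line at all; a 403 in the log means the web server itself refused the request.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise an Apache combined
# access log per client IP, to confirm a deny is working or to spot a client
# hammering one URL. SAMPLE_LOG is constructed; the addresses are RFC 5737
# documentation addresses, not real clients.
SAMPLE_LOG='203.0.113.5 - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
203.0.113.5 - - [07/Oct/2014:17:13:46 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [07/Oct/2014:17:13:50 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Oct/2014:17:13:51 -0400] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [07/Oct/2014:17:14:02 -0400] "POST /xmlrpc.php HTTP/1.1" 403 - "-" "Mozilla/5.0"'

# Usage: count_status_by_ip PATH STATUS   (log on stdin)
# Prints "COUNT IP" lines, most requests first. In the combined log format
# the request path is whitespace field 7 and the status code is field 9.
count_status_by_ip() {
  awk -v path="$1" -v code="$2" '
    $7 == path && $9 == code { hits[$1]++ }
    END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# Usage: ips_at_or_above PATH STATUS MIN   (log on stdin)
# Lists only the IPs with at least MIN matching requests, one per line;
# these are the candidates to review before adding a block rule.
ips_at_or_above() {
  count_status_by_ip "$1" "$2" | awk -v min="$3" '$1 >= min { print $2 }'
}

# Stand-alone demo: who is getting 403s on xmlrpc.php in the sample?
printf '%s\n' "$SAMPLE_LOG" | count_status_by_ip /xmlrpc.php 403
```

On a live server, replace the printf with tail -n 5000 /usr/local/apache/domlogs/DOMAIN and pipe that into the functions instead.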

How to add an IP allowed to access the Plesk panel and SSH

Open the file /etc/sysconfig/iptables and add rules for the Plesk panel port (8443) and the SSH port (10222 here):

# nano /etc/sysconfig/iptables
-A INPUT -s 72.177.xxx.xxx/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s 66.226.xx.xx/32 -p tcp -m tcp --dport 10222 -j ACCEPT

Save and restart iptables:

# service iptables restart
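
Two things decide whether a rule written into /etc/sysconfig/iptables actually takes effect. First, iptables evaluates a chain top to bottom, so an -A INPUT ... -j ACCEPT line placed after the default catch-all REJECT never matches; the same ordering applies to the DROP rules in the earlier sections. Second, rules added at the prompt with iptables -A live only in the kernel, and service iptables restart reloads the saved file, so either run service iptables save first or put the rule in the file as this section does. The following is an added example and not part of the original notes: a POSIX shell script that inserts an ACCEPT rule for one source address immediately before the catch-all, validating the address and port so that a typo cannot smuggle extra options into the rule. The rules file embedded in it is a constructed one in the default RHEL/CentOS layout, and the admin address is an RFC 5737 documentation address.

```shell
#!/bin/sh
# Added example (not from the original notes): insert an ACCEPT rule for an
# admin source address into a saved /etc/sysconfig/iptables file *before*
# the catch-all REJECT, since an -A line appended after it would never match.
# SAMPLE_RULES is a constructed file in the RHEL/CentOS default layout.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Usage: insert_allow_before_catchall SOURCE_CIDR TCP_PORT   (file on stdin)
# Writes the updated file to stdout. Accepts only an IPv4 address or CIDR
# (digits, dots, slash) and a numeric port; anything else is refused.
insert_allow_before_catchall() {
  case "$1" in *[!0-9./]*|"") printf 'bad source: %s\n' "$1" >&2; return 1 ;; esac
  case "$2" in *[!0-9]*|"")   printf 'bad port: %s\n'   "$2" >&2; return 1 ;; esac
  awk -v src="$1" -v port="$2" '
    # catch-all: an INPUT rule whose only option is the REJECT/DROP jump
    !done && $1 == "-A" && $2 == "INPUT" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") {
      printf "-A INPUT -s %s -p tcp -m tcp --dport %s -j ACCEPT\n", src, port
      done = 1
    }
    # no catch-all rule in the file: add it at the end of the rules, before COMMIT
    !done && $1 == "COMMIT" {
      printf "-A INPUT -s %s -p tcp -m tcp --dport %s -j ACCEPT\n", src, port
      done = 1
    }
    { print }'
}

# Usage: line_of_first_match PATTERN   (text on stdin) -> 1-based line number
# Handy for checking where a rule landed relative to the catch-all.
line_of_first_match() {
  grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Stand-alone demo: allow the Plesk panel (8443) from one admin address.
printf '%s\n' "$SAMPLE_RULES" | insert_allow_before_catchall 203.0.113.10/32 8443
```

To apply it for real, redirect the output to a new file, compare it against the original, copy it over /etc/sysconfig/iptables, then run service iptables restart as above.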