One of the most popular software firewall options for cPanel servers is the ConfigServer Security & Firewall (CSF). In late 2019, a number of web server administrators began noticing that previously filtered ports like SSH, MySQL and others, would inexplicably become open to all.
As you can imagine, from a security standpoint randomly opening ports is a very bad thing. The randomness and difficulty in duplicating this CSF bug made the situation all the more frustrating.
This past week, server support staff at TVCNet with the help of HackRepair.com (yours truly), dug further into this reported bug after I had noticed a port that would normally be closed from public access was open and accessible. Below is a snippet of the support email from TVCNet submitted to cPanel:
“Hi,
I wanted to bring this up, as it has personally been driving myself and my coworkers insane for the last year or so, and I’m finally getting some true information about it.
I see this recommended knowledge base article when writing this, and it still refers to this CPANEL-29051 which is listed as fixed in WHM 90 release notes.
https://support.cpanel.net/hc/en-us/articles/360045152533-cP-Firewall-1-INPUT-is-added-to-Iptables-when-performing-modifyacct-API-calls (cPanel Login Required)
Fixed case CPANEL-29051: Add modify_firewall as an optional param to the modifyacct API call.
The above doesn’t appear to have anything to do with this actual issue with account modifications and the like creating this chain cP-Firewall-1-INPUT that opens up everything from SSH to MySQL to the world.”
The support ticket goes on to explain to cPanel technicians that when using cPanel and the Configserver Security & Firewall or CSF under certain account modification events, cPanel will unwittingly create a new iptables chain called “cP-Firewall-1-INPUT” and cause filtered ports to be re-opened, including SSH, MySQL, and other potentially vulnerable services.
Following a lengthy review and demonstration by staff at TVCNet, cPanel staff were finally able to duplicate the bug, resulting in a new cPanel bug ticket, 33772. Below is the final response from cPanel to TVCNet:
Greetings again,
Thank you for your patience.
As a final update, I have published the following article cP-Firewall-1-INPUT rules can re-open filtered ports when using CSF (cPanel Login Required) with a brief summary of this issue as well as submitted the requested outcome of being able to specify which ports cPanel adds via something similar to Tweak Settings. I recommend following this article for any changes that may be made as a result to this case. Please let us know if we can be of further assistance or if you have any additional questions that we may be able to address
Conclusion?
Now that cPanel has a full understanding of this particularly nasty cPanel with CSF bug, this ongoing problem with some cPanel Firewall setups will be corrected within the next week or so thanks to to the diligence of staff at TVCNet in running this bug to the ground.