Executive Summary
Dedicated server security relies on a layered firewall approach: a network-level firewall (hardware or cloud provider), a kernel-level firewall (iptables/nftables managed via UFW or CSF), and application-layer protections (Fail2Ban or CSF's Login Failure Daemon). This article covers minimum viable UFW configurations for self-managed Ubuntu servers, ConfigServer Firewall (CSF) and LFD setup on cPanel-managed dedicated servers, brute-force rate limiting via iptables, and whitelist management to prevent lockouts during maintenance.
Firewall configuration is one of the most critical security measures for any dedicated server exposed to the public internet. This guide covers the layered approach to server firewalling, focusing on the two most common tools for dedicated servers in a hosting context: UFW (Uncomplicated Firewall) for self-managed Ubuntu servers and CSF (ConfigServer Firewall) for cPanel-managed dedicated servers.
There is no firewall management interface in the INNOVATECH GROUP portal. All firewall configuration described here is performed directly on the server via SSH or through the WHM/cPanel interface.
Prerequisites
- Root or sudo SSH access to a dedicated server
- For UFW sections: Ubuntu server (18.04 LTS or later)
- For CSF sections: A cPanel/WHM-managed dedicated server with CSF installed
- A second terminal session or console access available as a safety measure (to avoid locking yourself out)
- Familiarity with Linux command-line operations and basic networking concepts (ports, protocols, IP addresses)
Understanding the Firewall Layers
Security on a dedicated server is not a single tool — it is a series of layers, each addressing different types of threats:
Layer 1: Network Firewall
The outermost layer, typically managed by the data centre or cloud provider. This may be a hardware firewall appliance or a cloud-level firewall group. Changes to this layer usually require a support ticket to your hosting provider.
Layer 2: Kernel-Level Firewall
The Linux kernel's built-in packet filtering framework (netfilter). It is configured through iptables or, on newer distributions, nftables; recent Ubuntu and Debian releases ship iptables as a compatibility layer on top of nftables, which is why both UFW and CSF still work unchanged. UFW and CSF are management interfaces that generate those rules for you; they do not replace the kernel-level firewall, they simplify its configuration.
Layer 3: Application-Level Protection
Tools that monitor application logs and dynamically block malicious IPs:
- Fail2Ban — monitors log files for patterns (failed SSH logins, HTTP auth failures) and creates temporary firewall rules to block offending IPs.
- CSF/LFD — ConfigServer Firewall includes the Login Failure Daemon (LFD), which provides similar functionality tightly integrated with cPanel services.
Part A: UFW Configuration (Self-Managed Ubuntu Servers)
UFW is the default firewall management tool on Ubuntu. It provides a simple command-line interface for creating iptables rules.
Enable and Configure UFW
Set the default policies and enable the firewall:
# Default: deny all inbound, allow all outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow essential services
sudo ufw allow 22/tcp comment 'SSH'
sudo ufw allow 80/tcp comment 'HTTP'
sudo ufw allow 443/tcp comment 'HTTPS'
# Enable the firewall
sudo ufw enable
Critical safety step: Ensure you have allowed SSH before enabling UFW, on the port sshd actually listens on (22 unless /etc/ssh/sshd_config sets a different Port). If you enable UFW without that rule you will be locked out of the server, so keep the console or a second session available as described in the prerequisites.
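The steps above, as an added example that is not part of the original article: a small POSIX shell script that prints the same UFW baseline in a lockout-safe order, reading the real SSH port from sshd_config instead of assuming 22. It assumes OpenSSH's sshd_config syntax; the sample config it builds is constructed for the demo, and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): emit the UFW baseline in an
# order that cannot lock you out, allowing the port sshd actually listens on
# before "ufw enable". Assumes OpenSSH's /etc/ssh/sshd_config format.

# detect_ssh_ports FILE
#   Prints the port numbers from uncommented "Port" directives in FILE, one per
#   line, or 22 (OpenSSH's default) if the file sets none. "#Port 22" is a
#   comment and is ignored.
detect_ssh_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1" | sort -un)
    if [ -n "$ports" ]; then
        printf '%s\n' "$ports"
    else
        echo 22
    fi
}

# ufw_baseline_plan FILE
#   Prints the ufw commands to run, in order: default policies, SSH on the
#   detected port(s), HTTP/HTTPS, and only then "enable". Review the output,
#   then pipe it into "sudo sh" to apply; --force suppresses ufw's interactive
#   confirmation on enable so the pipeline does not stall.
ufw_baseline_plan() {
    echo 'ufw default deny incoming'
    echo 'ufw default allow outgoing'
    for p in $(detect_ssh_ports "$1"); do
        echo "ufw allow ${p}/tcp comment 'SSH'"
    done
    echo "ufw allow 80/tcp comment 'HTTP'"
    echo "ufw allow 443/tcp comment 'HTTPS'"
    echo 'ufw --force enable'
}

# Constructed sshd_config for a stand-alone demo: sshd was moved to port 2222
# and the default Port line was left commented out, a common real-world state.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#Port 22
Port 2222
PermitRootLogin no
EOF
ufw_baseline_plan "$demo_conf"
rm -f "$demo_conf"
```

On a live server run `ufw_baseline_plan /etc/ssh/sshd_config` first, read the plan, and only then pipe it into `sudo sh`; the point of separating planning from applying is that the SSH allow line is visible before anything is enabled.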
Verify the Rules
sudo ufw status verbose
Expected output:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # SSH
80/tcp                     ALLOW IN    Anywhere                   # HTTP
443/tcp                    ALLOW IN    Anywhere                   # HTTPS
With IPv6 enabled in /etc/default/ufw (the Ubuntu default), each rule is listed a second time with a (v6) suffix; that is expected, not a duplicate.
Restrict SSH by IP (Recommended)
If your team connects from known IP addresses, restrict SSH access to those IPs only. Add the specific rules first and delete the blanket rule last, so there is no moment at which the session you are working from is unreachable:
# Allow SSH from specific IPs only
sudo ufw allow from 196.xxx.xxx.xxx to any port 22 proto tcp comment 'SSH - Office IP'
sudo ufw allow from 102.xxx.xxx.xxx to any port 22 proto tcp comment 'SSH - Developer VPN'
# Only now remove the blanket SSH rule
sudo ufw delete allow 22/tcp
Replace the IP addresses with your actual IPs. If your IP changes frequently (e.g. residential ISP), consider using a VPN with a static IP as the SSH entry point.
Additional Ports for Specific Services
# MySQL (only if remote database connections are needed)
sudo ufw allow from 10.0.0.0/8 to any port 3306 proto tcp comment 'MySQL - Internal only'
# Redis (internal only): UFW does not filter loopback traffic, so a rule allowing
# 127.0.0.1 to port 6379 is unnecessary and has no effect. Keep Redis bound to
# 127.0.0.1 (the bind directive in redis.conf) and do not add a rule for 6379 at all.
# Custom application ports: open to Anywhere only if the service is genuinely public;
# otherwise restrict it with "from <address or CIDR>" as for MySQL above
sudo ufw allow 8080/tcp comment 'Application alt port'
UFW Logging
Enable logging to monitor blocked connections:
sudo ufw logging medium
Logs are written to /var/log/ufw.log. Review periodically for unusual patterns:
sudo tail -50 /var/log/ufw.log
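"Review periodically for unusual patterns" is easier with a summary than with raw lines. The following is an added example, not part of the original article: a shell function that counts [UFW BLOCK] entries by source address, protocol and destination port, which makes a port scanner (one source, many ports) or a brute-force attempt (one source, one port, many hits) stand out immediately. The log lines it runs on are constructed for the demo using RFC 5737 documentation addresses, in the format the netfilter LOG target writes to /var/log/ufw.log; the function name is this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): summarise UFW's block log.
# Each [UFW BLOCK] line is a netfilter LOG entry with KEY=VALUE fields;
# the fields of interest are SRC, PROTO and DPT (absent for ICMP).

# ufw_top_blocked LOGFILE [N]
#   Prints "count src proto dport" for the N (default 10) most frequent
#   blocked source/protocol/port combinations. [UFW AUDIT] and [UFW ALLOW]
#   lines are ignored; ICMP, which has no DPT, is shown with "-".
ufw_top_blocked() {
    grep -F '[UFW BLOCK]' "$1" | awk '
        {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") print src, proto, dpt
        }' | sort | uniq -c | sort -rn | head -n "${2:-10}" | awk '{ print $1, $2, $3, $4 }'
}

# Constructed sample log (not a real capture). One host hits SSH three times,
# another probes telnet twice, a third sends one SNMP probe and one ping.
UFW_SAMPLE_LOG=$(cat <<'EOF'
Jan 10 12:00:01 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=1 PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:02 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=2 PROTO=TCP SPT=51002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:03 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=3 PROTO=TCP SPT=51003 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:04 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:05 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40002 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:06 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6 PROTO=UDP SPT=33333 DPT=161 LEN=40
Jan 10 12:00:07 srv kernel: [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jan 10 12:00:08 srv kernel: [UFW AUDIT] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=8 PROTO=TCP SPT=33334 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
)

demo_log=$(mktemp)
printf '%s\n' "$UFW_SAMPLE_LOG" > "$demo_log"
ufw_top_blocked "$demo_log"
rm -f "$demo_log"
```

On a live server run `ufw_top_blocked /var/log/ufw.log` (or `ufw_top_blocked /var/log/ufw.log 25` for a longer list). At the default low logging level UFW logs only blocked packets; at medium it also logs rate-limited and some allowed traffic, which is why the function filters on the BLOCK tag rather than on every kernel line.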
Part B: CSF Configuration (cPanel-Managed Dedicated Servers)
ConfigServer Firewall (CSF) is the standard firewall tool for cPanel/WHM environments. It integrates tightly with cPanel services and includes the Login Failure Daemon (LFD) for automatic brute-force protection.
Accessing CSF
Via WHM:
- Log in to WHM (typically at https://YOUR_SERVER_IP:2087).
- Navigate to Plugins → ConfigServer Security & Firewall.
Via SSH:
sudo csf -v # Show the CSF version and whether TESTING mode is on
sudo csf -l # List the current iptables rules (csf -s starts the firewall; it does not display rules)
Key Configuration File
The main CSF configuration file is /etc/csf/csf.conf. Key directives:
sudo nano /etc/csf/csf.conf
Essential Directives
TESTING — CSF starts in testing mode by default. In testing mode a cron job flushes the rules every TESTING_INTERVAL minutes (5 by default) so a mistake cannot lock you out permanently, and lfd does not run, so there is no brute-force blocking until testing is switched off. Once you are confident your rules are correct:
TESTING = "0"
TCP_IN / TCP_OUT — Comma-separated list of allowed inbound and outbound TCP ports:
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"
These are typical values for a cPanel server. Add or remove ports based on your specific services. In particular, if sshd listens on a non-standard port, replace 22 here: any port missing from TCP_IN is closed the moment TESTING is turned off.
UDP_IN / UDP_OUT — Similar to TCP, but for UDP:
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
After editing, restart CSF:
sudo csf -r
Configuring LFD (Login Failure Daemon)
LFD monitors log files for failed login attempts and automatically blocks offending IPs. Key directives in /etc/csf/csf.conf:
# Block after 5 failed SSH login attempts within the LF_INTERVAL window set elsewhere in csf.conf
LF_SSHD = "5"
LF_SSHD_PERM = "3600" # Block for 1 hour (in seconds); a value of "1" means block permanently
# Block after 10 failed cPanel or WHM login attempts (both are written to the cPanel login log and counted here)
LF_CPANEL = "10"
LF_CPANEL_PERM = "3600"
# Webmin login failures; only relevant if Webmin is installed (WHM is covered by LF_CPANEL, not by this)
LF_WEBMIN = "10"
LF_WEBMIN_PERM = "3600"
# 0 = use the per-service thresholds above. Any value above 0 replaces them with a single
# combined failure counter and the individual LF_* thresholds are ignored.
LF_TRIGGER = "0"
LF_TRIGGER_PERM = "3600" # Only used when LF_TRIGGER is above 0
Restart CSF to apply LFD changes:
sudo csf -r
Whitelist Management
Entries in csf.allow are permitted through the firewall ahead of any deny rule, so your team's IPs and the INNOVATECH GROUP support team's IPs belong here. Note that lfd still counts login failures from allowed addresses unless you also set IGNORE_ALLOW = "1" in csf.conf or list them in /etc/csf/csf.ignore; do one or the other for addresses you must never lose.
Add to whitelist:
Edit /etc/csf/csf.allow:
sudo nano /etc/csf/csf.allow
Add one IP per line with an optional comment:
196.xxx.xxx.xxx # Office IP - your company
102.xxx.xxx.xxx # INNOVATECH support team
Apply the whitelist change:
sudo csf -r
Quick whitelist from command line:
sudo csf -a 196.xxx.xxx.xxx "Office IP - your company"
Remove from whitelist:
sudo csf -ar 196.xxx.xxx.xxx
CSF Testing Mode Safety Net
When first configuring CSF or making significant rule changes:
- Set TESTING = "1" in /etc/csf/csf.conf.
- Set TESTING_INTERVAL = "5" (rules flush after 5 minutes).
- Apply the rules: sudo csf -r.
- Verify you can still access the server.
- If you are locked out, wait 5 minutes for the automatic flush.
- Once confirmed, set TESTING = "0" and restart: sudo csf -r.
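The two places this procedure goes wrong are a TCP_IN that no longer contains the SSH or WHM port, and turning TESTING off before checking that. The following is an added example, not part of the original article or of CSF: a shell pre-flight that reads TCP_IN from a csf.conf-style file and reports any required port (the SSH port and the cPanel/WHM ports from the TCP_IN section above) that is missing, so the check runs before you set TESTING = "0". It assumes the standard csf.conf NAME = "value" syntax and the comma-separated TCP_IN format, including a:b port ranges; the sample config it builds is constructed for the demo and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article or from CSF): confirm that the
# ports you need to get back in are present in TCP_IN before leaving testing
# mode. Assumes csf.conf's  NAME = "value"  syntax and TCP_IN as a comma list
# in which an item may be a single port or an a:b range.

# csf_conf_get FILE NAME
#   Prints the quoted value of directive NAME (last occurrence wins, as in csf).
#   Commented-out lines (#NAME = ...) are not matched.
csf_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# csf_missing_ports FILE PORT...
#   Prints each PORT that FILE's TCP_IN does not cover, one per line.
#   Returns 1 if anything is missing, 0 if every port is present.
csf_missing_ports() {
    conf=$1; shift
    tcp_in=$(csf_conf_get "$conf" TCP_IN)
    rc=0
    for want in "$@"; do
        found=0
        for item in $(printf '%s\n' "$tcp_in" | tr ',' ' '); do
            case $item in
                *:*)
                    lo=${item%%:*}; hi=${item##*:}
                    if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then found=1; fi ;;
                *)
                    if [ "$item" = "$want" ]; then found=1; fi ;;
            esac
        done
        if [ "$found" -eq 0 ]; then echo "$want"; rc=1; fi
    done
    return "$rc"
}

# Constructed csf.conf fragment for a stand-alone demo: WHM's port 2087 was
# dropped from TCP_IN, the failure mode that locks you out of WHM after csf -r.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
#TCP_IN = "22,80,443,2082,2083,2086,2087"
TCP_IN = "22,80,443,2082,2083,2086,2095,2096"
EOF
if missing=$(csf_missing_ports "$demo_conf" 22 2083 2087); then
    echo "TCP_IN covers every required port; safe to set TESTING = \"0\""
else
    echo "Do NOT set TESTING = \"0\" yet; TCP_IN is missing port(s):"
    echo "$missing"
fi
rm -f "$demo_conf"
```

On a real server call it as `csf_missing_ports /etc/csf/csf.conf 22 2083 2087` (substituting your SSH port for 22) and treat a non-zero exit as a stop sign; the check is deliberately read-only so it can be run as often as you like while TESTING is still "1".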
Rate-Limiting SSH with iptables (Without CSF)
If your server does not have CSF installed and you want brute-force protection beyond a plain allow rule, you can add connection-rate rules directly with the iptables recent module. The rules must sit ahead of whatever rule accepts new SSH connections (insert them with -I as below, or order them first in your rule file); appended after an ACCEPT rule they are never evaluated:
# Record every new SSH connection attempt in the "SSH" list
sudo iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
# Drop the 5th and later new connections from the same address within 60 seconds.
# --update also refreshes the entry, so an address that keeps retrying stays blocked.
sudo iptables -I INPUT 2 -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
Important: these iptables rules live only in kernel memory and are lost on reboot. To make them persistent:
sudo apt install -y iptables-persistent
sudo netfilter-persistent save
The save command writes every rule currently loaded to /etc/iptables/rules.v4 and rules.v6, including rules added by other tools, so run it only when the live rule set is exactly what you want restored at boot.
If you are using UFW, do not mix in hand-written iptables rules: UFW flushes and rebuilds the tables on ufw disable and ufw reload, ufw status does not show foreign rules, and rules appended after UFW's own chains are never matched. Use UFW's built-in rate limiting for SSH instead:
sudo ufw limit 22/tcp comment 'SSH rate limit'
This denies new connections from an address that has attempted 6 or more in the last 30 seconds (earlier attempts are allowed); underneath, UFW implements it with the same recent module.
Common Failure Modes
| Symptom | Likely Cause | Action |
|---|---|---|
| Locked out of SSH after enabling UFW | SSH port not allowed before enabling | Use Hetzner Cloud console (or server KVM/IPMI) to access the server and fix rules |
| CSF blocks your own IP | Failed login attempts exceeded LFD threshold | Whitelist your IP in /etc/csf/csf.allow or wait for the temporary block to expire |
| cPanel/WHM inaccessible after CSF changes | Ports 2082–2087 not in TCP_IN | Access via console/KVM, edit /etc/csf/csf.conf, add ports, restart CSF |
| UFW rules not taking effect | UFW not enabled, or conflicting iptables rules from another tool | Run sudo ufw status to verify; check for Docker or fail2ban rule conflicts |
| Website unreachable after firewall changes | Port 80/443 not allowed | Verify with sudo ufw status or sudo csf -l |
Security Considerations
- No single firewall rule set is universally sufficient. Security requires a layered approach: network firewall, kernel-level firewall, application-level protections, regular software updates, and security auditing.
- Keep a second terminal session open when making firewall changes. If you lock yourself out in one session, the other remains connected.
- Regularly audit your firewall rules. Remove rules for services you no longer run. Review the whitelist for IPs that are no longer relevant.
- Do not disable the firewall for debugging and forget to re-enable it. If you need to temporarily bypass the firewall, add a specific allow rule for your IP instead.
- Combine firewall rules with software updates. A firewall does not protect against vulnerabilities in the services you expose. Keep Nginx, PHP, MySQL, and your application framework up to date.
When to Contact INNOVATECH GROUP Support
Open a support ticket if:
- You need changes to the hardware or network-level firewall managed by the data centre — these are above the kernel-level firewall and require provider intervention
- You are experiencing a DDoS or volumetric attack that overwhelms your server-level firewall — this requires upstream mitigation at the network level
- Your CSF or UFW rule changes have broken WHM or cPanel access and you cannot recover via the server console
- You need INNOVATECH GROUP's team to review your firewall configuration as part of a managed security service (this is typically a managed-service add-on)
- You are unsure whether your dedicated server plan includes managed firewall administration by the INNOVATECH GROUP team