Web Panel Compatibility

Antonios Voulvoulis edited this page Apr 26, 2026 · 7 revisions

NFTBan integration with web hosting control panels -- auto-detection, firewall rules, and management.


Overview

NFTBan provides native integration with popular web hosting control panels. When installed on a server with a control panel, NFTBan:

  1. Auto-detects the installed panel during installation
  2. Auto-enables required firewall ports for panel operation
  3. Isolates its nftables rules from panel-managed firewall rules
  4. Monitors panel login attempts for brute-force protection

NFTBan operates at the network layer using native nftables, while panels operate at the application layer. This design prevents conflicts and ensures both systems work together.


Supported Panels

| Panel | Detection Path | Panel Ports | Support Level |
|---|---|---|---|
| cPanel/WHM | /usr/local/cpanel | 2082, 2083, 2086, 2087, 2095, 2096 | Full |
| Plesk | /usr/local/psa | 8443, 8447, 8880 | Full |
| DirectAdmin | /usr/local/directadmin | 2222 | Full |
| CentOS Web Panel (CWP) | /usr/local/cwpsrv | 2030, 2031 | Standard |
| CyberPanel | /usr/local/CyberCP | 7080, 8090 | Standard |
| InterWorx | /usr/local/interworx | 2080, 2443 | Standard |
| VestaCP/HestiaCP | /usr/local/vesta | 8083 | Standard |

Support Levels:

  • Full: Comprehensive integration with enable/disable/status/report/repair/test commands
  • Standard: Basic port management with enable/disable/status commands

Auto-Detection Mechanism

During installation, NFTBan automatically detects installed panels by checking for their installation directories.

Detection Logic

The install script (install.sh) performs detection as follows:

# Detection checks from install.sh (lines 2845-2873)

# Detect cPanel
if [[ -d "/usr/local/cpanel" ]]; then
    DETECTED_PANEL="cpanel"
fi

# Detect DirectAdmin
if [[ -d "/usr/local/directadmin" ]]; then
    DETECTED_PANEL="directadmin"
fi

# Detect Plesk
if [[ -d "/usr/local/psa" ]]; then
    DETECTED_PANEL="plesk"
fi

# Detect CWP
if [[ -d "/usr/local/cwpsrv" ]]; then
    DETECTED_PANEL="cwp"
fi

# Detect CyberPanel
if [[ -d "/usr/local/CyberCP" ]]; then
    DETECTED_PANEL="cyberpanel"
fi

Auto-Enable Behavior

When a panel is detected:

  1. The panel is marked as enabled in /var/lib/nftban/panels/enabled.conf
  2. Panel-specific ports are loaded during nftban-core sync
  3. The panel name is shown in the installation summary

State File

Panel state is stored in:

/var/lib/nftban/panels/enabled.conf

Format:

# NFTBan Panel State Configuration
# Format: panelname=enabled|disabled
cpanel=enabled
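The two pieces above, the directory probes from install.sh and the enabled.conf state file, as an added example that is not NFTBan's own code. It reuses the detection paths from the Supported Panels table, but reports every matching panel rather than only the last one (in install.sh the checks run in sequence, so when two panel directories exist the last assignment wins), and it updates the state file one panelname= line at a time so entries for other panels survive. The ROOT prefix argument and the demo tree under mktemp are assumptions made so the probes can run against a throwaway directory instead of the live filesystem.

```shell
#!/bin/sh
# Added example, not NFTBan code. Detection paths follow the Supported Panels
# table; state file format follows /var/lib/nftban/panels/enabled.conf.

PANEL_PATHS="cpanel:/usr/local/cpanel
directadmin:/usr/local/directadmin
plesk:/usr/local/psa
cwp:/usr/local/cwpsrv
cyberpanel:/usr/local/CyberCP
interworx:/usr/local/interworx
vesta:/usr/local/vesta"

# detect_panels ROOT -> prints every panel whose directory exists under ROOT,
# one per line, in table order. ROOT is an assumed test prefix; pass "" for /.
detect_panels() {
    root="${1:-}"
    printf '%s\n' "$PANEL_PATHS" | while IFS= read -r entry; do
        name="${entry%%:*}"
        path="${entry#*:}"
        if [ -d "${root}${path}" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# set_panel_state FILE PANEL enabled|disabled
# Rewrites only the matching "panel=" line (appending it when absent) so that
# other panels' entries are preserved; a missing file gets the header comments.
set_panel_state() {
    file="$1"; panel="$2"; state="$3"
    case "$state" in
        enabled|disabled) ;;
        *) printf 'bad state: %s\n' "$state" >&2; return 1 ;;
    esac
    tmp="$(mktemp)"
    if [ -f "$file" ]; then
        awk -v p="$panel" -v s="$state" '
            index($0, p "=") == 1 { print p "=" s; found = 1; next }
            { print }
            END { if (!found) print p "=" s }
        ' "$file" > "$tmp"
    else
        printf '# NFTBan Panel State Configuration\n# Format: panelname=enabled|disabled\n%s=%s\n' \
            "$panel" "$state" > "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_panel_state FILE PANEL -> prints enabled, disabled, or unset
get_panel_state() {
    [ -f "$1" ] || { printf 'unset\n'; return 0; }
    v="$(awk -F= -v p="$2" '$1 == p { v = $2 } END { print v }' "$1")"
    printf '%s\n' "${v:-unset}"
}

# Demo on a constructed tree: fake Plesk and cPanel directories, state file
# written next to them rather than under /var/lib/nftban.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/usr/local/psa" "$demo_dir/usr/local/cpanel"
for p in $(detect_panels "$demo_dir"); do
    set_panel_state "$demo_dir/enabled.conf" "$p" enabled
done
cat "$demo_dir/enabled.conf"
```

Running the demo prints the two header comments followed by cpanel=enabled and plesk=enabled. The same set_panel_state call is a safer version of the manual enable shown under Troubleshooting, which truncates the whole file with a single redirect.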

Panel Commands

NFTBan provides a unified panel command for managing all supported panels.

Usage

nftban panel <panel_name> <action>

Supported Actions

| Action | Description |
|---|---|
| enable | Enable panel ports in firewall |
| disable | Disable panel ports in firewall |
| status | Show panel configuration status |
| report | Generate diagnostic report (Full support panels) |
| repair | Fix configuration issues (Full support panels) |
| test | Test panel connectivity (Full support panels) |

Panel Name Aliases

| Panel | Accepted Names |
|---|---|
| cPanel/WHM | cpanel, cp, cPanel, CPANEL |
| Plesk | plesk, Plesk, PLESK, psa |
| DirectAdmin | directadmin, da, DA, DirectAdmin |
| CWP | cwp, CWP, centos-web-panel |
| CyberPanel | cyberpanel, CyberPanel, cyber |
| InterWorx | interworx, InterWorx, iworx |
| VestaCP | vesta, vestacp, hestia, hestiacp |

Examples

# Enable cPanel ports
nftban panel cpanel enable

# Check DirectAdmin status
nftban panel directadmin status

# Run Plesk connectivity tests
nftban panel plesk test

# Generate cPanel diagnostic report
nftban panel cpanel report

# Repair DirectAdmin configuration
nftban panel directadmin repair

Panel-Specific Configuration

cPanel/WHM

Configuration File: /etc/nftban/conf.d/panels/cpanel/main.conf

Detection Path: /usr/local/cpanel

Key Ports

| Port | Service |
|---|---|
| 2082 | cPanel HTTP |
| 2083 | cPanel HTTPS |
| 2086 | WHM HTTP |
| 2087 | WHM HTTPS |
| 2095 | Webmail HTTP |
| 2096 | Webmail HTTPS |
| 2077-2080 | CalDAV/WebDAV |
| 8443 | WebSocket |

Port Configuration

# From /etc/nftban/conf.d/panels/cpanel/main.conf

# TCP INPUT
NFTBAN_CPANEL_TCP_IN="20,21,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,8443"

# TCP OUTPUT
NFTBAN_CPANEL_TCP_OUT="20,21,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# UDP INPUT
NFTBAN_CPANEL_UDP_IN="20,21,53,80,443"

# UDP OUTPUT
NFTBAN_CPANEL_UDP_OUT="20,21,53,113,123,873,6277,24441"

cPHulk Coexistence

cPanel's cPHulk brute force protection operates at the application layer using internal databases. NFTBan operates at the network layer. Both can run simultaneously without conflict.

However, running both may cause:

  • Duplicate ban decisions for the same IP
  • Inconsistent ban durations

Recommendations:

# Option 1: Disable cPHulk (let NFTBan handle protection)
whmapi1 configureservice service=cphulkd enabled=0

# Option 2: Disable NFTBan login monitoring (let cPHulk handle protection)
nftban login disable

xtables Compatibility

cPanel writes iptables REDIRECT rules for mail routing. These are translated to nftables but use xtables compatibility expressions that native nftables cannot load.

NFTBan automatically:

  1. Detects xtables compat expressions during installation
  2. Backs up original config to /var/backups/nftban/firewall-migration/
  3. Removes incompatible xt target/xt match lines
  4. Allows cPanel mail routing to continue via iptables-nft

See the xtables Compatibility subsection under Firewall Integration below for the technical details.

License Server Whitelist

cPanel licensing requires access to cPanel verification servers. Configure in main.conf:

# Auto-enable cPanel license server whitelist? (YES|NO|ASK)
NFTBAN_CPANEL_AUTO_LICENSE_WHITELIST="ASK"

Plesk

Configuration File: /etc/nftban/conf.d/panels/plesk/main.conf

Detection Path: /usr/local/psa

Key Ports

| Port | Service |
|---|---|
| 8443 | Plesk HTTPS (main panel) |
| 8447 | Plesk Update Manager |
| 8880 | Plesk HTTP (redirects to HTTPS) |

Port Configuration

# From /etc/nftban/conf.d/panels/plesk/main.conf

# TCP INPUT
NFTBAN_PLESK_TCP_IN="20,21,25,53,80,110,143,443,465,587,993,995,8443,8880"

# TCP OUTPUT
NFTBAN_PLESK_TCP_OUT="20,21,25,53,80,110,113,443,587,993,995,8443"

# UDP INPUT
NFTBAN_PLESK_UDP_IN="53,443"

# UDP OUTPUT
NFTBAN_PLESK_UDP_OUT="53,123,443"

Log Files

LOGIN_SERVICE_PLESK_LOG="/var/log/plesk/panel.log"
LOGIN_SERVICE_PLESK_ERROR="/var/log/sw-cp-server/error_log"
LOGIN_SERVICE_PLESK_ACCESS="/var/log/plesk/httpsd_access_log"

Commands

# Enable Plesk ports
nftban panel plesk enable

# Check Plesk configuration
nftban panel plesk status

# Test Plesk connectivity
nftban panel plesk test

# View diagnostic report
nftban panel plesk report

DirectAdmin

Configuration File: /etc/nftban/conf.d/panels/directadmin/main.conf

Detection Path: /usr/local/directadmin

Key Ports

| Port | Service |
|---|---|
| 2222 | DirectAdmin Panel |
| 35000-35999 | Passive FTP range |

Port Configuration

# From /etc/nftban/conf.d/panels/directadmin/main.conf

# TCP INPUT
NFTBAN_DIRECTADMIN_TCP_IN="20,21,25,53,853,80,110,143,443,465,587,993,995,2222,35000-35999"

# TCP OUTPUT
NFTBAN_DIRECTADMIN_TCP_OUT="20,21,25,53,853,80,110,113,143,443,465,587,993,995,2222"

# UDP INPUT
NFTBAN_DIRECTADMIN_UDP_IN="20,21,53,853,80,443"

# UDP OUTPUT
NFTBAN_DIRECTADMIN_UDP_OUT="20,21,53,853,113,123,443"

CloudFlare Requirement

DirectAdmin licensing servers are behind CloudFlare CDN. You MUST whitelist CloudFlare IP ranges for licensing to work.

# Enable CloudFlare whitelist
nftban trust enable CLOUDFLARE
nftban trust update

Configure auto-enable in main.conf:

# Auto-enable CloudFlare whitelist? (YES|NO|ASK)
NFTBAN_DIRECTADMIN_AUTO_CLOUDFLARE="ASK"

Log Files

LOGIN_SERVICE_DIRECTADMIN_LOG="/var/log/directadmin/login.log"
LOGIN_SERVICE_DIRECTADMIN_ERROR="/var/log/directadmin/errortaskq.log"

Other Panels

CentOS Web Panel (CWP)

Configuration File: /etc/nftban/conf.d/panels/cwp/main.conf

| Port | Service |
|---|---|
| 2030 | CWP Admin HTTP |
| 2031 | CWP Admin HTTPS |
| 2082 | User Panel HTTP |
| 2083 | User Panel HTTPS |

nftban panel cwp enable
nftban panel cwp status

CyberPanel

Configuration File: /etc/nftban/conf.d/panels/cyberpanel/main.conf

| Port | Service |
|---|---|
| 7080 | OpenLiteSpeed Admin |
| 8090 | CyberPanel Admin |

nftban panel cyberpanel enable
nftban panel cyberpanel status

InterWorx

Configuration File: /etc/nftban/conf.d/panels/interworx/main.conf

| Port | Service |
|---|---|
| 2080 | SiteWorx (User) HTTP |
| 2443 | NodeWorx (Admin) HTTPS |

nftban panel interworx enable
nftban panel interworx status

VestaCP / HestiaCP

Configuration File: /etc/nftban/conf.d/panels/vesta/main.conf

| Port | Service |
|---|---|
| 8083 | VestaCP/HestiaCP Admin |

nftban panel vesta enable
nftban panel vesta status

Firewall Integration

Port Management

NFTBan manages panel ports separately from other firewall rules:

  1. Safety Port (SSH): Always managed in /etc/nftban/ports.d/00-ssh.conf - never included in panel configs to prevent lockout
  2. Panel Ports: Defined in /etc/nftban/conf.d/panels/<panel>/main.conf
  3. Custom Ports: User additions via NFTBAN_<PANEL>_CUSTOM_TCP_IN variables

Adding Custom Ports

Edit the panel's main.conf file:

# Example: Add MySQL and PostgreSQL
NFTBAN_CPANEL_CUSTOM_TCP_IN="3306,5432"

Then sync:

nftban-core sync
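How the three port sources above combine into one firewall rule, as an added example that is not NFTBan's own code: it merges a panel's TCP_IN list with the matching CUSTOM_TCP_IN value, validates each entry as a port or an ascending range, deduplicates, and renders the result as an nftables set expression. The SSH safety-port check mirrors the rule that 00-ssh.conf is kept apart from panel configs. The function names, the nft rendering, and the sample DirectAdmin values (taken from this page, with 3306 added as the custom port) are assumptions for the demo; how nftban-core itself builds its rules is not shown on this page.

```shell
#!/bin/sh
# Added example, not NFTBan code: merge panel and custom port lists into an
# nftables set, dropping anything that is not a valid port or range.

# valid_port_spec SPEC -> 0 for a port 1-65535 or an ascending range lo-hi
valid_port_spec() {
    spec="$1"
    case "$spec" in
        *-*) lo="${spec%%-*}"; hi="${spec#*-}" ;;
        *)   lo="$spec"; hi="$spec" ;;
    esac
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]; then
        return 0
    fi
    return 1
}

# merge_ports LIST [LIST...] -> one comma-separated list, whitespace stripped,
# duplicates removed, numerically sorted. Invalid entries are reported on
# stderr and dropped rather than aborting the whole sync.
merge_ports() {
    printf '%s\n' "$@" | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' |
    while IFS= read -r spec; do
        if valid_port_spec "$spec"; then
            printf '%s\n' "$spec"
        else
            printf 'dropping invalid port spec: %s\n' "$spec" >&2
        fi
    done | sort -n | uniq | paste -sd, -
}

# nft_tcp_dport_set LIST -> e.g. tcp dport { 80, 443, 35000-35999 }
nft_tcp_dport_set() {
    printf 'tcp dport { %s }\n' "$(printf '%s' "$1" | sed 's/,/, /g')"
}

# list_covers_port LIST PORT -> 0 if PORT is inside any entry (port or range)
list_covers_port() {
    list="$1"; port="$2"
    printf '%s\n' "$list" | tr ',' '\n' | while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        case "$spec" in
            *-*) lo="${spec%%-*}"; hi="${spec#*-}" ;;
            *)   lo="$spec"; hi="$spec" ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            echo hit
        fi
    done | grep -q hit
}

# Demo: the DirectAdmin TCP_IN list from this page plus a constructed custom
# list that carries a duplicate (2222) and an out-of-range value (70000).
NFTBAN_DIRECTADMIN_TCP_IN="20,21,25,53,853,80,110,143,443,465,587,993,995,2222,35000-35999"
NFTBAN_DIRECTADMIN_CUSTOM_TCP_IN="3306, 2222, 70000"
merged="$(merge_ports "$NFTBAN_DIRECTADMIN_TCP_IN" "$NFTBAN_DIRECTADMIN_CUSTOM_TCP_IN")"
nft_tcp_dport_set "$merged"
if list_covers_port "$merged" 22; then
    echo "refusing: SSH safety port belongs in /etc/nftban/ports.d/00-ssh.conf" >&2
fi
```

The demo prints the merged set once, with 2222 listed a single time, 3306 in numeric position, and 70000 reported on stderr. Keeping invalid entries out of the rendered set matters because a single malformed element makes nft reject the whole ruleset load, which is the same failure mode as a panel whose ports were never opened.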

nftables Isolation

NFTBan uses its own nftables tables (table ip nftban and table ip6 nftban) which are completely isolated from any panel-managed firewall rules.

                     Linux Netfilter (Kernel)
┌─────────────────────────────────────────────────────────────────┐
│                                                                 │
│  ┌─────────────────────┐      ┌─────────────────────────────┐  │
│  │   nftables native   │      │      iptables-nft           │  │
│  │   (NFTBan rules)    │      │   (Panel mail routing)      │  │
│  │                     │      │                             │  │
│  │  table ip nftban    │      │  Translates iptables ->     │  │
│  │  table ip6 nftban   │      │  nftables at runtime        │  │
│  │  {                  │      │                             │  │
│  │    chain input ...  │      │  REDIRECT rules work here   │  │
│  │  }                  │      │                             │  │
│  └─────────────────────┘      └─────────────────────────────┘  │
│                                                                 │
│  Both operate in parallel - no conflict                         │
└─────────────────────────────────────────────────────────────────┘

xtables Compatibility

When nftables.service fails with:

Error: unsupported xtables compat expression

This is caused by iptables REDIRECT rules (commonly from cPanel mail routing) being translated to nftables with xtables compatibility expressions.

NFTBan Solution:

  1. Detects xtables compat expressions during installation
  2. Backs up original config
  3. Removes incompatible lines
  4. Panel mail routing continues via iptables-nft at runtime

To skip the fix if needed:

./install.sh --skip-xtables-fix
# or
NFTBAN_SKIP_XTABLES_FIX=1 ./install.sh
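The detect, back up and filter steps listed above, as an added example that is not NFTBan's own installer code. It works on a saved ruleset file: it lists the xt target / xt match lines, copies the file into a timestamped backup directory, and writes a filtered copy next to the original instead of editing it in place. The sample ruleset is constructed in the shape nft prints for iptables-nft REDIRECT rules, the backup directory is a mktemp path standing in for /var/backups/nftban/firewall-migration/, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not NFTBan code: find xtables compat lines in a saved
# nftables ruleset, back the file up, and produce a filtered copy.

# Constructed sample: NFTBan's own table plus a nat table carrying two rules
# that nft renders with compat expressions (xt target / xt match).
SAMPLE_RULESET='table ip nftban {
    chain input {
        type filter hook input priority 0; policy drop;
        tcp dport { 22, 2222 } accept
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
        meta l4proto tcp tcp dport 25 counter xt target "REDIRECT"
        meta l4proto tcp xt match "multiport" counter xt target "REDIRECT"
    }
}'

XT_PATTERN='(^|[[:space:]])xt (target|match) '

# xtables_compat_lines FILE -> prints "lineno:text" for each offending line
xtables_compat_lines() {
    grep -nE "$XT_PATTERN" "$1" || true
}

# strip_xtables_compat FILE BACKUP_DIR
# Copies FILE to BACKUP_DIR/<timestamp>/<name>.backup, writes FILE.fixed with
# the compat lines removed, and prints the number of lines removed.
strip_xtables_compat() {
    src="$1"; dest="$2/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    cp "$src" "$dest/$(basename "$src").backup"
    grep -vE "$XT_PATTERN" "$src" > "$src.fixed" || true
    before=$(wc -l < "$src" | tr -d ' ')
    after=$(wc -l < "$src.fixed" | tr -d ' ')
    echo $((before - after))
}

# Demo in a throwaway directory.
demo="$(mktemp -d)"
printf '%s\n' "$SAMPLE_RULESET" > "$demo/nftables.conf"
echo "compat lines found:"
xtables_compat_lines "$demo/nftables.conf"
echo "removed $(strip_xtables_compat "$demo/nftables.conf" "$demo/backups") line(s)"
echo "backup at: $(ls -d "$demo"/backups/*)"
```

Reviewing the listed lines before replacing the live config is the point of the separate .fixed file: each removed line is a whole rule, so the list tells you exactly which mail redirects will only exist through iptables-nft at runtime afterwards.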

Panel Service Accounts

NFTBan provides a secure integration model for hosting panels using dedicated service accounts and the nftban-panel group.

Security Model

Panel UI → nftban-panelctl wrapper → Polkit checks → systemctl reload

Layers:

  1. Unix group membership — Service account must be in nftban-panel group
  2. Polkit authorization — 30-nftban-panel.rules grants limited systemd access
  3. nftban-panelctl wrapper — Validates commands against registry RBAC (panel_expose=true)

Service Accounts

| Panel | Account Name | Group |
|---|---|---|
| DirectAdmin | nftban-da | nftban-panel |
| cPanel/WHM | nftban-cp | nftban-panel |
| Plesk | nftban-pl | nftban-panel |
| Webmin | nftban-wm | nftban-panel |

Creating Service Accounts

# DirectAdmin
sudo useradd -r -s /sbin/nologin -c "DirectAdmin NFTBan Integration" nftban-da
sudo usermod -aG nftban-panel nftban-da

# cPanel/WHM
sudo useradd -r -s /sbin/nologin -c "cPanel NFTBan Integration" nftban-cp
sudo usermod -aG nftban-panel nftban-cp

Allowed Operations

Panel service accounts can:

  • Query service status (systemctl status nftban-core.service)
  • Reload services (systemctl reload nftban-core.service)
  • Run read-only CLI commands via nftban-panelctl (status, health, list, stats)

Panel service accounts cannot:

  • Start/stop/restart services
  • Enable/disable services
  • Modify configuration
  • Ban/unban IPs directly (must use wrapper)

For the full permission matrix, see Security Architecture - Permission Matrix.


Login Monitoring

NFTBan monitors panel login attempts using the nftban-login-monitor daemon.

Detection Patterns

The panel detector (pkg/loginmon/detector/panel.go) uses signal-based detection:

| Panel | Log Pattern |
|---|---|
| DirectAdmin | FAILED LOGIN ... IP=<ip> |
| cPanel | FAILED LOGIN ... ip=<ip> or failed/invalid/blocked ... from <ip> |
| Plesk | Authentication failed ... from <ip> |

Log File Locations

| Panel | Log Path |
|---|---|
| cPanel | /usr/local/cpanel/logs/login_log |
| Plesk | /var/log/plesk/panel.log |
| DirectAdmin | /var/log/directadmin/login.log |
| CWP | /usr/local/cwpsrv/logs/access_log |
| CyberPanel | /usr/local/CyberCP/logs/access.log |
| InterWorx | /var/log/interworx/iworx.log |
| VestaCP | /var/log/vesta/auth.log |

Score System

Failed panel login attempts add to the IP's threat score:

// From panel.go
ScoreDelta: 20  // Each failed login adds 20 points

When the score threshold is reached, the IP is banned.
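The detection patterns and the score system together, as an added example that is not NFTBan's own detector (panel.go is Go; this is a shell sketch of the same logic). It matches each log line against the per-panel patterns from the table, extracts the offending address, adds ScoreDelta (20) per failure, and reports every address whose total reaches the threshold. The log lines are constructed to fit the documented patterns rather than copied from real panel logs, and the 100-point threshold is an assumption for the demo; the real threshold is configured elsewhere and is not stated on this page.

```shell
#!/bin/sh
# Added example, not NFTBan code: simplified panel failed-login scoring.

SCORE_DELTA=20      # matches ScoreDelta in panel.go
BAN_THRESHOLD=100   # assumed for the demo; not a value from this page

# failed_login_ip PANEL LINE -> prints the IPv4 address from a failed-login
# line and returns 0; prints nothing and returns 1 for any other line.
failed_login_ip() {
    p="$1"; l="$2"; ip=""
    case "$p" in
        directadmin)
            case "$l" in *"FAILED LOGIN"*)
                ip="$(printf '%s\n' "$l" | sed -nE 's/.*[[:space:]]IP=([0-9.]+).*/\1/p')" ;;
            esac ;;
        cpanel)
            case "$l" in
                *"FAILED LOGIN"*)
                    ip="$(printf '%s\n' "$l" | sed -nE 's/.*[[:space:]]ip=([0-9.]+).*/\1/p')" ;;
                *failed*|*invalid*|*blocked*)
                    ip="$(printf '%s\n' "$l" | sed -nE 's/.*[[:space:]]from ([0-9.]+).*/\1/p')" ;;
            esac ;;
        plesk)
            case "$l" in *"Authentication failed"*)
                ip="$(printf '%s\n' "$l" | sed -nE 's/.*[[:space:]]from ([0-9.]+).*/\1/p')" ;;
            esac ;;
    esac
    [ -n "$ip" ] && printf '%s\n' "$ip"
}

# ips_over_threshold PANEL THRESHOLD   (log lines on stdin)
# -> prints "ip score" for each address whose accumulated score >= THRESHOLD
ips_over_threshold() {
    panel="$1"; threshold="$2"
    while IFS= read -r line; do
        failed_login_ip "$panel" "$line" || true
    done | sort | uniq -c | awk -v d="$SCORE_DELTA" -v t="$threshold" \
        '$1 * d >= t { print $2, $1 * d }'
}

# Constructed DirectAdmin-style lines (documentation addresses): five failures
# from one address, one success and one failure from another.
SAMPLE_DIRECTADMIN="2026-04-26 10:00:01 FAILED LOGIN attempt user=admin IP=203.0.113.5
2026-04-26 10:00:02 FAILED LOGIN attempt user=admin IP=203.0.113.5
2026-04-26 10:00:03 FAILED LOGIN attempt user=root IP=203.0.113.5
2026-04-26 10:00:04 FAILED LOGIN attempt user=admin IP=203.0.113.5
2026-04-26 10:00:05 FAILED LOGIN attempt user=admin IP=203.0.113.5
2026-04-26 10:00:06 login ok user=alice IP=198.51.100.7
2026-04-26 10:00:07 FAILED LOGIN attempt user=bob IP=198.51.100.7"

printf '%s\n' "$SAMPLE_DIRECTADMIN" | ips_over_threshold directadmin "$BAN_THRESHOLD"
```

With the constructed input only 203.0.113.5 is reported (5 failures, score 100); 198.51.100.7 stays at 20. The cPanel branch shows why the page lists two patterns for that panel: the login_log wording differs between the FAILED LOGIN form and the failed/invalid/blocked ... from form, and a detector keyed on only one of them undercounts.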


Configuration Files

Directory Structure

/etc/nftban/
├── conf.d/
│   └── panels/
│       ├── cpanel/
│       │   └── main.conf
│       ├── plesk/
│       │   └── main.conf
│       ├── directadmin/
│       │   └── main.conf
│       ├── cwp/
│       │   └── main.conf
│       ├── cyberpanel/
│       │   └── main.conf
│       ├── interworx/
│       │   └── main.conf
│       └── vesta/
│           └── main.conf
└── ports.d/
    └── 00-ssh.conf          # SSH safety port (always separate)

/var/lib/nftban/
└── panels/
    └── enabled.conf         # Panel state file

Configuration Variables

Each panel config follows a consistent naming pattern:

# Installation path
NFTBAN_<PANEL>_PATH="/usr/local/<panel>"

# Panel ports
NFTBAN_<PANEL>_PANEL_PORT="<port>"
NFTBAN_<PANEL>_PANEL_SSL_PORT="<port>"

# Firewall ports
NFTBAN_<PANEL>_TCP_IN="<ports>"
NFTBAN_<PANEL>_TCP_OUT="<ports>"
NFTBAN_<PANEL>_UDP_IN="<ports>"
NFTBAN_<PANEL>_UDP_OUT="<ports>"

# Custom additions
NFTBAN_<PANEL>_CUSTOM_TCP_IN=""
NFTBAN_<PANEL>_CUSTOM_TCP_OUT=""

# Login monitoring
LOGIN_SERVICE_<PANEL>_LOG="<path>"

Troubleshooting

Panel Ports Not Open

Symptoms: Cannot access panel web interface

Check status:

nftban panel cpanel status

Fix:

nftban panel cpanel enable
nftban-core sync

Panel Detection Failed

Symptoms: Panel not auto-detected during install

Manual enable:

# Write state file manually
echo "cpanel=enabled" > /var/lib/nftban/panels/enabled.conf
nftban-core sync

Licensing Failures

cPanel: Ensure license server access:

nftban panel cpanel enable  # Follow prompts for license whitelist

DirectAdmin: Enable CloudFlare whitelist:

nftban trust enable CLOUDFLARE
nftban trust update

nftables.service Fails

Symptoms:

Error: unsupported xtables compat expression

Fix:

# Re-run xtables fix
nftban health repair

# Or restore backup and retry install
cp /var/backups/nftban/firewall-migration/*/nftables.conf.backup \
   /etc/sysconfig/nftables.conf

Port Conflicts

Symptoms: Port already in use error

Check listening ports:

ss -tlnp | grep :<port>

Check firewall rules:

nft list ruleset | grep <port>

Run Diagnostic

For full-support panels, use the report command:

nftban panel cpanel report
nftban panel directadmin report
nftban panel plesk report

This shows:

  • Installation status
  • Port configuration
  • Firewall status
  • Recommendations

Run Tests

nftban panel cpanel test

Tests verify:

  • Panel ports listening
  • Firewall rules active
  • Web server ports open
  • Mail server ports open
