Protect Your cPanel Server
from DDoS Attacks

Back to Blog

Why Shared Hosting Servers Are Targets

Shared hosting servers are attractive DDoS targets for a few reasons:

• Collateral damage: An attacker targeting one site on a shared server takes down every other site on that server. This makes the attack more impactful per dollar spent.
• Low-value targets: Small sites on shared hosting often have enemies (competitors, disgruntled users, extortionists) but lack dedicated DDoS protection.
• Predictable infrastructure: cPanel servers run on well-known ports (80, 443, 2082, 2083, 2086, 2087) and are easy to fingerprint.
• Limited mitigation: Most shared hosting providers rely on upstream null-routing, which takes the entire server offline rather than surgically blocking the attack.

The typical incident goes like this: a customer's site gets hit with a UDP flood. The server's network link saturates. Every site on the server goes offline. The hosting provider gets tickets from 50 customers. Someone at the data center null-routes the IP. The attack stops, but so does all legitimate traffic. Hours later, the null-route expires, traffic comes back, and everyone hopes it does not happen again.

There is a better way.

Installing Flowtriq on a cPanel Server

Because ftagent installs directly on the cPanel server (no external server needed), you get sub-second detection, PCAP capture, and automated on-server firewall rules. This is the most capable deployment mode Flowtriq offers.

Step 1: Sign up and get your deploy token

Create a Flowtriq account at flowtriq.com/signup. The 14-day free trial includes all features. Grab your deploy token from the dashboard under Settings > API.

Step 2: Install ftagent

SSH into your WHM server as root and run:

curl -sL https://get.flowtriq.com | sudo bash

The installer detects your OS (CentOS, CloudLinux, AlmaLinux, Rocky Linux, Ubuntu, Debian), installs ftagent as a systemd service, and prompts for your deploy token. The whole process takes about 2 minutes.

Alternatively, install via pip:

pip install ftagent
sudo ftagent --setup

Step 3: Verify

sudo ftagent --status

You should see traffic metrics appearing immediately. In the Flowtriq dashboard, your node shows up with real-time PPS, bandwidth, and protocol breakdown.

That is the entire installation. No configuration changes in WHM, no Apache or Nginx modifications, no firewall rule changes. ftagent reads kernel-level network counters and operates independently of your web stack.

What It Detects

Because ftagent runs directly on the server, it has full visibility into all traffic hitting the machine. It detects:

• SYN floods: Hundreds of thousands of SYN packets per second targeting port 80/443
• UDP amplification: DNS, NTP, memcached, CLDAP, and SSDP reflection attacks
• HTTP floods: Layer 7 floods that open legitimate-looking connections
• ICMP floods: Ping floods and ICMP-based resource exhaustion
• Slowloris: Slow-rate connection exhaustion attacks
• Port scanning: Reconnaissance scans across your server's port range

Each attack is classified with a confidence score, target IP, traffic volume, and packet characteristics. If your server uses dedicated IPs per cPanel account, Flowtriq identifies exactly which account is being targeted.

Automated Mitigation

When an attack is detected, ftagent can automatically deploy firewall rules on your cPanel server:

• iptables/nftables rules: Surgical rules that drop traffic matching the attack signature (specific protocol, source port, packet size patterns) without affecting legitimate web traffic
• BGP FlowSpec: If you have a BGP speaker, trigger upstream filtering automatically
• RTBH: Remote triggered blackhole routing for severe volumetric attacks
• Cloud scrubbing: Auto-divert via Cloudflare, OVH, or Hetzner APIs

The on-server firewall rules are the first line of defense. ftagent manages its own iptables chain and does not touch rules created by CSF (ConfigServer Firewall) or any other firewall tool. When the attack ends, ftagent removes its temporary rules automatically.

Compatibility with CSF

Many cPanel servers run CSF for brute-force protection and basic firewall management. ftagent and CSF coexist without conflict:

• ftagent uses its own iptables chain (FTAGENT), separate from CSF's chains
• ftagent never modifies CSF rules, allow lists, or deny lists
• During an attack, ftagent inserts rules in its chain; CSF continues operating normally
• When the attack ends, ftagent removes its rules; CSF is unaffected

CSF handles login brute-force protection. Flowtriq handles volumetric DDoS detection. They solve different problems and work well together.

How This Helps Hosting Providers Retain Customers

Hosting customers leave after unresolved downtime. When a DDoS attack takes down their site and the response is "we null-routed your IP, it should be back in a few hours," that customer starts looking at competitors.

With Flowtriq on your cPanel servers, you can:

• Detect attacks in under 1 second instead of waiting for customer complaints
• Tell customers exactly what happened: "Your IP received a 2.1 Gbps UDP amplification flood via DNS reflection. We detected it in 0.8 seconds and deployed iptables rules to drop the attack traffic. Your site stayed online."
• Show attack history with timestamps, classification, and traffic charts
• Offer DDoS protection as a feature in your hosting packages

The difference between "the server went down and we are not sure why" and "we detected and mitigated a DDoS attack automatically" is the difference between a lost customer and a loyal one.

Back to Blog

Related Articles