I don't know how you would do it on the server, but I use iptables. I set all ports to not allow incoming or outgoing traffic. Then I research which ports I'll actually use and allow incoming and outgoing traffic. Otherwise, all other connections are denied. Each host has its own setup, so you would need to find out what your host is using. I know the email here, from what I have read, is in the 2k like 2600. I'm not sure though. I don't know where, but somewhere in these forums I found a post with a list of all of the ports KH uses and why.
Yes, that is the list of functions you need to block PHP from using. However, if you need one for ImageMagick, you don't have to list it. You will take a risk that you may get attacked that way. In fact, the last time I helped repair a site that had been hacked, it was a JavaScript insertion but started in PHP by using eval() to insert the script into all index.php files within 2 subdirectories of public_html. Took about 3 hours to clean the entire site and check all 5k pages. I would say if you need ImageMagick and not just GD, then you can take the risk if you feel you need it.
As for the firewall, I found a good post in the General Linux forum. As I can't post the link yet, I will quote.
KH Paul said:
Ed,
I would suggest not using firewall management in the Power Panel - this is one of the ugliest things done by Parallels - firewall management in the Power Panel delivers extremely basic functionality and is very limited in what can be done there. I would suggest using iptables directly if you have knowledge of iptables rules/config syntax, or installing CSF to build iptables rules based on a few easy-to-define options. Also, if you use cPanel or DirectAdmin, CSF can be managed right through the web-based control panel.
Iptables rules defined on the backend won't show up in the Power Panel. And any kind of firewall changes made in the Power Panel will completely wipe out any iptables rules defined on the backend.
If I find the post with all the ports KH uses, assuming it is still true, I will quote it also.
Edit: Ok, I found it. It doesn't have everything, like pop3/imap/smtp ports but it gives a good deal of info.
As I can't quote or post a link to it, go to CPanel HOWTOs and Tutorials and then the thread KnownHost Cpanel logins and ports.
I would suggest doing a search for security in the forums. I found a number of good posts while researching in the forum. Some are years old, but give a good idea of what needs to be done.
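An added example, not part of the posts above and not KnownHost or Parallels code: a check for the two firewall points raised in the thread, the default-deny policy and backend iptables rules being wiped by a Power Panel change. It compares a saved `iptables-save` baseline with the current output; both rulesets and the ports in them are constructed samples, and the output is assumed to be saved without the `-c` counters option.

```python
# Added example: audit `iptables-save` output for default-deny and rule drift.
# BASELINE and WIPED are constructed samples; the ports are illustrative only.
BASELINE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""
# What a ruleset looks like after something has reset it to allow-all.
WIPED = """*filter
:INPUT ACCEPT [12:840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:612]
COMMIT
"""

def parse_ruleset(text):
    """Return ({(table, chain): policy}, {(table, rule)}) from iptables-save text."""
    policies, rules, table = {}, set(), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):        # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):      # chain header, e.g. :INPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):    # appended rule
            rules.add((table, line))
    return policies, rules

def audit(baseline_text, current_text, chains=("INPUT", "OUTPUT")):
    """Return findings; an empty list means default-deny holds and nothing drifted."""
    _, base_rules = parse_ruleset(baseline_text)
    cur_pol, cur_rules = parse_ruleset(current_text)
    findings = [f"filter/{c} policy is {cur_pol.get(('filter', c))}, expected DROP"
                for c in chains if cur_pol.get(("filter", c)) != "DROP"]
    findings += [f"missing from {t}: {r}" for t, r in sorted(base_rules - cur_rules)]
    findings += [f"unexpected in {t}: {r}" for t, r in sorted(cur_rules - base_rules)]
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, WIPED):
        print(finding)
```

The comparison ignores rule order, which iptables does not; a plain `diff` of the two saved files covers that case.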