To be honest, I haven't used PowerPanel, so I don't know how to deselect from using its firewall settings. I am sure one of the KnownHost support team could tell you how to keep from using it. On my Linux system at home, using Ubuntu, I have a simple GUI to manipulate the iptables. I am assuming, but not positive, that is what the CPanel controls would do. I assume from the quote I posted that if you edit the iptables via SSH, it will stay but not show up on PowerPanel. Again, I would make sure with them.
As for what I would do if I suspected, or did get shut down, due to a DOS attack: 1) Check the access logs. Are there a bunch of attempted logins into the server? Are there a bunch of attempted logins for users on the site that are suspicious? 2) Check the IP trying to access. Is it the same IP trying to access several different users or accounts on the site/server? Does it look like they are fishing for usernames and passwords? 3) Block the IP any access to your server, especially if they have gotten in. Notify the hosting immediately of the IP so they are aware of the attack from this IP. In shared hosting, this is especially essential as a breach in one account could mean a breach in all accounts. 4) Keep an eye on ftp account access, especially fishing for usernames and passwords on them. All the hacks I have had to deal with have dealt with unused ftp accounts that had full access to the account. On another note, do not let someone have an ftp account named admin. That is how the last attack on my site happened. It was supposed to be an ftp account with full access for all of our site admin, but was never used. Actually, add root to that as well. Admin and root will be the main accounts that will be attempted to be hacked.
The best thing to keep away a hacker is to make sure that all passwords are hard to guess. Most probably already know this, but passwords with no full words, capital and lowercase letters, numbers, and symbols are the best. I am sure there is someway to set this up in CPanel so they cannot set a password that doesn't have at least 1 capital letter and 1 symbol.
If you do get attacked, my priorities would be: 1) Take the site or server down if possible for clean up. 2) For a server, get rid of any unused server access accounts. You shouldn't need more access than one root and one user. For a site, get rid of any ftp/email/cpanel users that are not being used by anyone and could've been compromised. 3) Change all passwords to any users that are being used but have been compromised. 4) Block any IPs that made the attack, if you can figure out specifics from the access logs. 5) For a server, block any open port that shouldn't be open that they might have gotten through. 6) For a site, clean up any code insertions. For a server admin reselling shared hosting, notify any client of the security changes and especially if their site has been compromised. 7) Block any php functions that are being used to set up the attack, if it is a hack. 8) Once everything is cleaned, firewall checked, bring the server/site back up.
In most cases, taking the server down is not an option. For a site though, it is the best thing that can done. Especially since most of the "kiddie hacks" are script inserts that will only continue as long as one page with the hack is being viewed. Many forums, CMS, have the ability for the admin to go in and take the site offline, preventing any page from being available.
Sorry for the late reply on your question about first course of action.
Edit: Oh! Looks like I have another book I need to pick up. Thank you khiltd!