Block all access to cPanel Except through WHM?

satoo

Member
Feb 18, 2010
10
0
51
We own all the accounts and domains on our VPS, and there isn't a need to access cPanel outside of logging into WHM and then clicking on whichever user to login as.

We also don't want anyone to try to brute force each domain.com:2082 or each domain.com/cpanel etc.

Is this possible? Can you turn off all access to cPanel EXCEPT for logins through WHM?

If not, is the only solution to restrict to only our IPs? The problem there is when traveling, and we'd have to use noip.com and whitelist by hostname.
 

keat63

Well-Known Member
Nov 20, 2014
1,312
92
28
cPanel Access Level
Root Administrator
Host Access Control, can control access to the following services.
  • cPanel (cpaneld)
  • WHM (whostmgrd)
  • Webmail (webmaild)
  • Web Disk (cpdavd)
  • FTP (ftpd)
  • SSH (sshd)
  • SMTP (smtp)
  • POP3 (pop3)
  • IMAP (imap)

Host Access Control - Version 68 Documentation - cPanel Documentation

Just make sure that you whitelist yourself before adding any block rules.

In brief:

In the boxes type:
All
Your IP (or range of IP's)
Allow

To deny cpanel access type:

Cpaneld
All
Deny

Make sure any deny rules appear after the allow rules.
I VPN in to my local domain server to get around the travelling thing.
 
Last edited:
  • Like
Reactions: cPanelLauren

satoo

Member
Feb 18, 2010
10
0
51
Yeah, I'm aware of Host Access Control. What I'm asking is... is the ONLY solution to block by IP? The problem with that is there might be 5 IPs which need access to WHM, and they're not all static IPs. It presents a whitelisting annoyance if we block all other IPs. We could just use noip.com or similar dynamic DNS provider, and then whitelist 5 hostnames while denying all the others. I'm asking if there's any alternative to that, like to simply block port 2082/2083 and /cpanel ...while still retaining the ability to login via WHM.
 

keat63

Well-Known Member
Nov 20, 2014
1,312
92
28
cPanel Access Level
Root Administrator
closing the ports in CSF should also achieve what you're after.
did you try HAC to deny cpaneld

Cpaneld
All
Deny
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,816
541
263
Houston
cPanel Access Level
DataCenter Provider
You wouldn't need to block by IP for host access control @keat63 has it correct

The format is:
Code:
 service : IP address : action
Code:
cpaneld : ALL : Deny
This would disallow all IP's from accessing cPanel but not affect WHM access


We could just use noip.com or similar dynamic DNS provider, and then whitelist 5 hostnames while denying all the others.
All hostnames must resolve to an IP address - so I don't see how this would work in the way you're thinking it would.
 

satoo

Member
Feb 18, 2010
10
0
51
You wouldn't need to block by IP for host access control @keat63 has it correct

The format is:
Code:
 service : IP address : action
Code:
cpaneld : ALL : Deny
This would disallow all IP's from accessing cPanel but not affect WHM access




All hostnames must resolve to an IP address - so I don't see how this would work in the way you're thinking it would.
So I would still be able to login to WHM and be able to click the cP icon to login to a given user's cPanel account as them, even if denying cpaneld to all?


As for noip.com... you download an app that keeps them constantly updated with your current IP, or you manually login to their backend and update it as needed. Then the myusername.noip.com hostname will always resolve to your current IP.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,816
541
263
Houston
cPanel Access Level
DataCenter Provider
So I would still be able to login to WHM and be able to click the cP icon to login to a given user's cPanel account as them, even if denying cpaneld to all?
No, you'd have to allow specific IP's that you want to be able to access

As for noip.com... you download an app that keeps them constantly updated with your current IP, or you manually login to their backend and update it as needed. Then the myusername.noip.com hostname will always resolve to your current IP.
Not only would you still have to allow per IP address but you'd have to find a way to allow based on a hostname which I'm unaware of something that will do this. Most access control/firewalling is IP based not hostname based due to the fact that hostnames must resolve to an IP.
 

satoo

Member
Feb 18, 2010
10
0
51
No, you'd have to allow specific IP's that you want to be able to access



Not only would you still have to allow per IP address but you'd have to find a way to allow based on a hostname which I'm unaware of something that will do this. Most access control/firewalling is IP based not hostname based due to the fact that hostnames must resolve to an IP.
CSF has a setting for DYNDNS Whitelisting a Dynamic IP in CSF – Kindly do the needful

But what I really wanted to know was if there was alternative, without having to do it this way. I think this is what I'd have to do, as a VPN isn't really ideal for us.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
6,816
541
263
Houston
cPanel Access Level
DataCenter Provider
There isn't anything native to cPanel that will perform the function you're looking for in the way you're looking to do it.