
cPanel / WHM Services listen only on shared/primary IP address?

Discussion in 'Security' started by Tcalp, Jul 4, 2014.

  1. Tcalp

    Hey Guys,

    I was wondering how I would go about making cPanel/WHM services only available on the primary / shared IP. Namely, so that on dedicated IPs it's not 'easy' to see that they have a cPanel/WHM interface present.
     
  2. quizknows

    I usually do this with custom CSF rules.

    You can handle it 2 ways: one is to leave the ports open in csf.conf and use csf.deny to close them on the IPs you don't want them open on; the other is the opposite (close them in csf.conf, and use csf.allow to only open them on one IP).

    Before you do anything, make sure to whitelist your IP in csf.allow and restart csf. Don't lock yourself out of the box. You'll have to have someone in another location test for you, or use a phone or something that's not on your local wifi so it hits the server from another IP, since whitelisted IPs bypass closed ports.

    For the first example, leave the cPanel/WHM ports (i.e. 2082,2083,2086,2087, and so on) open in TCP_IN in csf.conf. In csf.deny, add these entries:

    Code:
    tcp|in|d=2082|d=123.123.123.124 #"do not delete"
    tcp|in|d=2083|d=123.123.123.124 #"do not delete"
    tcp|in|d=2086|d=123.123.123.124 #"do not delete"
    tcp|in|d=2087|d=123.123.123.124 #"do not delete"
    
    This will close the cPanel/WHM ports for the ip 123.123.123.124 and leave them open on the other IPs assigned to the server. You can duplicate the lines and change the IP to close the ports for other IPs.

    For the second example, if you only want the ports open on one IP, in csf.conf, remove the cPanel/WHM ports you want closed for the rest of the IPs (i.e. 2082,2083,2086,2087) from the TCP_IN list. Then in csf.allow, add:

    Code:
    tcp|in|d=2082|d=123.123.123.123 #"do not delete"
    tcp|in|d=2083|d=123.123.123.123 #"do not delete"
    tcp|in|d=2086|d=123.123.123.123 #"do not delete"
    tcp|in|d=2087|d=123.123.123.123 #"do not delete"
    
    Where 123.123.123.123 is the main IP of your server. This will allow those ports only on the specified IP. Run "csf -r" from a bash prompt and you're good to go.
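
An added example, not part of quizknows's post: a shell check that reads a csf.deny-style file and prints the per-IP port rules from the first method that are still missing for a list of dedicated IPs. It parses only the single-port `tcp|in|d=PORT|d=IP` form shown above; the function names, the sample file and the addresses 123.123.123.125 and 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a csf.deny-style file for the per-IP port rules in the thread.
# Assumption: only the single-port form tcp|in|d=PORT|d=IP is parsed.

# Print "IP PORT" for every inbound TCP rule naming a destination port and IP.
csf_port_rules() {
    awk '{
        sub(/#.*/, "")            # drop the trailing comment
        gsub(/[ \t\r]/, "")       # whitespace carries no meaning in these fields
        n = split($0, f, "|")
        if (n < 4 || tolower(f[1]) != "tcp" || tolower(f[2]) != "in") next
        port = ""; ip = ""
        for (i = 3; i <= n; i++) {
            if (f[i] ~ /^d=[0-9]+$/) port = substr(f[i], 3)
            else if (f[i] ~ /^d=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = substr(f[i], 3)
        }
        if (port != "" && ip != "") print ip, port
    }' "$1"
}

# Print the rule lines still needed so every PORT is covered on every IP.
# Usage: missing_rules FILE "2082 2083 2086 2087" IP [IP...]
missing_rules() {
    file=$1; ports=$2; shift 2
    have=$(csf_port_rules "$file")
    for ip in "$@"; do
        for port in $ports; do
            printf '%s\n' "$have" | grep -qxF "$ip $port" ||
                printf 'tcp|in|d=%s|d=%s #"do not delete"\n' "$port" "$ip"
        done
    done
}

# Constructed sample: .124 is fully covered, .125 lacks the WHM ports 2086/2087.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a real deny list
192.0.2.10 # plain IP entry, ignored by the audit
tcp|in|d=2082|d=123.123.123.124 #"do not delete"
tcp|in|d=2083|d=123.123.123.124 #"do not delete"
tcp|in|d=2086|d=123.123.123.124 #"do not delete"
tcp|in|d=2087|d=123.123.123.124 #"do not delete"
tcp|in|d=2082|d=123.123.123.125 #"do not delete"
tcp|in|d=2083|d=123.123.123.125 #"do not delete"
EOF
missing_rules "$sample" "2082 2083 2086 2087" 123.123.123.124 123.123.123.125
```

Run it against a copy of the deny file; any lines it prints are the entries to add before running "csf -r".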
     