Disable WHM terminal access or restrict it by IP?

[hicom]

I understand how convenient is the WHM/cPanel Terminal. However, we need to disable it.

The cPanel/WHM Terminal feature bypasses security restrictions such as requiring SU to login, IP Restrictions on Port 22.

You must see the security implications of having Terminal enabled on the root WHM account.

is there a way to restrict WHM root access to only specific IP addresses? It would be one-step more in making it harder for hackers to access the system even when root is compromised.

root WHM login IP restricted This article says no root IP restriction possible.

 

[cPanelMichael]

Hello @hicom,

You can create the /var/cpanel/disable_whm_terminal_ui touch file to disable the terminal application for WHM users. This includes both resellers with root access and the root user. Here's the full command:

touch /var/cpanel/disable_whm_terminal_ui

Keep in mind that if someone is able to access Web Host Manager as the root user, then that person already has the ability to generate SSH keys or run a temporary instance of SSH with default settings by running the SSH autofixer script.

Regarding the restriction of access to Web Host Manager, you can use WHM >> Host Access Control to enable IP-based access control:

Host Access Control - Version 72 Documentation - cPanel Documentation

However, note this applies to all access attempts to Web Host Manager, not just the root user.

Thank you.

 

[IndicHosts.net]

Another related issue is that when remote administrator login via SSH, through an SSH Gateway, we

1. Ensure IP security
2. Log the remote admin's activity and command logs
3. Even lot command outputs

Now they do not have to know the root password, just login vis SSH gateway, run whmapi to create a WHM session, then access terminal. Now their commands are totally invisible!

 

[cPanelMichael]

Hello @IndicHosts.net,

Creating the touch file will disable the Terminal feature in Web Host Manager if you prefer to not offer that feature to WHM users.

Thank you.

 

[brads]

I also really think this feature needs to be included. SSH allows us to restrict root logins to specific IP addresses, but having WHM accessible to root still leaves a huge gap.

Disabling root to WHM doesn't help, as our staff need access to be able to diagnose issues for customers.

If anyone else is looking for this feature, please go upvote the feature request:

https://features.cpanel.net/topic/limit-rootreseller-access-to-whm-by-ip

 

[Bentok]

Hello,

I run this command:

touch /var/cpanel/disable_whm_terminal_ui

Disabled the terminal, well wanted just to disable for users and now did it via features manager in whm, but now can't access terminal at all even via whm nor putty, how to enable it again? don't have access via shel, only whm, not even with managed root ssh keys, please advice how to enable whm terminal again?

Thanks!

 

[IndicHosts.net]

Hello,

I run this command:

touch /var/cpanel/disable_whm_terminal_ui

Disabled the terminal, well wanted just to disable for users and now did it via features manager in whm, but now can't access terminal at all even via whm nor putty, how to enable it again? don't have access via shel, only whm, not even with managed root ssh keys, please advice how to enable whm terminal again?

Thanks!

rm /var/cpanel/disable_whm_terminal_ui

 

[Bentok]

rm /var/cpanel/disable_whm_terminal_ui

Thanks for advice! the problem is now I don't have any access to terminal, not even putty, not even with sftp, so that's the problem can't remove that.

 

[IndicHosts.net]

Thanks for advice! the problem is now I don't have any access to terminal, not even putty, not even with sftp, so that's the problem can't remove that.

If its dedicated ask your DC for ipmi or kvmip as applicable. If its vps get vnc access to console and work from there