Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Disable WHM terminal access or restrict it by IP?

Discussion in 'Security' started by hicom, Jul 31, 2018.

Tags:
  1. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    282
    Likes Received:
    2
    Trophy Points:
    168
    I understand how convenient is the WHM/cPanel Terminal. However, we need to disable it.

    The cPanel/WHM Terminal feature bypasses security restrictions such as requiring SU to login, IP Restrictions on Port 22.

    You must see the security implications of having Terminal enabled on the root WHM account.

    is there a way to restrict WHM root access to only specific IP addresses? It would be one-step more in making it harder for hackers to access the system even when root is compromised.

    root WHM login IP restricted This article says no root IP restriction possible.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,827
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @hicom,

    You can create the /var/cpanel/disable_whm_terminal_ui touch file to disable the terminal application for WHM users. This includes both resellers with root access and the root user. Here's the full command:

    Code:
    touch /var/cpanel/disable_whm_terminal_ui
    Keep in mind that if someone is able to access Web Host Manager as the root user, then that person already has the ability to generate SSH keys or run a temporary instance of SSH with default settings by running the SSH autofixer script.

    Regarding the restriction of access to Web Host Manager, you can use WHM >> Host Access Control to enable IP-based access control:

    Host Access Control - Version 72 Documentation - cPanel Documentation

    However, note this applies to all access attempts to Web Host Manager, not just the root user.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. IndicHosts.net

    IndicHosts.net Active Member

    Joined:
    Mar 11, 2006
    Messages:
    40
    Likes Received:
    3
    Trophy Points:
    158
    Location:
    Online
    cPanel Access Level:
    Root Administrator
    Another related issue is that when remote administrator login via SSH, through an SSH Gateway, we
    1. Ensure IP security
    2. Log the remote admin's activity and command logs
    3. Even lot command outputs
    Now they do not have to know the root password, just login vis SSH gateway, run whmapi to create a WHM session, then access terminal. Now their commands are totally invisible!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,827
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @IndicHosts.net,

    Creating the touch file will disable the Terminal feature in Web Host Manager if you prefer to not offer that feature to WHM users.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice