Disable WHM terminal access or restrict it by IP?

hicom

Well-Known Member
May 23, 2003
289
2
168
I understand how convenient is the WHM/cPanel Terminal. However, we need to disable it.

The cPanel/WHM Terminal feature bypasses security restrictions such as requiring SU to login, IP Restrictions on Port 22.

You must see the security implications of having Terminal enabled on the root WHM account.

is there a way to restrict WHM root access to only specific IP addresses? It would be one-step more in making it harder for hackers to access the system even when root is compromised.

root WHM login IP restricted This article says no root IP restriction possible.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,917
2,248
363
Hello @hicom,

You can create the /var/cpanel/disable_whm_terminal_ui touch file to disable the terminal application for WHM users. This includes both resellers with root access and the root user. Here's the full command:

Code:
touch /var/cpanel/disable_whm_terminal_ui
Keep in mind that if someone is able to access Web Host Manager as the root user, then that person already has the ability to generate SSH keys or run a temporary instance of SSH with default settings by running the SSH autofixer script.

Regarding the restriction of access to Web Host Manager, you can use WHM >> Host Access Control to enable IP-based access control:

Host Access Control - Version 72 Documentation - cPanel Documentation

However, note this applies to all access attempts to Web Host Manager, not just the root user.

Thank you.
 

IndicHosts.net

Active Member
Mar 11, 2006
43
6
158
Online
cPanel Access Level
Root Administrator
Another related issue is that when remote administrator login via SSH, through an SSH Gateway, we
  1. Ensure IP security
  2. Log the remote admin's activity and command logs
  3. Even lot command outputs
Now they do not have to know the root password, just login vis SSH gateway, run whmapi to create a WHM session, then access terminal. Now their commands are totally invisible!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,917
2,248
363
Hello @IndicHosts.net,

Creating the touch file will disable the Terminal feature in Web Host Manager if you prefer to not offer that feature to WHM users.

Thank you.
 

brads

Registered
Oct 23, 2019
2
0
1
Australia
cPanel Access Level
Root Administrator
I also really think this feature needs to be included. SSH allows us to restrict root logins to specific IP addresses, but having WHM accessible to root still leaves a huge gap.

Disabling root to WHM doesn't help, as our staff need access to be able to diagnose issues for customers.

If anyone else is looking for this feature, please go upvote the feature request: