How Do I Redirect "Cpanel" and "WHM" URL to something anonymous?

Wabda20

Member
Jul 10, 2011
Hi, recently security has become my concern. I have a site that I don't host myself; I have the site on liquidweb.com VPS service. Now every time I want to access my WHM, I just type in mysite.com/whm

or if I want to access cPanel, I just type in mysite.com/cpanel

or there are specific numbers for this like mysite.com:2083 or something like that

I really want to change these URLs as these are extremely easy to predict.

For example, I had mysite.com/wp-admin (WordPress login page as you know), but now if I type that URL in my browser I will get nothing. Instead, I use a custom URL for the WordPress login page (like let's say mysite.com/24ffer34322). I got the script from someone else but I'm not sure if I can do the same for cPanel/WHM because it's not URL redirection related, I believe.

I generally don't feel safe with having a login page in public because I think everybody already knows mysite.com/whm and mysite.com/cpanel are default URLs to gain access to everything in your site whenever you have cPanel installed on your web host. :(
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
You cannot change this. What you can do is create a very hard to guess password though, and is suggested.

This: mysite.com/24ffer34322 does not make your wordpress login more secure, it only makes it tougher to find. Once found if you're using a weak password, it will be logged into by someone who wants to login.

Use the cPanel password generator and generate a nice long hard to guess at password.
 

ServerMascot

Member
Jan 17, 2011
Try to change the ScriptAliasMatch directive in apache conf file.

eg: ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi

In this the expression cpanel is matched in the URL and it is redirected according to the cPanel redirect script. You can write a script of your own to redirect and replace in place of /usr/local/cpanel/cgi-sys/redirect.cgi.

Best Regards,
Vaisakh B
ServerMascot
 

Wabda20

> Try to change the ScriptAliasMatch directive in apache conf file.
>
> eg: ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi
>
> In this the expression cpanel is matched in the URL and it is redirected according to the cPanel redirect script. You can write a script of your own to redirect and replace in place of /usr/local/cpanel/cgi-sys/redirect.cgi.
>
> Best Regards,
> Vaisakh B
> ServerMascot

Thanks a lot, will try today and tell you the result


> Infopro:
>
> You cannot change this. What you can do is create a very hard to guess password though, and is suggested.
>
> This: mysite.com/24ffer34322 does not make your wordpress login more secure, it only makes it tougher to find. Once found if you're using a weak password, it will be logged into by someone who wants to login.
>
> Use the cPanel password generator and generate a nice long hard to guess at password.

I'm sorry my friend, but I am not that retarded. Obviously I know a long password is needed. I always have a long password and I always write down EVERY one of my long passwords in my book (instead of storing them on my computer). I still need more security though; having your login form public is actually a bit naive. I got hacked a year ago by someone who is probably not a usual hacker. I don't know how he freakin got access to my email address, but I was very sure I didn't have malware on my Mac. I used a Mac and I even ordered a new MacBook since that hacking tragedy. Unfortunately, a few weeks later, after he knew my other email address username, he hacked it again. So you tell me what went wrong... definitely my password was something like ijfioewjfm<[email protected]

But again, after I became very anonymous (never revealing my email address to anyone, and using a separate email address for each messenger account and website), he was never able to gain access to any of my sites/accounts anymore. It proves that he never had malware on my computer; instead he could hack me by exploiting ONLY my username. That was on Yahoo email though. Now how do you think he can't get access by simply typing site.com/cpanel if he can get access to Yahoo by just knowing my username? You can laugh at me and say "such a great hacker doesn't exist", but I know what I was dealing with, my friend. I am an internet marketer myself, so I am sure I never click/fill in any stupid phishing form, as I know internet tricks in and out.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
I have to highly suggest using WHM > Host Access Control to allow whostmgrd access for WHM to only the IPs you are using, then block all other IPs. This way, anyone who is trying to access WHM even upon guessing the url will not be able to even load the page to try to input passwords.
 

Wabda20

Thanks cPanelTristan, but what if my IP is dynamic? Let's say my IP, every time I restart my connection, always resolves around:
182.200.10.xx
and 202.200.10.xx

These "xx" numbers are always different. Sometimes 02, 03, 45, etc.

How do I get around this? Do I need to use a static IP for this?

Also, can I just "allow access" to a specific country's IPs? I am afraid that if I do this and one day my connection is down and at the same time I need to access my site for urgent reasons, and I use another ISP (like a mobile connection), then I am simply unable to access my site because of this filter...
 

Wabda20

Also @ServerMascot, how do I access the apache conf file?

Plus, let's say I want to redirect /cpanel to something like "/12345", how do I do that?

You mentioned: ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi

Now what do I write there to get the cPanel URL to "/12345"?
 

cPanelTristan

You wouldn't be able to allow access to a specific country's IP numbers. If you are only blocking WHM access but not root SSH access, there's no reason to be worried about being unable to get into the machine to allow extra IPs at that point. The file that handles the WHM > Host Access Control is /etc/allow.hosts file, so you could always log into root SSH and edit the file to add more IPs for whostmgrd access.

As for adding a range of IPs, WHM > Host Access Control area will not accept a range of IP addresses. These would need to be added individually. Here's a link to our documentation talking about that area:

Host Access Control
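
The allow-then-deny setup described in the replies above, modelled as an added example (not part of the original thread and not cPanel's own code). It assumes rules of the form `daemon : address : action`, evaluated first-match with no match meaning allow, in the TCP wrappers style; the rule text and all addresses are constructed.

```python
import ipaddress

# Constructed sample rules. The "daemon : address : action" syntax is an
# assumption (TCP-wrappers style); addresses are documentation-range samples.
SAMPLE_RULES = """\
# addresses I connect from, added one by one
whostmgrd : 203.0.113.10 : allow
whostmgrd : 203.0.113.45 : allow
whostmgrd : ALL : deny
"""


def parse_rules(text):
    """Return (daemon, client, action) tuples; blanks and # comments skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[2].lower() not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        daemon, client, action = parts
        if client.upper() == "ALL":
            client = "ALL"
        else:
            # Individual IPv4 addresses only: a range such as 203.0.113.0/24
            # or a partial address raises ValueError here.
            client = str(ipaddress.IPv4Address(client))
        rules.append((daemon, client, action.lower()))
    return rules


def decide(rules, daemon, client_ip):
    """First matching rule wins; with no match the connection is allowed."""
    ip = str(ipaddress.IPv4Address(client_ip))
    for rule_daemon, client, action in rules:
        if rule_daemon in (daemon, "ALL") and client in (ip, "ALL"):
            return action
    return "allow"


def locked_out(rules, daemon, my_ips):
    """Which of my own addresses (e.g. after a dynamic-IP change) are denied."""
    return [ip for ip in my_ips if decide(rules, daemon, ip) == "deny"]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("203.0.113.10", "203.0.113.99", "198.51.100.7"):
        print(ip, "whostmgrd ->", decide(rules, "whostmgrd", ip))
    print("sshd from 198.51.100.7 ->", decide(rules, "sshd", "198.51.100.7"))
```

The last line of output reflects the point about root SSH: because the deny rule names only whostmgrd, SSH stays reachable from an address WHM refuses, so the list can still be edited after a dynamic IP change.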