The Community Forums

Interact with an entire community of cPanel & WHM users!

How to limit Access to CPanel from 1 IP?

Discussion in 'General Discussion' started by lvlind, Jul 19, 2009.

  1. lvlind

    How to limit access to cPanel from 1 IP? Is it possible to do this without using a .htaccess file?
     
    #1 lvlind, Jul 19, 2009
    Last edited: Jul 19, 2009
  2. chirpy

    The simplest way would be to use an iptables firewall and block access to the relevant ports and only open access to those ports to specific IP addresses.
     
  3. serversignature

    True, you can use iptables to rate-limit incoming connections.
     
  4. eth00

    Out of curiosity, how would you use rate limiting to help here over just blocking all and allowing one IP?
     
  5. serversignature

    Limit if not from my source IP

    -s ! $MY_IP -m limit
     
  6. chirpy

    Won't that still allow non-matching IP addresses to connect at 3/hour (the default for the --limit rate)?
     
  7. serversignature

    Yes, that needs to be checked.

    .
     
  8. Spiral

    Everyone completely lost me at the rate limiting discussion, since the original poster's question was about "limiting access", which almost always refers to blocking connections to all IPs except the poster's own IP address ...

    I can only speculate about the reason why they would want to block other connections, and it is a bit odd since it would effectively make the server usable by the owner only and not by anyone else who might otherwise have accounts on the server. Perhaps they only have the server set up for their own use?

    However ...

    Code:
    iptables -A INPUT -s ! x.x.x.x -p tcp --dport 2082:2087 -j DROP
    (By the way, x.x.x.x is your IP address and DO NOT forget the exclamation point!)

    For those not so versed in the use of IPTABLES, the above command basically tells the firewall to drop all TCP packets destined for ports 2082 through 2087 (cpanel port) which do not originate from the given IP address.

    The above just kills connections to all except for the IP given. As for rate limiting connections though ....

    Here is a set of rules to rate limit Cpanel connections to 3 attempts per minute to all except a specific IP address PLUS if any rate limited visitor establishes any additional NEW connections beyond the allowed 3 within a 60 second period following a previous allowed connection and sends more than 5 packets, they get their connections to Cpanel dropped entirely so that will help prevent anyone trying to flood opening up Cpanel logins as well :

    Code:
    iptables -A INPUT -s ! x.x.x.x -p tcp --dport 2082:2087 -m state --state NEW -m recent --set
    iptables -A INPUT -s ! x.x.x.x -p tcp --dport 2082:2087 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
    
    To ServerSignature:

    You may want to be a little more careful with those IPTABLE recommendations:
    Code:
    -s ! $MY_IP -m limit
    If someone were to use exactly what you posted, you would rate limit not just CPANEL but EVERY CONNECTION on the entire server that doesn't originate from the source IP address. That means that FTP, normal web access (ouch!), email, and completely everything will be rate limited and not just by service type either! Each and every connection made to the server that didn't originate from the specified IP address would be counted into that rate limit as a whole, effectively bringing down the entire server and rendering it effectively useless to the outside world and also making the server virtually unable to function except for exclusive connections to the IP you specified!

    Not exactly what you were intending ey? ;)

    If you were going to blindly rate limit the CPANEL connections to the default then I would probably do a variation of what you said something more along the lines of the following:
    Code:
    iptables -A INPUT -s ! x.x.x.x -p tcp --dport 2082:2087 -m limit
    There you have it fans! Blocking or rate limiting connections to Cpanel except for one address or CIDR range!
     
    #8 Spiral, Jul 22, 2009
    Last edited: Jul 22, 2009
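
The "open the ports to specific IP addresses, block the rest" approach from chirpy's reply, generalised from Spiral's single negated rule to several admin addresses. This is an added example, not code from any poster in the thread: it only prints the commands for review, the chain name CPANEL_ADMIN and the sample addresses are assumptions, and the port range is the one used in the thread.

```bash
# Added example: prints iptables commands for review; it changes nothing itself.
# CPANEL_ADMIN is a hypothetical chain name; 2082:2087 is the range from the thread.
CHAIN="CPANEL_ADMIN"
PORTS="2082:2087"

# Accept only a literal IPv4 address with an optional /0-32 prefix. Hostnames
# (resolved once, at insert time) and shell metacharacters are rejected,
# since the output is meant to be piped to a root shell.
valid_source() {
    local addr octet count IFS
    addr="${1%%/*}"; count=0
    case "$1" in
        */*) case "${1#*/}" in ''|*[!0-9]*) return 1 ;; esac
             [ "${1#*/}" -le 32 ] 2>/dev/null || return 1 ;;
    esac
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.
    for octet in $addr; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Print rules that accept the listed sources on the cPanel/WHM ports and drop
# everyone else. The chain is filled before it is hooked into INPUT, and the
# hook uses -I so it is evaluated before any earlier ACCEPT for these ports
# (a rule appended with -A never matches if such an ACCEPT precedes it).
cpanel_allowlist_rules() {
    local src
    [ "$#" -ge 1 ] || { echo "usage: cpanel_allowlist_rules SOURCE..." >&2; return 2; }
    for src in "$@"; do
        valid_source "$src" || { echo "rejected source: $src" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"
    echo "iptables -I INPUT -p tcp --dport $PORTS -j $CHAIN"
    # iptables filters IPv4 only; assumption: no admin connects over IPv6.
    echo "ip6tables -I INPUT -p tcp --dport $PORTS -j DROP"
}

# Constructed sample sources (documentation address ranges).
cpanel_allowlist_rules 203.0.113.10 198.51.100.0/24
```

Review the printed commands before piping them to `sh` as root. On a later run, remove the old INPUT hook and chain first, because `iptables -N` fails when the chain already exists.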