Is there a way to block total server access to all but one IP?

Operating System & Version
CentOS
cPanel & WHM Version
v90.0.14

kodeslogic

Well-Known Member
Apr 26, 2020
53
14
83
IN
cPanel Access Level
Root Administrator
I am guessing that you want to allow SSH access for one specific IP address and want to block SSH access to any other. If I got your query correct then below are the steps:

Step 1

For that, you need to add an entry to /etc/hosts.allow file
Code:
vi /etc/hosts.allow
add the following lines to allow the whitelisted IP
Code:
sshd: 1.3.6.4
Replace "1.3.6.4" with the IP address you wish to allow SSH access
Step 2

Open up /etc/hosts.allow file
Code:
vi /etc/hosts.deny
and add the following lines to deny all SSH connections
Code:
sshd: ALL
This will block all incoming SSH requests on your SSH port except IP you mentioned in /etc/hosts.allow file
 

cPJeremy

Technical Analyst
Staff member
Feb 13, 2019
55
2
83
Houston TX
cPanel Access Level
Root Administrator
Hello!

Firstly, the information above mentioned by kodeslogic is helpful and this is an option you can use. However, you can also make these edits by going to WHM's Home »Security Center »Host Access Control. The edits made here will be reflected to the /etc/hosts.allow file. From there, you can set rules to allow your IP to access "sshd" and "whostmgrd" or any other service you require access to. To see a full list of services that you permit access to from this section, you can see our documentation on this here:

cPanel Documentation | Host Access Control

Secondly, I did want to mention that you are correct that you can use CSF to make these changes. However, I believe that the default action is for CSF to deny all SSH connections unless the incoming IP is specifically allowed. It may be best to contact CSF for any questions regarding their Firewall software. However what you may be able to do is install CSF and go to the WHM plugin. Use the "Quick Allow" option to add your IP to be whitelisted in the firewall. Once your IP is whitelisted, you can add a firewall block deny rule by using the "Quick Deny" for the IP range: 0.0.0.0/0

Please note, normally we would not suggest doing this but it can be done doing the above. More information on why this is, and other options you can take is mentioned in the forums post here:

Block all IP Addresses CSF

I hope this helps! Please let us know if we can do anything else to help you.
 

WebHostPro

Well-Known Member
PartnerNOC
Jul 28, 2002
1,720
26
328
LA, Costa RIca
cPanel Access Level
Root Administrator
Twitter
I am guessing that you want to allow SSH access for one specific IP address and want to block SSH access to any other. If I got your query correct then below are the steps:

Step 1

For that, you need to add an entry to /etc/hosts.allow file
Code:
vi /etc/hosts.allow
add the following lines to allow the whitelisted IP
Code:
sshd: 1.3.6.4


Step 2

Open up /etc/hosts.allow file
Code:
vi /etc/hosts.deny
and add the following lines to deny all SSH connections
Code:
sshd: ALL
This will block all incoming SSH requests on your SSH port except IP you mentioned in /etc/hosts.allow file

Thanks, but we want to block all access to one IP. This means you could not ping it unless you are using the one allowed IP.


Code:
I have a server we need to block all access to but a single IP.
[/QUOTE]
 

cPanelAxel

Team Lead Technical Analyst
Staff member
Jan 3, 2019
19
3
78
Houston
cPanel Access Level
Root Administrator
Hi,

If you want to block access completely to an IP, then this would be performed at the firewall level, such as with iptables, or CSF if you want to use the interface.

If you want to block a single IP, this can be easily done in CSF.

However, I would not recommend blocking access to all IP's except a single one for all services as this can either cause certain services to not function properly if external connections can't reach your server or may lead to the risk of potentially being locked out of the server unless you have console access.

With that said, you may want to ask in the CSF forums for recommendations if you are looking to do this.
 
  • Like
Reactions: WebHostPro

WebHostPro

Well-Known Member
PartnerNOC
Jul 28, 2002
1,720
26
328
LA, Costa RIca
cPanel Access Level
Root Administrator
Twitter
Hi,

If you want to block access completely to an IP, then this would be performed at the firewall level, such as with iptables, or CSF if you want to use the interface.

If you want to block a single IP, this can be easily done in CSF.

However, I would not recommend blocking access to all IP's except a single one for all services as this can either cause certain services to not function properly if external connections can't reach your server or may lead to the risk of potentially being locked out of the server unless you have console access.

With that said, you may want to ask in the CSF forums for recommendations if you are looking to do this.
O.k. thanks, I'll ask the CSF forums.
 

WebHostPro

Well-Known Member
PartnerNOC
Jul 28, 2002
1,720
26
328
LA, Costa RIca
cPanel Access Level
Root Administrator
Twitter
What exactly are you trying to achieve.
I understand that you want to block access to all except 1 IP ??
If so, for what purpose ?
Hi,

I have a server that is not allowed to be open into the public. The only access to the server that is allowed is from one IP.

The is just for backup access purposes, I realize many services will not work once all other access is blocked.

I'm trying to do a total block of the server in and out other than for one IP.
 

keat63

Well-Known Member
Nov 20, 2014
1,795
204
93
cPanel Access Level
Root Administrator
This should work

The first thing to do would be to whitelist your IP address in the CSF allow list.
In fact, I'd even go as far as trying to set up another IP, just in case.
Maybe your home IP if it's static, even if it's dynamic, give yourself a means of getting back in today, if something goes wrong.

Contact your data centre and maybe obtain their support team IP range also.
The last thing you want to do is inadvertently lock yourself out, with no other means of getting back in.


Then in CSF Config "Allow incoming TCP ports", and " Allow outgoing TCP ports " I'd just remove all ports.
Copy (or screenshot) the port numbers, so you could roll back easily if needed.

The CSF allow list should bypass the missing port numbers, allowing only your IP address (or any others in the allow list).

If you want to test beforehand, maybe try closing a few ports at a time.
 
  • Like
Reactions: Michael-Inet

Michael-Inet

Well-Known Member
Feb 20, 2014
102
13
68
Austin, TX, USA
cPanel Access Level
Root Administrator
Then in CSF Config "Allow incoming TCP ports", and " Allow outgoing TCP ports " I'd just remove all ports.
Copy (or screenshot) the port numbers, so you could roll back easily if needed.
WHM »Home »Plugins »ConfigServer Security & Firewall
Firewall Profiles: Apply pre-configured csf.conf profiles and backup/restore csf.conf

And what everyone else said:

- Have at least one other static IP that you whitelist, my preference would be 3 others (other VPSs you own, etc.)