Is there a way to block total server access to all but one IP?

WebHostPro · Oct 10, 2020

I have a server we need to block all access to but a single IP.

Any idea how I can do this? I believe it would be with CSF or directly with IP tables.

Ideally I would like to do it in WHM.

kodeslogic · Oct 10, 2020

I am guessing that you want to allow SSH access for one specific IP address and want to block SSH access to any other. If I got your query correct then below are the steps:

Step 1

For that, you need to add an entry to /etc/hosts.allow file

Code:

vi /etc/hosts.allow

add the following lines to allow the whitelisted IP

Code:

sshd: 1.3.6.4

Replace "1.3.6.4" with the IP address you wish to allow SSH access

Step 2

Open up /etc/hosts.allow file

Code:

vi /etc/hosts.deny

and add the following lines to deny all SSH connections

Code:

sshd: ALL

This will block all incoming SSH requests on your SSH port except IP you mentioned in /etc/hosts.allow file

cPJeremy · Oct 10, 2020

Hello!

Firstly, the information above mentioned by kodeslogic is helpful and this is an option you can use. However, you can also make these edits by going to WHM's Home »Security Center »Host Access Control. The edits made here will be reflected to the /etc/hosts.allow file. From there, you can set rules to allow your IP to access "sshd" and "whostmgrd" or any other service you require access to. To see a full list of services that you permit access to from this section, you can see our documentation on this here:

cPanel Documentation | Host Access Control

Secondly, I did want to mention that you are correct that you can use CSF to make these changes. However, I believe that the default action is for CSF to deny all SSH connections unless the incoming IP is specifically allowed. It may be best to contact CSF for any questions regarding their Firewall software. However what you may be able to do is install CSF and go to the WHM plugin. Use the "Quick Allow" option to add your IP to be whitelisted in the firewall. Once your IP is whitelisted, you can add a firewall block deny rule by using the "Quick Deny" for the IP range: 0.0.0.0/0

Please note, normally we would not suggest doing this but it can be done doing the above. More information on why this is, and other options you can take is mentioned in the forums post here:

Block all IP Addresses CSF

I hope this helps! Please let us know if we can do anything else to help you.

WebHostPro · Oct 10, 2020

kodeslogic said:
I am guessing that you want to allow SSH access for one specific IP address and want to block SSH access to any other. If I got your query correct then below are the steps:

Step 1

For that, you need to add an entry to /etc/hosts.allow file

Code:

vi /etc/hosts.allow

add the following lines to allow the whitelisted IP

Code:

sshd: 1.3.6.4

Step 2

Open up /etc/hosts.allow file

Code:

vi /etc/hosts.deny

and add the following lines to deny all SSH connections

Code:

sshd: ALL

This will block all incoming SSH requests on your SSH port except IP you mentioned in /etc/hosts.allow file

Thanks, but we want to block all access to one IP. This means you could not ping it unless you are using the one allowed IP.

Code:

I have a server we need to block all access to but a single IP.
[/QUOTE]

cPanelAxel · Oct 11, 2020

Hi,

If you want to block access completely to an IP, then this would be performed at the firewall level, such as with iptables, or CSF if you want to use the interface.

If you want to block a single IP, this can be easily done in CSF.

However, I would not recommend blocking access to all IP's except a single one for all services as this can either cause certain services to not function properly if external connections can't reach your server or may lead to the risk of potentially being locked out of the server unless you have console access.

With that said, you may want to ask in the CSF forums for recommendations if you are looking to do this.

kodeslogic · Oct 11, 2020

For single IP address

Code:

csf -d 1.3.6.4 "Add your comments for blocking"

Replace "1.3.6.4" with the IP address you want to block

WebHostPro · Oct 12, 2020

cPanelAxel said:
Hi,

If you want to block access completely to an IP, then this would be performed at the firewall level, such as with iptables, or CSF if you want to use the interface.

If you want to block a single IP, this can be easily done in CSF.

However, I would not recommend blocking access to all IP's except a single one for all services as this can either cause certain services to not function properly if external connections can't reach your server or may lead to the risk of potentially being locked out of the server unless you have console access.

With that said, you may want to ask in the CSF forums for recommendations if you are looking to do this.

O.k. thanks, I'll ask the CSF forums.

keat63 · Oct 13, 2020

What exactly are you trying to achieve.
I understand that you want to block access to all except 1 IP ??
If so, for what purpose ?

WebHostPro · Oct 13, 2020

keat63 said:
What exactly are you trying to achieve.
I understand that you want to block access to all except 1 IP ??
If so, for what purpose ?

Hi,

I have a server that is not allowed to be open into the public. The only access to the server that is allowed is from one IP.

The is just for backup access purposes, I realize many services will not work once all other access is blocked.

I'm trying to do a total block of the server in and out other than for one IP.

keat63 · Oct 14, 2020

This should work

The first thing to do would be to whitelist your IP address in the CSF allow list.
In fact, I'd even go as far as trying to set up another IP, just in case.
Maybe your home IP if it's static, even if it's dynamic, give yourself a means of getting back in today, if something goes wrong.

Contact your data centre and maybe obtain their support team IP range also.
The last thing you want to do is inadvertently lock yourself out, with no other means of getting back in.

Then in CSF Config "Allow incoming TCP ports", and " Allow outgoing TCP ports " I'd just remove all ports.
Copy (or screenshot) the port numbers, so you could roll back easily if needed.

The CSF allow list should bypass the missing port numbers, allowing only your IP address (or any others in the allow list).

If you want to test beforehand, maybe try closing a few ports at a time.

Michael-Inet · Oct 17, 2020

keat63 said:
Then in CSF Config "Allow incoming TCP ports", and " Allow outgoing TCP ports " I'd just remove all ports.
Copy (or screenshot) the port numbers, so you could roll back easily if needed.

WHM »Home »Plugins »ConfigServer Security & Firewall
Firewall Profiles: Apply pre-configured csf.conf profiles and backup/restore csf.conf

And what everyone else said:

- Have at least one other static IP that you whitelist, my preference would be 3 others (other VPSs you own, etc.)

Thread starter	Similar threads	Forum	Replies	Date
T	Looks like mod_security is blocking a file but cannot find where or find it in logs	Web Servers and Applications	12	Mar 11, 2023
	Nginx blocking WordPress admin bars again :(	Web Servers and Applications	1	Mar 2, 2022
V	Need .htaccess rule to block /secured/ folder access	Web Servers and Applications	3	Feb 16, 2021
N	PHP-FPM block my websites with php7.4	Web Servers and Applications	3	Dec 29, 2020
C	Block external access from Nginx	Web Servers and Applications	1	Dec 28, 2020

Search

Search

Is there a way to block total server access to all but one IP?

WebHostPro

Well-Known Member

kodeslogic

Well-Known Member

cPJeremy

Technical Analyst

WebHostPro

Well-Known Member

cPanelAxel

Team Lead Technical Analyst

kodeslogic

Well-Known Member

WebHostPro

Well-Known Member

keat63

Well-Known Member

WebHostPro

Well-Known Member

keat63

Well-Known Member

Michael-Inet

Well-Known Member