Question about hosts.allow / hosts.deny

Discussion in 'Security' started by Mark_CFH, Jun 11, 2014.

  1. Mark_CFH

    Mark_CFH Well-Known Member

    Joined:
    Apr 2, 2013
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    We have recently set up the hosts.allow / hosts.deny files.

    On the hosts.allow file we have added our IPs and access to everything (obviously, we need it) =\

    On the hosts.deny file we have added ALL : ALL; however, when we try to go to a cPanel login, we get a 401 no permission, which can only lead me to believe that all of our clients are blocked as well.

    How do we use these files, but also allow our clients to be able to access their own cPanel? Even if we go through WHM and go to the user's cPanel that way, it is also a 401 no permission.


    (On another note)
    One of our staff is blocked from everything even though we have his IP added to the allow list (the same way as ours is); he is unable to access anything. (Yes, we checked his IP to make sure it was correct, and it is.)
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    652
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I suggest handling the access solely through the /etc/hosts.allow file. The hosts.deny file itself is not necessary. You can use the WHM user interface if you prefer:

    Host Access Control

    Thank you.
     
  3. Mark_CFH

    Here is what's on the hosts.allow file:

    Code:
    sshd : my IP : allow
    sshd : staff IP : allow
    sshd : staff IP : allow
    whostmgrd: my IP : allow
    whostmgrd : staff IP : allow
    whostmgrd : staff IP : allow
    cpaneld : My IP : allow
    cpaneld : staff IP : allow
    cpaneld : staff IP : allow
    ALL : ALL : deny
    
    Is this the correct way?
     
  4. Mark_CFH

    Is there some way to allow "clients" on the server to be able to access their cPanel (as well as resellers to access their reseller login), but block out all others?
     
  5. cPanelMichael

    The hosts.allow snippet you provided looks fine. You could whitelist the client's IP address for cpaneld the same way you did for your own IP address in /etc/hosts.allow.

    Thank you.
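
Added example (not part of the original thread, and not cPanel's or TCP Wrappers' own code): a small Python model of how the rule order in the /etc/hosts.allow snippet above is evaluated, showing why a client needs its own cpaneld rule placed before the final ALL : ALL : deny. The IP addresses are constructed documentation addresses, and the matcher covers only ALL, exact IPv4 addresses and trailing-dot prefixes.

```python
# Constructed rules in the thread's "daemon : client : allow|deny" form.
# 203.0.113.10 (staff) and 198.51.100.7 (client) are documentation addresses.
STAFF_ONLY = """\
sshd : 203.0.113.10 : allow
whostmgrd : 203.0.113.10 : allow
cpaneld : 203.0.113.10 : allow
ALL : ALL : deny
"""
CLIENT_RULE = "cpaneld : 198.51.100.7 : allow"

def parse_rules(text):
    """Return (daemons, clients, action) tuples in file order (IPv4 only)."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue  # blank line, comment or malformed rule
        action = fields[2].lower() if len(fields) > 2 else "allow"
        daemons, clients = (f.replace(",", " ").split() for f in fields[:2])
        rules.append((daemons, clients, action))
    return rules

def client_matches(pattern, ip):
    """Subset of the pattern language: ALL, 'a.b.c.' prefix, exact address."""
    if pattern == "ALL":
        return True
    return ip.startswith(pattern) if pattern.endswith(".") else ip == pattern

def check_access(rules, daemon, ip):
    """The first rule matching daemon and client decides; the rest are skipped."""
    for daemons, clients, action in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(c, ip) for c in clients):
            return action
    return "allow"  # nothing matched and no hosts.deny entries are in use

def with_rule(text, rule, before_catch_all=True):
    lines = text.splitlines()  # the last line is the ALL : ALL : deny catch-all
    lines.insert(len(lines) - 1 if before_catch_all else len(lines), rule)
    return "\n".join(lines)

if __name__ == "__main__":
    cases = {"staff-only rules": STAFF_ONLY,
             "client rule before catch-all": with_rule(STAFF_ONLY, CLIENT_RULE),
             "client rule after catch-all": with_rule(STAFF_ONLY, CLIENT_RULE, False)}
    for label, text in cases.items():
        rules = parse_rules(text)
        print(label, {d: check_access(rules, d, "198.51.100.7")
                      for d in ("cpaneld", "whostmgrd")})
```

A rule appended after the catch-all never takes effect, and the client rule for cpaneld leaves whostmgrd closed to that address.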
     
  6. Mark_CFH

    For resellers, wouldn't they need to be able to access their WHM as well though?

    I think WHM needs to have 2 separate setups or something... Something you can use to block out root / WHM and not harm cPanel users or reseller users... Or as suggested elsewhere on here... the 2 Auth...
     
  7. cPanelMichael

    Right, you would have to add separate rules for IP access to whostmgrd. It's not possible to limit access based on the username of the account (e.g. resellers vs root). The two-factor authentication you reference is open as a feature request here:

    Two-factor Authentication

    Thank you.
     
  8. Mark_CFH

    Yeah, I have already "voted" on that several days ago :D


    They should make that possible. It would make security so much better with something like that, using a client's "username" instead of IP addresses... As some people have dynamic IPs, which would make server owners have to change that IP all the time.
     
  9. cPanelMichael
