Question about hosts.allow / hosts.deny

[Mark_CFH]

We have recently setup the hosts.allow / hosts.deny files

On the hosts.allow file we have added our IPs and access to everything (obviously, we need it) =\

On the hosts.deny file we have added ALL : ALL, however, when we try to goto a cPanel login, we get a 401 no permission, which can only lead me to believe that all of our clients are blocked as well.

How do we use these files, but also allow our clients to be able to access their own cPanel ? Even if we go through WHM and goto the users cPanel that way, it is also a 401 no permission.


(On another note)
One of our staff is blocked from everything even though we have his IP added to the allow list (the same way as ours is), he is unable to access anything (Yes, we checked his IP to make sure it was correct, and it is)

 

[cPanelMichael]

Hello

I suggest handling the access solely through the /etc/hosts.allow file. The hosts.deny file itself is not necessary. You can use the WHM user interface if you prefer:

Host Access Control

Thank you.

 

[Mark_CFH]

Here is whats on the hosts.allow file:

sshd : my IP : allow
sshd : staff IP : allow
sshd : staff IP : allow
whostmgrd: my IP : allow
whostmgrd : staff IP : allow
whostmgrd : staff IP : allow
cpaneld : My IP : allow
cpaneld : staff IP : allow
cpaneld : staff IP : allow
ALL : ALL : deny

Is this the correct way ?

 

[Mark_CFH]

Is there someway to allow "clients" on the server to be able to access their cPanel (as well as resellers to access their reseller login), but block out all others ?

 

[cPanelMichael]

The hosts.allow snippet you provided looks fine. You could whitelist the client's IP address for cpaneld the same way you did for your own IP address in /etc/hosts.allow.

Thank you.

 

[Mark_CFH]

For resellers, wouldnt they need to be able to access their WHM as well though?

I think WHM needs to have 2 separate setups or something... Something you can use to blocked out root / whm and not harm cpanel users or reseller users...Or as suggested else where on here... the 2 Auth...

 

[cPanelMichael]

Right, you would have to add separate rules for IP access to whostmgrd. It's not possible to limit access based on the username of the account (e.g. resellers vs root). The two-factor authentication you reference is open as a feature request here:

Two-factor Authentication

Thank you.

 

[Mark_CFH]

The two-factor authentication you reference is open as a feature request here:

Two-factor Authentication

Thank you.

Yeah, I have already "voted" on that several days ago :D

It's not possible to limit access based on the username of the account (e.g. resellers vs root).

They should make that possible. it would make security so much better with something like that, using a clients "username" instead of IP address's... As some people have Dynamic IPs, which would make server owners have to change that Ip all the time.

 

[cPanelMichael]

You are welcome to submit a feature request for that type of functionality:

Submit A New Feature Request

Thank you.