Restrict WHM Access by IP

Discussion in 'General Discussion' started by LGRCompEnt, May 29, 2009.

  1. LGRCompEnt

    LGRCompEnt Registered

    I tried searching on Google and here but did not find a way to do this yet. Is it possible to restrict access to WHM by IP address? Only allowing IPs from my country/state and denying all other world IPs?

    Thanks
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    One way I can think of doing this is using Host Access Control in the WHM interface.

    In case you lock yourself out accidentally, realize this is just a GUI for /etc/hosts.allow and /etc/hosts.deny
     
  3. Xavior82

    Xavior82 Active Member
    Locking down CPanel / WHM

    Hi,

    I would like to be able to lock down all CPanel / WHM accesses having root privileges by limiting access to specific IP addresses.

    Most solutions I've seen posted online are either vague or involve configuring firewall rules, which I'm guessing will apply to ALL cpanel / WHM accesses on that server instead of only the root CPanel/WHM accesses. I would be particularly interested in a solution implemented at the application level instead of the server configuration level. So any advice on this would be much appreciated!

    Thanks.
     
  4. cosminm

    cosminm Member

    Hello,

    I'm looking for the same solution, to limit root access to whm just to a specific IP/subnet. No luck yet. Any advice would be greatly appreciated.
    Thank you!
     
  5. Miraenda

    Miraenda Well-Known Member

    You can do this in the Host Access Control area in WHM. It's the easier way to do it and pretty straightforward to set up.

    Simply put the following into WHM > Host Access Control area:

    Code:
    Daemon     Access List   Action   Comment
    whostmgrd  YourIP        allow
    whostmgrd  all           deny

    The allow line(s) must be above the deny ones or else you will block yourself out of WHM on the machine and need to edit /etc/hosts.allow in root SSH to unlock WHM. You can put a range for the IP section as well, so 74.74.74.0/24 if your IP were in the 74.74.74.1-74.74.74.254 range. If you had an even larger dynamic range, you could do 74.74.0.0/16 to handle it where 74.74 is the first two octets of the IP range.
     
  6. cosminm

    cosminm Member

    Hello,

    Thank you for your answer.
    And this should restrict the access to whm ONLY for root?
    I don't want the other users/resellers to be affected.
     
  7. Miraenda

    Miraenda Well-Known Member

    No, it will restrict WHM access period. You will need to add the IPs for the Resellers in Host Access Control for them to access WHM.

    I don't know what other users you mean here. It doesn't restrict cPanel access, only WHM, and the only kinds of users that exist for WHM access are root and Reseller (even a Reseller with root privileges is still a Reseller user as the user is set up in Reseller Center, which by definition makes them a Reseller).
     
    #8 Miraenda, Jul 8, 2010
    Last edited: Jul 8, 2010
  8. cosminm

    cosminm Member

    Thank you, this is the answer I was looking for! So there isn't a solution for what I want. I am new to cpanel/whm and used to Plesk, which has a feature called "Control Panel Access". Well, ok, thank you for clarifying, have a nice day!
     
  9. Miraenda

    Miraenda Well-Known Member

    You're welcome and I'm sorry that the existing options for Host Access Control don't allow this functionality.
     
  10. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    This issue looks like it will be best addressed by the Security Policy functionality we are introducing in 11.26 (currently designated 11.25.1).

    You can monitor the progress of this implementation at http://go.cPanel.net/progress
     
  11. cosminm

    cosminm Member

    Thank you for the info. I see horde will be upgraded too, which is great :) I was waiting for this new look of it.
     
  12. sierrablue

    sierrablue Member

    As of "11.25.0-RELEASE_46156" Host Access Control does not support CIDR notations. Netmasking only.

    Hence 74.74.0.0/16 -> 74.74.0.0/255.255.0.0
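
Added example, not part of the original thread and not cPanel's code: a small Python model of the first-match rule ordering Miraenda describes and of the CIDR-to-netmask rewrite in the post above. It assumes IPv4, an empty /etc/hosts.deny, and the three-field `daemon : client : allow|deny` form; 203.0.113.10 and 198.51.100.7 are constructed sample addresses.

```python
import ipaddress

def cidr_to_netmask(cidr: str) -> str:
    """Rewrite 'a.b.c.d/nn' as 'a.b.c.d/m.m.m.m' (net/mask form)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address}/{net.netmask}"

def parse_rules(text: str):
    """Parse 'daemon : client : allow|deny' lines; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, client, action = (f.strip() for f in line.split(":"))
        rules.append((daemon, client, action.lower()))
    return rules

def client_matches(pattern: str, ip: str) -> bool:
    if pattern.upper() == "ALL":
        return True
    # ip_network accepts a bare address as well as net/mask notation
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def decide(rules, daemon: str, ip: str) -> str:
    """First matching rule wins; with no match, access is granted
    (assumption: nothing in hosts.deny)."""
    for d, pattern, action in rules:
        if d in (daemon, "ALL") and client_matches(pattern, ip):
            return action
    return "allow"

# Constructed rule lists: allow lines above the deny line, then the reverse.
GOOD = """
whostmgrd : 203.0.113.10 : allow
whostmgrd : 74.74.0.0/255.255.0.0 : allow
whostmgrd : ALL : deny
"""
BAD = """
whostmgrd : ALL : deny
whostmgrd : 203.0.113.10 : allow
"""

if __name__ == "__main__":
    print(cidr_to_netmask("74.74.0.0/16"))
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        for ip in ("203.0.113.10", "74.74.200.5", "198.51.100.7"):
            print(name, ip, decide(parse_rules(text), "whostmgrd", ip))
```

Running `decide` against a proposed rule list with your own address before saving it shows whether you would still reach whostmgrd, or sshd if you add rules for it.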
     
  13. TheHeartSmasher

    TheHeartSmasher Active Member

    For this I would also recommend adding the following option and store security questions and answers as encrypted values or have the ability to disable this option. As the secret question is now becoming a problem due to it being the same thing for many services and easier to guess by social engineering than a password is now.

    New security feature(s):
    1. When a user logs in check their IP address, if it is not on a whitelist that the user has set up send an email to their email account with a description of the login and a link to add that IP to their whitelist. But only show this after the proper credentials have been used (username and password).

    Example:
    2. Have a list of cPanel, WHM, FTP, SFTP/SSH logins in the Security Center (label it Login Logs) for the system administrators. Maybe having an option to clear the logs after x amount of months but nothing set by default.

    3. For the clients cPanel allow them to view all logins to their account and not prune these records.

    If these logs are large, add the ability to have a cron run at regular intervals to query this information and store it in a database.
     
    #14 TheHeartSmasher, Jul 21, 2010
    Last edited: Jul 21, 2010
  14. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Important cPanel/WHM Version Number Designation Change

    Please Note: Important cPanel/WHM Version Number Designation Change

    As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

    Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

    These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

    An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
    Important cPanel/WHM Version Number Designation Change (To be updated)

    This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
     
  15. sunardi

    sunardi Registered

    Need advice on /etc/hosts.allow, please

    Hi,

    I am trying to limit access for my vps, centos 5.x 32bit with current cPanel, and I did modify my /etc/hosts.allow as below, but I do not know whether it is running correctly or not, as I did check /var/log/secure and /var/log/messages but found no trace of hosts.allow messages.

    Please kindly help and correct me, your help would be highly appreciated, TIA!

    Best Regards,
    Sunardi


    #
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow. In particular
    # you should know that NFS uses portmap!
    #
    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    ALL : my.internet.ip : allow
    ALL : KNOWN : RFC931 12 : umask 022
    ALL : PARANOID : RFC931 12 : deny
    ALL : UNKNOWN : RFC931 12 : deny
    ALL : bad.host : deny
    ALL : 127.0.0.1 : allow
    cpaneld : localhost : user root.cpanel : allow
    cpaneld : ALL : deny
    domain : localhost : user named.named : allow
    domain : ALL : deny
    imap : localhost : user mailnull.mail : allow
    imap : ALL : deny
    mysql : localhost : user root.mysql : allow
    mysql : ALL : deny
    pop3 : localhost : user mailnull.mail : allow
    pop3 : ALL : deny
    smtp : localhost localdomain : user root.mail : allow
    smtp : ALL : deny
    whostmgrd : localhost : user root.cpanel : allow
    whostmgrd : ALL : deny
    cpdavd : ALL : deny
    ftp : ALL : deny
    postgresql : ALL : deny
    snmp : ALL : deny
    sshd : ALL : deny
    telnet : ALL : deny
    ALL : ALL : deny
     
  16. rouhost

    rouhost Registered

    My problem is

    I'm blocked with sshd too!!

    What should I do?
     
  17. storminternet

    storminternet Well-Known Member

    Log in to WHM if you are able to access WHM and remove the ssh restriction for your IP from Main >> Security Center >> Host Access Control
     
  18. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    If you are unable to access WHM and sshd, then someone with physical access to the machine will need to log into it to remove the /etc/hosts.allow lines for sshd that are preventing access.
     