I tried searching on Google and here but did not find a way to do this yet. Is it possible to restrict access to WHM by IP address? Only allowing IP's from my country/state and denying all other world IP's?
Thanks
Thanks
One way I can think of doing this is using Host Access Control in the WHM interface.
In case you lock yourself out accidentally, realize this is just a GUI for /etc/hosts.allow and /etc/hosts.deny
Locking down CPanel / WHM
Hi,
I would like to be able to lock down all CPanel / WHM accesses having root priviledges by limiting access to specific IP addresses.
Most solutions I've seen posted online are either vague or involve configuring firewall rules, which I'm guessing will apply to ALL cpanel / WHM accesses on that server instead of only the root CPanel/WHM accesses. I would be particularly interested in a solution implemented at the application level instead of the server configuration level. So any advice on this would be much appreciated!
Thanks.
Hi,
I would like to be able to lock down all CPanel / WHM accesses having root priviledges by limiting access to specific IP addresses.
Most solutions I've seen posted online are either vague or involve configuring firewall rules, which I'm guessing will apply to ALL cpanel / WHM accesses on that server instead of only the root CPanel/WHM accesses. I would be particularly interested in a solution implemented at the application level instead of the server configuration level. So any advice on this would be much appreciated!
Thanks.
Hello,
I'm looking for the same solution, to limit root access to whm just to a specific IP/subnet. No luck yet. Any advice would be greatly appreciated.
Thank you!
I'm looking for the same solution, to limit root access to whm just to a specific IP/subnet. No luck yet. Any advice would be greatly appreciated.
Thank you!
You can do this in Host Access Control area in WHM. It's the easier way to do it and pretty straightforward to setup.
Simply put the following into WHM > Host Access Control area:
The allow line(s) must be above the deny ones or else you will block yourself out of WHM on the machine and need to edit /etc/hosts.allow in root SSH to unlock WHM. You can put a range for the IP section as well, so 74.74.74.0/24 if your IP were in the 74.74.74.1-74.74.74.254 range. If you had an even larger dynamic range, you could do 74.74.0.0/16 to handle it where 74.74 is the first two octets of the IP range.
Simply put the following into WHM > Host Access Control area:
Code:
Daemon Access List Action Comment
whostmgrd YourIP allow
whostmgrd all denyHello,
Thank you for your answer.
And this should restrict the access to whm ONLY for root?
I don't want the other users/resellers to be affected.
Thank you for your answer.
And this should restrict the access to whm ONLY for root?
I don't want the other users/resellers to be affected.
No, it will restrict WHM access period. You will need to add the IPs for the Resellers in Host Access Control for them to access WHM.
I don't know what other users you mean here. It doesn't restrict cPanel access, only WHM, and the only kinds of users that exist for WHM access are root and Reseller (even a Reseller with root privileges is still a Reseller user as the user is setup in Reseller Center, which by definition makes them a Reseller).
I don't know what other users you mean here. It doesn't restrict cPanel access, only WHM, and the only kinds of users that exist for WHM access are root and Reseller (even a Reseller with root privileges is still a Reseller user as the user is setup in Reseller Center, which by definition makes them a Reseller).
Last edited:
Thank you, this is the answer I was looking for! So there isn't a solution for what I want. I am new to cpanel/whm and used to Plesk, wich has feature called "Control Panel Access". Well, ok, thank you for clarifying, have a nice day!
You're welcome and I'm sorry that the existing options for Host Access Control don't allow this functionality.
This issue looks like it will be best addressed by the Security Policy functionality we are introducing in 11.26 (currently designated 11.25.1).
You can monitor the progress of this implementation at http://go.cPanel.net/progress
Thank you for the info. I see horde will be upgraded too, wich is great 
i was waiting for this new look of it.
i was waiting for this new look of it.As of "11.25.0-RELEASE_46156" Host Access Control does not support CIDR notations. Netmasking only.
Hence 74.74.0.0/16 -> 74.74.0.0/255.255.0.0
For this I would also recommend adding the following option and store security questions and answers as encrypted values or have the ability to disable this option. As the secret question is now becoming a problem due to it being the same thing for many services and easier to guess by social engineering then a password is now.
New security feature(s):
1. When a user logs in check their IP address, if it is not on a whitelist that the user has setup send an email to their email account with a description of the login and a link to add that IP to their whitelist. But only show this after the proper credentials have been used (username and password).
Example:
2. Have a list of cPanel,WHM, FTP, SFTP/SSH logins in the Security Center (label it Login Logs) for the system administrators. Maybe having an option to clear the logs after x amount of months but nothing set by default.
3.For the clients cPanel allow them to view all logins to their account and not prune these records.
If these logs are large, add the ability to have a cron run at regular intervals to query this information and store it in a database.
Last edited:
Infopro
Well-Known Member
Important cPanel/WHM Version Number Designation Change
Please Note: Important cPanel/WHM Version Number Designation Change
As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.
Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.
These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.
An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
Important cPanel/WHM Version Number Designation Change (To be updated)
This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
Please Note: Important cPanel/WHM Version Number Designation Change
As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.
Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.
These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.
An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
Important cPanel/WHM Version Number Designation Change (To be updated)
This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
Need advise on /etc/hosts.allow, please
Hi,
I am trying to limit access for my vps, centos 5.x 32bit with Current cPanel,
and I did modified my /etc/hosts.allow below but I do not know whether it is
correctly running or not as I did check /var/log/secure and /var/log/messages
but no trace of hosts.allow messages
Please kindly help and correct me, your help would be highly appreciated, TIA!
Best Regards,
Sunardi
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL : my.internet.ip : allow
ALL : KNOWN : RFC931 12 : umask 022
ALL : PARANOID : RFC931 12 : deny
ALL : UNKNOWN : RFC931 12 : deny
ALL : bad.host : deny
ALL : 127.0.0.1 : allow
cpaneld : localhost : user root.cpanel : allow
cpaneld : ALL : deny
domain : localhost : user named.named : allow
domain : ALL : deny
imap : localhost : user mailnull.mail : allow
imap : ALL : deny
mysql : localhost : user root.mysql : allow
mysql : ALL : deny
pop3 : localhost : user mailnull.mail : allow
pop3 : ALL : deny
smtp : localhost localdomain : user root.mail : allow
smtp : ALL : deny
whostmgrd : localhost : user root.cpanel : allow
whostmgrd : ALL : deny
cpdavd : ALL : deny
ftp : ALL : deny
postgresql : ALL : deny
snmp : ALL : deny
sshd : ALL : deny
telnet : ALL : deny
ALL : ALL : deny
Hi,
I am trying to limit access for my vps, centos 5.x 32bit with Current cPanel,
and I did modified my /etc/hosts.allow below but I do not know whether it is
correctly running or not as I did check /var/log/secure and /var/log/messages
but no trace of hosts.allow messages
Please kindly help and correct me, your help would be highly appreciated, TIA!
Best Regards,
Sunardi
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL : my.internet.ip : allow
ALL : KNOWN : RFC931 12 : umask 022
ALL : PARANOID : RFC931 12 : deny
ALL : UNKNOWN : RFC931 12 : deny
ALL : bad.host : deny
ALL : 127.0.0.1 : allow
cpaneld : localhost : user root.cpanel : allow
cpaneld : ALL : deny
domain : localhost : user named.named : allow
domain : ALL : deny
imap : localhost : user mailnull.mail : allow
imap : ALL : deny
mysql : localhost : user root.mysql : allow
mysql : ALL : deny
pop3 : localhost : user mailnull.mail : allow
pop3 : ALL : deny
smtp : localhost localdomain : user root.mail : allow
smtp : ALL : deny
whostmgrd : localhost : user root.cpanel : allow
whostmgrd : ALL : deny
cpdavd : ALL : deny
ftp : ALL : deny
postgresql : ALL : deny
snmp : ALL : deny
sshd : ALL : deny
telnet : ALL : deny
ALL : ALL : deny
Login to WHM if you are able to access WHM and remove ssh restriction for your IP from Main >> Security Center >> Host Access Control
If you are unable to access WHM and sshd, then someone with physical access to the machine will need to log into it to remove the /etc/hosts.allow lines for sshd that are preventing access.
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| H | Disable WHM terminal access or restrict it by IP? | Security | 8 | |
|
Remove Security Restricted Access for SSH/WHM? | Security | 4 | |
| A | Use a VPN to restrict access to WHM login and SSH | Security | 1 | |
| V | Restrict WHM access | Security | 0 | |
|
WHM Restrict Access | Security | 5 |