Restrict WHM Access by IP

LGRCompEnt

Registered
Apr 11, 2005
4
0
151
I tried searching on Google and here but did not find a way to do this yet. Is it possible to restrict access to WHM by IP address? Only allowing IP's from my country/state and denying all other world IP's?

Thanks
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,212
13
313
Houston, TX
cPanel Access Level
Root Administrator
I tried searching on Google and here but did not find a way to do this yet. Is it possible to restrict access to WHM by IP address? Only allowing IP's from my country/state and denying all other world IP's?

Thanks
One way I can think of doing this is using Host Access Control in the WHM interface.

In case you lock yourself out accidentally, realize this is just a GUI for /etc/hosts.allow and /etc/hosts.deny
 

Xavior82

Active Member
PartnerNOC
Oct 5, 2006
30
0
156
Montreal
Locking down CPanel / WHM

Hi,

I would like to be able to lock down all CPanel / WHM accesses having root priviledges by limiting access to specific IP addresses.

Most solutions I've seen posted online are either vague or involve configuring firewall rules, which I'm guessing will apply to ALL cpanel / WHM accesses on that server instead of only the root CPanel/WHM accesses. I would be particularly interested in a solution implemented at the application level instead of the server configuration level. So any advice on this would be much appreciated!

Thanks.
 

cosminm

Member
Jul 7, 2010
5
0
51
Craiova, Romania
Hello,

I'm looking for the same solution, to limit root access to whm just to a specific IP/subnet. No luck yet. Any advice would be greatly appreciated.
Thank you!
 

Miraenda

Well-Known Member
Jul 28, 2004
243
5
168
Coralville, Iowa USA
cPanel Access Level
Root Administrator
You can do this in Host Access Control area in WHM. It's the easier way to do it and pretty straightforward to setup.

Simply put the following into WHM > Host Access Control area:

Code:
Daemon     Access List   Action  	Comment
whostmgrd  YourIP        allow
whostmgrd  all           deny
The allow line(s) must be above the deny ones or else you will block yourself out of WHM on the machine and need to edit /etc/hosts.allow in root SSH to unlock WHM. You can put a range for the IP section as well, so 74.74.74.0/24 if your IP were in the 74.74.74.1-74.74.74.254 range. If you had an even larger dynamic range, you could do 74.74.0.0/16 to handle it where 74.74 is the first two octets of the IP range.
 

Miraenda

Well-Known Member
Jul 28, 2004
243
5
168
Coralville, Iowa USA
cPanel Access Level
Root Administrator
No, it will restrict WHM access period. You will need to add the IPs for the Resellers in Host Access Control for them to access WHM.

I don't know what other users you mean here. It doesn't restrict cPanel access, only WHM, and the only kinds of users that exist for WHM access are root and Reseller (even a Reseller with root privileges is still a Reseller user as the user is setup in Reseller Center, which by definition makes them a Reseller).
 
Last edited:

cosminm

Member
Jul 7, 2010
5
0
51
Craiova, Romania
Thank you, this is the answer I was looking for! So there isn't a solution for what I want. I am new to cpanel/whm and used to Plesk, wich has feature called "Control Panel Access". Well, ok, thank you for clarifying, have a nice day!
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,212
13
313
Houston, TX
cPanel Access Level
Root Administrator
Hello,

Thank you for your answer.
And this should restrict the access to whm ONLY for root?
I don't want the other users/resellers to be affected.
This issue looks like it will be best addressed by the Security Policy functionality we are introducing in 11.26 (currently designated 11.25.1).

You can monitor the progress of this implementation at http://go.cPanel.net/progress
 

TheHeartSmasher

Active Member
Jul 14, 2006
28
0
151
This issue looks like it will be best addressed by the Security Policy functionality we are introducing in 11.26 (currently designated 11.25.1).

You can monitor the progress of this implementation at Software Releases - cPanel Inc.
For this I would also recommend adding the following option and store security questions and answers as encrypted values or have the ability to disable this option. As the secret question is now becoming a problem due to it being the same thing for many services and easier to guess by social engineering then a password is now.

New security feature(s):
1. When a user logs in check their IP address, if it is not on a whitelist that the user has setup send an email to their email account with a description of the login and a link to add that IP to their whitelist. But only show this after the proper credentials have been used (username and password).

Example:
Attention [username],

An attempt to login to your account from the following address was not allowed due to the address not being on your whitelist.

IP:
1.2.3.4

Hostname:
4.2.3.1.hostname.com

To authorize the IP to login to your account please use the following link:
https://example.com:2083/authorize/...537D92DA8F68BC11174DBDBE437E91D21B54E8D1F1AC6

If this is an unauthorized iP please contact support and report the issue.
2. Have a list of cPanel,WHM, FTP, SFTP/SSH logins in the Security Center (label it Login Logs) for the system administrators. Maybe having an option to clear the logs after x amount of months but nothing set by default.

3.For the clients cPanel allow them to view all logins to their account and not prune these records.

If these logs are large, add the ability to have a cron run at regular intervals to query this information and store it in a database.
 
Last edited:

Infopro

Well-Known Member
May 20, 2003
17,090
519
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Important cPanel/WHM Version Number Designation Change

Please Note: Important cPanel/WHM Version Number Designation Change

As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
Important cPanel/WHM Version Number Designation Change (To be updated)

This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
 

sunardi

Registered
May 18, 2006
1
0
151
Need advise on /etc/hosts.allow, please

Hi,

I am trying to limit access for my vps, centos 5.x 32bit with Current cPanel,
and I did modified my /etc/hosts.allow below but I do not know whether it is
correctly running or not as I did check /var/log/secure and /var/log/messages
but no trace of hosts.allow messages

Please kindly help and correct me, your help would be highly appreciated, TIA!

Best Regards,
Sunardi


#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL : my.internet.ip : allow
ALL : KNOWN : RFC931 12 : umask 022
ALL : PARANOID : RFC931 12 : deny
ALL : UNKNOWN : RFC931 12 : deny
ALL : bad.host : deny
ALL : 127.0.0.1 : allow
cpaneld : localhost : user root.cpanel : allow
cpaneld : ALL : deny
domain : localhost : user named.named : allow
domain : ALL : deny
imap : localhost : user mailnull.mail : allow
imap : ALL : deny
mysql : localhost : user root.mysql : allow
mysql : ALL : deny
pop3 : localhost : user mailnull.mail : allow
pop3 : ALL : deny
smtp : localhost localdomain : user root.mail : allow
smtp : ALL : deny
whostmgrd : localhost : user root.cpanel : allow
whostmgrd : ALL : deny
cpdavd : ALL : deny
ftp : ALL : deny
postgresql : ALL : deny
snmp : ALL : deny
sshd : ALL : deny
telnet : ALL : deny
ALL : ALL : deny
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
If you are unable to access WHM and sshd, then someone with physical access to the machine will need to log into it to remove the /etc/hosts.allow lines for sshd that are preventing access.