What will you do if you lock yourself out of WHM & cPanel?

Discussion in 'Security' started by ZMACKs, Aug 15, 2014.

  1. ZMACKs

    Hello guys,

    I'm going to restrict access to WHM & cPanel to my static IP only. I'm wondering what I should do if I accidentally lock myself out, because sometimes I have downtime with my broadband provider, so I won't be able to access the internet through my static IP. Is there any other way, through SSH maybe, to remove that lock?

    Thank you in advance :)
     
  2. ThinIce

    If you're using host access control, then per https://documentation.cpanel.net/display/ALD/Host+Access+Control

    So, if you want to retain access to ssh for this purpose, make sure you haven't denied access to sshd in hosts.allow or hosts.deny

    There are alternative approaches: if you're using CSF / iptables you can firewall off WHM / cPanel / sshd ports to only your trusted IPs with specific rules. CSF also supports port knocking for unlocking specific ports in an emergency; see section 20 of http://configserver.com/free/csf/readme.txt. Yet another approach would be to use a dynamic DNS hostname along with specific rules ( tcp|in|d=22|s=this.hostnamefollowsme.com )

    All have their upsides and downsides. You don't mention if this is a VPS or a dedi, but ideally you'd have access to either console or KVM access to save your bacon in the case of something going completely wrong; that'll depend on your provider though :)
     
  3. ZMACKs

    Thank you for your reply,

    What I've done is add my IP to csf.allow, and then remove the WHM, cPanel & Webmail services' ports from TCP_IN. I'm not sure what I will do when I get locked out due to internet connection problems and my IP changes. Is there a command line to reset TCP_IN to defaults, or to add the removed ports?

    Many thanks :)
     
  4. georgeb

    It is not enough to add IPs to "csf.allow"; you can be blocked. Look here:

    ConfigServer.Com Technical FAQ - cPanel Server Management

    The best way is to use SSH to log in with keys and you'll never have problems.

    If your IP changes (dynamic, not static), you can create a bash script that will check (on cron) inside your main account (cPanel account) for 2 txt files:

    1. one where you put the IP that has to be whitelisted, which will be appended to csf.allow / csf.ignore;
    2. one where you put the IP that has to be removed from the whitelist, which will be removed from csf.allow / csf.ignore.

    This way you can add or remove the IP from the whitelist without accessing WHM, or in case you are blocked.

    This is just one idea; there can be more, and more complex ones.

    Regards
     
    #4 georgeb, Aug 17, 2014
    Last edited: Aug 17, 2014
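
One way to implement the cron-driven two-file approach georgeb describes, as an added example that is not part of the original thread and handles csf.allow only. Because root acts on files a cPanel user can write, it accepts only literal IPv4 addresses, skips symlinks, and caps entries per run. Assumptions: the file names, `MAX_ENTRIES` and the `CSF_BIN` override are hypothetical; `csf -a` and `csf -ar` are CSF's add and remove options for csf.allow.

```bash
#!/bin/bash
# Added example (not georgeb's script): root cron job applying whitelist requests
# from two files in a cPanel account's home. File names below are assumptions.
CSF_BIN="${CSF_BIN:-csf}"   # overridable so the logic can be dry-run without CSF
MAX_ENTRIES=5               # cap how much a writable request file can change the firewall

# Succeed only for a plain dotted-quad IPv4 address: no CIDR, hostname or option text.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local old_ifs="$IFS" octet
    IFS=.; set -- $1; IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*|0?*) return 1 ;; esac   # too long or leading zero
        [ "$octet" -le 255 ] || return 1
    done
}

# apply_requests FILE OPTION: run "csf OPTION ip" for each valid line of FILE.
# OPTION is -a (add to csf.allow) or -ar (remove from csf.allow).
apply_requests() {
    local file="$1" opt="$2" line ip count=0 rejected=0
    # The file is user-writable and read as root: require a regular, non-symlink
    # file, never write to it, and never echo its raw contents into logs.
    [ -f "$file" ] && [ ! -L "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$ip" ] || continue
        if [ "$count" -lt "$MAX_ENTRIES" ] && valid_ipv4 "$ip"; then
            count=$((count + 1))
            "$CSF_BIN" "$opt" "$ip" </dev/null || true
        else
            rejected=$((rejected + 1))
        fi
    done < "$file"
    [ "$rejected" -eq 0 ] || echo "apply_requests: skipped $rejected line(s) in $file" >&2
    return 0
}

# Cron entry point (assumed layout): <script> run /home/USER
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    apply_requests "$2/whitelist-add.txt" -a
    apply_requests "$2/whitelist-remove.txt" -ar
fi
```

Anyone who can write to these files can whitelist an address, so the account's FTP and cPanel credentials become part of the firewall's trust boundary.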
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Yes, ideally you should have console or KVM access if this is a dedicated server. This way you can always enable/disable services or allow IP addresses in the event your server is unresponsive or has locked you out.

    Thank you.
     