The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WHM / cPanel Login suggestion - display login only to approved IPs

Discussion in 'Security' started by scanreg, Feb 12, 2012.

  1. scanreg

    scanreg Member

    Joined:
    Jan 21, 2008
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    would be cool if whm/cpanel login screens could first do a lookup of approved IPs and then if you're on the approved list only then is the login displayed, otherwise 404

    if you lose your pwd, could do some sort of recovery through the server/acct main email and maybe answer security questions or something
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,448
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  3. scanreg

    scanreg Member

    Joined:
    Jan 21, 2008
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    If I get this right, you can put your own IP on the allowed list, but you still have to continuously build the deny list

    Rather, for login, I'd like to have an allowed list but all other IPs are denied, even if they are not on a deny list
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    For Host Access Control, you can do a deny for all IPs but your own IP(s) (your IP(s) would need to be set for allow before the deny all), which then disallows access to whatever service you select for all IPs but yours.

    You do not have to continuously build the deny list using WHM's Host Access Control area.
     
  5. scanreg

    scanreg Member

    Joined:
    Jan 21, 2008
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Ah, interesting :)

    I'm not really familiar with the deeper WHM/cpanel settings

    1. Can the Host Access Control be adjusted through WHM or cpanel? (versus a direct file edit)

    2. Is it adjusted through WHM or through cPanel?

    3. Do you mean that if a non-approved IP is logged in it still wouldn't be able to edit any of the files or services? In other words, it wouldn't be blocked from logging in but would be blocked from messing with settings and files? They might still be able to view settings though, right?

    Thanks very much
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    1 and 2 - It can only be adjusted through WHM or by editing /etc/hosts.allow file
    3 - If a non-approved IP tries to log into a service that the IP is denied, that IP cannot log into the service. Services that can be blocked are whostmgrd (WHM), cpaneld (cPanel) and sshd (SSH) as some examples.

    Please feel free to log into your WHM and click on Host Access Control area to see what it looks like, and let us know if you have further questions on it after you've had a look around :)
     
  7. scanreg

    scanreg Member

    Joined:
    Jan 21, 2008
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the specifics, nice

    So, regarding the example given in Host Access Control:

    Daemon Access List Action Comment
    sshd 192.168.0.0/255.255.255.0 allow Allow local SSH access
    sshd 198.66.254.254 allow Allow SSH from my specific IP
    sshd ALL deny Deny access from all other IPs

    If you did exactly the above in the above order given (but changing the IP on the second line to the IPs that you wanted to allow to login), then you would be allowing only local access and 198.66.254.254 access via SSH, but all others would be denied, do I get it?

    Does this limit all access to just WHM, or does it apply to all cpanel account logins too?

    I really appreciate your help, it would be great to configure this.

    Thanks
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello,

    For the example given, it limits sshd access only as sshd is the daemon listed. If you want WHM access to be limited, you'd instead entry lines about whostmgrd for the daemon.

    Next, if you did the exact same in the order given with the allow entries first, then you'd be allowing the IPs listed. You do not need to allow local access as, once you are local to the machine, you are already logged into it and do not need to be allowed. Simply allow the IP(s) you'll be using to connect to the service from any systems you have that have static IPs.

    Thanks!
     
  9. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    Host Access Control is a very powerful feature but where do we customize the HTTP error 401 page ?
     
  10. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    Where do we customize the HTTP error 401 page for Host Access Control ?
     
Loading...

Share This Page