Introduction
This guide provides a basic example for configuring access rules in the Host Access Control interface of WHM. Please see the official documentation for the full details about how this feature functions.
cPanel Docs - Host Access Control
Procedure
IMPORTANT: You must ensure that you already know how to access your server via console before editing in this interface. It is possible to completely block yourself from accessing the server if this interface is configured incorrectly. In the event that you have completely blocked yourself from accessing the server, console access to the server would be required to regain access. Obtaining and making use of console access is not supported by cPanel because it is configured and provided by your hosting provider or systems administrator.
What does "console access" mean?
If you do need to remove the rules that are blocking your access while you are logged in with console access, the process is different depending on what operating system you are on.
For CentOS 7, CloudLinux 7, RHEL 7 and earlier versions, you would need to remove the rules from the following file. This can be done with the text editor of your choice. There is no need to restart any services after editing the file.
/etc/hosts.allow
For AlmaLinux 8, CentOS 8, and CloudLinux 8 you must edit the NFT firewall rules. This can be a complex task and must be done by a systems administrator with the skills, training, and expertise required to do so for you.
The following steps will block access to WHM for all IP addresses except the specific IPs that you allow.
- Ensure that you can access the server via Console before starting this process
- Log in to the server via WHM as the root user
- Navigate to: Home » Security Center » Host Access Control
- Remove all existing rules unless you know exactly how the existing rules will interact with the rules outlined in this guide
- You may optionally leave in the cPanel Support Access rule for SSHD at the top if you would like to ensure that cPanel support analysts can easily access the server if you open a ticket. If you remove this rule, then you may need to make manual edits to the host access control interface when opening a ticket with cPanel support.
- Add your desired rules in the following format. Be sure to replace the actual IP addresses and comments with your own.
| Daemon | Access List | Action | Comment |
|---|---|---|---|
| whostmgrd | xxx.xxx.xxx.xxx | ALLOW | The IP xxx.xxx.xxx.xxx will be allowed to access the whostmgrd daemon, which is what provides the WHM interface |
| whostmgrd | yyy.yyy.yyy.yyy | ALLOW | The IP yyy.yyy.yyy.yyy will be allowed to access WHM |
| whostmgrd | [ef82::1a12:1234:1b12] | ALLOW | Please note that IPv6 addresses must be contained within brackets. |
| whostmgrd | ALL | DENY | All IPs that are not explicitly allowed above this rule will be blocked from WHM. |

- Scroll to the bottom of the page and click the blue button that says "Save Host Access List"
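A pre-save lockout check for a rule list like the one above, as an added example that is not cPanel code: it evaluates the rules top to bottom and reports any administrator address that would not end up allowed. It assumes the first matching rule wins (consistent with the guide's "above this rule" wording) and handles only the entry kinds shown in the guide (single addresses and ALL); the function names and the sample addresses, taken from documentation ranges, are constructed for illustration.

```python
import ipaddress

# Constructed sample rules in the guide's column order: daemon, access list, action.
# Addresses come from documentation ranges (RFC 5737 / RFC 3849), not real hosts.
RULES = [
    ("whostmgrd", "192.0.2.10", "ALLOW"),
    ("whostmgrd", "198.51.100.7", "ALLOW"),
    ("whostmgrd", "[2001:db8::1a12:1234:1b12]", "ALLOW"),
    ("whostmgrd", "ALL", "DENY"),
]


def entry_matches(entry, client):
    """True if one access-list entry (a single address or ALL) covers the client."""
    if entry.upper() == "ALL":
        return True
    is_bracketed = entry.startswith("[") and entry.endswith("]")
    addr = ipaddress.ip_address(entry.strip("[]"))
    # The guide requires IPv6 entries to be wrapped in brackets.
    if addr.version == 6 and not is_bracketed:
        raise ValueError(f"IPv6 entry must be in brackets: {entry}")
    return addr == client


def decide(rules, daemon, client_ip):
    """Action of the first matching rule, top to bottom; None if no rule matches.

    Assumption: first match wins, so an ALLOW placed below ALL DENY never applies.
    """
    client = ipaddress.ip_address(client_ip)
    for rule_daemon, entry, action in rules:
        if rule_daemon == daemon and entry_matches(entry, client):
            return action.upper()
    return None


def lockout_check(rules, daemon, admin_ips):
    """Admin addresses that would NOT be allowed once these rules are saved."""
    return [ip for ip in admin_ips if decide(rules, daemon, ip) != "ALLOW"]


if __name__ == "__main__":
    locked_out = lockout_check(RULES, "whostmgrd", ["192.0.2.10", "203.0.113.5"])
    print("Would be locked out of WHM:", locked_out or "nobody")
```

An empty result from `lockout_check` for every address you administer from is the condition to confirm before clicking "Save Host Access List".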