Help with locking WHM URL access visibility to the (hostname) domain
Is there a way to make it so WHM can only be accessed through a single domain? Specifically the server "hostname"?
Any addon or parked domain on the server can simply have /whm added to the end to bring up the WHM login. I want to lock it down so that only the server hostname [domain] (and hostname IP) actually serve the WHM pages.
I'm surprised this isn't already a thing by default for security reasons: "Let's open it wide up to all the hackers so they have easy access to the WHM login screen..." In other words, if a hacker finds out they can do /cpanel or :2083 on the domain, they can just as easily do /whm or :2087.
Am I just being paranoid?
This is not the same question others have posted about limiting WHM to a single incoming IP. I'm not trying to whitelist an incoming IP. I want to blacklist all domains except the primary server hostname from being able to display /whm. All domains except the hostname would simply give a 403 or 404 error when accessing /whm.
(also assume the whm port numbers when reading /whm)
There's no native way to do this, and it isn't done normally because resellers will typically access their WHM with their domain name. Either way, a hacker finding the login screen wouldn't grant access automatically, and with just the minimal protection of brute force protection you are relatively secure, though this is why most people choose to lock WHM down to 1 IP or a group of IPs - removing their ability to even reach WHM to begin with.
As per @cPanelLauren, locking WHM down to a handful of IPs is probably the way to go. I think this should work: using Host Access Control, allow your own IP (and any trusted others) against the WHM service. Then, as a final entry, deny all against WHM. You need to ensure that your allow entries are before the deny entry.
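The ordering advice in the comment above, as an added example that is not part of the thread and is not cPanel's code or rule format: it models an allow/deny list as first-match-wins (an assumption about how the list is evaluated) and flags allow entries that an earlier deny entry makes unreachable. The rule lists, function names, and addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed rule lists: (action, source network), evaluated top to bottom.
# Simplified model only; not cPanel's on-disk or UI format. IPv4 only.
GOOD = [
    ("allow", "203.0.113.10/32"),   # admin workstation
    ("allow", "198.51.100.0/24"),   # trusted office network
    ("deny", "0.0.0.0/0"),          # final catch-all for the WHM service
]
BAD = [
    ("deny", "0.0.0.0/0"),          # catch-all placed first by mistake
    ("allow", "203.0.113.10/32"),
]


def decide(rules, source_ip, default="allow"):
    """First matching rule wins; `default` applies when nothing matches."""
    addr = ipaddress.ip_address(source_ip)
    for action, network in rules:
        if addr in ipaddress.ip_network(network):
            return action
    return default


def shadowed_allows(rules):
    """Return allow entries that can never match because an earlier
    deny entry already covers their whole network."""
    denies = []
    shadowed = []
    for action, network in rules:
        net = ipaddress.ip_network(network)
        if action == "deny":
            denies.append(net)
        elif any(net.subnet_of(d) for d in denies):
            shadowed.append(network)
    return shadowed


if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "admin ->", decide(rules, "203.0.113.10"),
              "| stranger ->", decide(rules, "192.0.2.55"),
              "| shadowed allows:", shadowed_allows(rules))
```

With the deny entry first, the administrator's own address is denied along with everyone else, which is the lockout the ordering rule prevents.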
Thanks for the feedback. I didn't think about the reseller aspect as I am the sole user of the server, so it makes sense to keep it open from a reseller perspective. That said, since I am the only one managing the server, I hoped to lock out unnecessary ways to access the server. I probably won't go the IP whitelist route simply because the overhead of maintaining dynamic IPs (rotating ISP IPs) is too great.