Block access to whm.domain.com and cpanel.domain.com
Hi guys,
How do I block access to whm.domain.com and cpanel.domain.com while keeping webmail.domain.com accessible. Additionally, DNS records for autoconfig and autodiscover should remain functional for mail clients.
cPanel's system-level subdomain handling often overrides manual configurations, So my .htaccess blocking isn't working. Looking for the most reliable way to block cpanel and whm subdomains without affecting other services.
-
/scripts/proxydomains --subdomain=whm remove
and
/scripts/proxydomains --subdomain=cpanel remove
1 -
Thanks mate
0 -
Is there a way to block access to WHM subdomain AND port 2087 except for a certain domain.
I have several domains on my cPanel and they can all access WHM via 2087 if they had the root credentials. I have set up a random domain such as kabcbcldnbeinsbxhdj.com and I want this to be the only domain to be able to access port 2087 or WHM as a subdomain.
0 -
Anyone can access WHM using any of the domains in that server or the server's IP address.
"if they had the root credentials"?
It like asking "how to prevent people from coming to my home if they have my keys?"
I'd suggest to use 2FA:
https://docs.cpanel.net/cpanel/security/two-factor-authentication-for-cpanel/0 -
Ok. You can tell I’m new.
Is there a way of only allowing access to WHM or 2086/2087 from only my ip address while blocking it from absolutely any other ip address?
0 -
I tried that. I set deny to ALL and accept to my Macs IP address but I could still access WHM on my mobile that was using mobile data.
0 -
Did you ensure the deny rule was placed after the allow rules?
0 -
Yes, exactly as it shows in the cpanel documentation
0 -
This is one of the core functions of cPanel that "just works" so if that isn't working as expected it would be best to create a ticket so this can be investigated.
0 -
I've just restarted my server and it does appear to be blocking access via port 2087. That's part one sorted.
How can I block access to whm.mydomain.com from all IP addresses except mine?0 -
There isn't going to be a way to do that portion besides removing the proxy domain.
0 -
Could I go to my cpanel and create the sub domain whm.mydomain.com and redirect it my domain.com?
0 -
You could do that after the proxy domains were removed, but if you try it before it will conflict with those proxy service domains.
0 -
I am noticing a lot of server load from /usr/local/cpanel/base/show_template.stor which as I understand it is the result of an attempt to login at cpanel.domain.tdl.
Since I don't allow users cPanel access on this server, I ran
/scripts/proxydomains --subdomain=cpanel remove
which seemed to mitigate the load dramatically.
On checking DNS zones, I discovered that the IP v4 was removed, but not the IP v6. On further testing I find that running the command without --domain= only adds or removes IP v4, and IP v6 is untouched, BUT if a specific domain is specified then it will add or remove both IP v4 and v6. (I'm talking about the shared IP v6 on the server, that is assigned to all accounts.)
cPRex Is this a bug, or a limitation since IP v6 has to be assigned per domain? And is this even the best/correct way to handle this server load issue?
0 -
Where specifically is the load coming from? Are you seeing a lot of login attempts to the page? The existence of the file itself wouldn't be causing the load, so something external would need to be triggering it.
0 -
I believe it is the result of an attempt to login at cpanel.domain.tdl on various accounts.
0 -
It might be best to limit access to the server through a tool like WHM's Host Access Control if you are seeing a large number of logins to the service that shouldn't be happening at all. This would ensure that only designated IP addresses can access the server.
0 -
Unfortunately allowing access from those on a dynamic IP is a necessity.
I know it's not the existence of the file, but it being called coincides with the load, and my understanding it that it's called from cpanel.domain.tld, showing an access attempt. I realize that domain.tld:2083 is still an option even with the cpanal. service domain removed (right?), but it totally stopped the load (so far). I could also block the port via Host Access Control though. I would just turn off all service domains in Tweak Setting, except I do need webmail. to be accessible. Any further thoughts now that I have provided more detail?
Also, can you reply about the possible bug for /scripts/proxydomains --subdomain=cpanel that I described about?
0 -
Yes, if you remove the service subdomain that doesn't stop domain.com:2083 from working normally - the service subdomain is just an easier way for users to remember the URL without having to memorize port numbers, so those could be disabled if you wanted to.
As far as the IPv6 issue, that is a known issue we're tracking in case CPANEL-45676, and I've linked this Forums thread to it as well so I'll be sure to post an update once I have one to share.
1 -
Update - we're hoping to have this resolved in version 136.
1 -
Update - this issue didn't make it to version 136 so we're hoping to get this included in version 138 now.
0
Please sign in to leave a comment.
Comments
22 comments