Host Access Control

For WHM version 11.38

(Home >> Security Center >> Host Access Control)

Overview

The Host Access Control screen lets you allow or deny access to services by IP address. You can create rules that specify the individual services with which each IP address may interact.

For example, here are some services to which you can restrict access:

Daemon Name    Service Name
cpaneld        cPanel
whostmgrd      WHM
webmaild       Webmail
cpdavd         WebDAV/WebDisk
ftp            FTP
sshd           SSH

Note: The ranges of addresses in these rules must use wildcards (192.168.0.*) instead of CIDR notation (192.168.0.1/24).

Changes to the Host Access Control screen are stored in the /etc/hosts.allow and /etc/hosts.deny files on your server.

Note: If you wish to allow or deny access to individual sites, use the IP Deny Manager within each site's cPanel interface.

How to block an IP address

To block a service by IP address:

  1. Enter the service’s name in the Daemon field.
    • Note: As you type, a list of matching suggestions will appear.
  2. Enter the IP address or hostname under Access List.
    • Note: You may enter wildcards in this field. However, you cannot enter a range of IP addresses using CIDR notation. The field recognizes IP address/netmask pairs such as the following: 192.168.0.0/255.255.255.0
  3. Enter an action under Action.
    • Note: Allow and deny are the only valid input values for this field.
  4. Describe the rule under Comment.
    • Note: When you use the "allow from a few IP addresses; then deny from all" technique, you must enter the allow rules before the deny rules. You can also use ALL EXCEPT 192.168.0.20 as an Access List which will allow all IP addresses except 192.168.0.20.
  5. Click Save Host Access List at the bottom of the page.
    • You may delete any changes that you have made to the entry fields by clicking Reload.

Note: If you accidentally lock yourself out of the server, edit /etc/hosts.allow via the console to unlock the server.
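
The Access List notes above rule out CIDR notation but accept wildcards and IP address/netmask pairs. As an added example (not part of the cPanel documentation), this Python helper converts a CIDR range into those two forms; the function name is hypothetical, and the single-* form for /8 and /16 ranges is assumed by analogy with the page's 192.168.0.* example.

```python
import ipaddress


def cidr_to_access_list(cidr):
    """Convert an IPv4 CIDR range into forms the Access List field accepts.

    Returns (netmask_pair, wildcard). wildcard is None when the prefix does
    not end on an octet boundary, so it cannot be written with a '*'.
    Hypothetical helper written for this example.
    """
    # strict=False tolerates host bits, e.g. the page's own 192.168.0.1/24
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 ranges are handled in this example")

    if net.prefixlen == 32:
        # A single host needs no mask or wildcard: enter the bare address.
        host = str(net.network_address)
        return host, host

    # address/netmask pair, the form the page shows as 192.168.0.0/255.255.255.0
    netmask_pair = f"{net.network_address}/{net.netmask}"

    wildcard = None
    if net.prefixlen in (8, 16, 24):
        # Keep the fixed octets and replace the rest with one '*'
        # (assumption for /8 and /16; the page only shows the /24 case).
        fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
        wildcard = ".".join(fixed + ["*"])
    return netmask_pair, wildcard


if __name__ == "__main__":
    # Constructed sample ranges, not taken from any real server.
    for sample in ("192.168.0.1/24", "10.20.0.0/22", "192.168.0.20/32"):
        pair, wild = cidr_to_access_list(sample)
        print(f"{sample:18} pair={pair:28} wildcard={wild}")
```

A range such as 10.20.0.0/22 has no wildcard equivalent, so only the address/netmask pair can express it in a single rule.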

How to configure your Firewall

For greater flexibility with host access control, you can configure your firewall directly.

To configure your firewall directly, you will need to log into your server as the root user.

On a CentOS or RedHat Enterprise Linux® system, you can use the iptables utility to manage your firewall.

Note: Both of these utilities can accept CIDR notation.

How to configure a firewall on a CentOS or RedHat server

If you wish to block 192.168.0.20 on CentOS using iptables, you could use the following command:

iptables -A INPUT -s 192.168.0.20 -j DROP

If you want to block the same IP address from accessing port 23, you could use:

iptables -A INPUT -s 192.168.0.20 -p tcp --destination-port 23 -j DROP

Are you still having difficulties?

There are several utilities available in our application catalog that can help you manage your firewall.

Topic revision: r15 - 02 Apr 2013 - 18:14:08 - Main.ColinShannon