
This document is for a previous release of cPanel & WHM. To view our latest documentation, visit our Home page.

For cPanel & WHM 11.42

(Home >> Security Center >> Host Access Control)

Overview

You can use the Host Access Control feature to allow or deny clients' access, based on the IP address, to the following services:

Daemon Name    Service Name
cpaneld        cPanel
whostmgrd      WHM
webmaild       Webmail
cpdavd         WebDisk

Allow access for an IP address

To allow an IP address to access a service, perform the following steps:

  1. Enter the service name in the daemon text box. As you type, a list of suggestions will appear.
  2. Enter the IP address or hostname in the Access List text box.
    • You may enter wildcards in this text box.
    • You cannot enter a range of IP addresses with CIDR notation.
    • To specify a network range, add /255.255.255.0 to the IP address.
      • For example, 192.168.0.0/255.255.255.0, where 255.255.255.0 is the network mask that you want to use.
  3. Enter allow in the Action text box.
  4. Describe the rule in the Comment text box.
  5. Click Save Host Access List.
    • Click Reload to delete any changes.

Note:

You can also enter ALL EXCEPT IP address in the Access List text box. When you enter allow as your action, all of the addresses except for the one that you entered in the Access List will be allowed.

For more information on this option, see the Notes and Additional Documentation sections below.

Deny access from an IP address

To deny access to a service from an IP address, perform the following steps:

  1. Enter the service name in the daemon text box. As you type, a list of suggestions will appear.
  2. Enter the IP address or hostname in the Access List text box.
    • You may enter wildcards in this text box.
    • You cannot enter a range of IP addresses with CIDR notation.
    • To specify a network range, add /255.255.255.0 to the IP address.
      • For example, 192.168.0.0/255.255.255.0, where 255.255.255.0 is the network mask that you want to use.
  3. Enter deny in the Action text box.
  4. Describe the rule in the Comment text box.
  5. Click Save Host Access List.
    • Click Reload to delete any changes.

Note:

You can also enter ALL EXCEPT IP address in the Access List text box. When you enter deny as your action, all of the addresses except for the one that you entered in the Access List will be denied.

For more information on this option, see the Notes and Additional Documentation sections below.

Warning:

If you accidentally lock yourself out of WHM when you use Host Access Control, edit the /etc/hosts.allow file through the command line to unlock yourself.

Allow or deny IP addresses manually

For greater host access control flexibility, you can create rules in the command line. To do this, perform the following steps:

  1. Log in to your server as root.
  2. Open the /etc/hosts.allow file with your preferred text editor.
  3. Follow this format: service : IP address : action.
    • For example: cpaneld : 192.168.0.0 : allow

Note:

When you configure your firewall directly, you can use CIDR notation.

On a CentOS or Red Hat Enterprise Linux® system, you can use the iptables utility to manage your firewall.

  • You can block a specific IP address on CentOS with iptables.
    • For example, to block 192.168.56.210, run the iptables -A INPUT -s 192.168.56.210 -j DROP command.
  • You can block a specific port for an IP address.
    • For example, to block port 23 on 192.168.56.210, run the iptables -A INPUT -s 192.168.56.210 -p tcp --destination-port 23 -j DROP command.

Note:

WHM does not use a hosts.deny file. Deny statements should be added to the /etc/hosts.allow file.

Additional notes

You must enter your allow rules before your deny rules. For example, if you choose to allow access for two IP addresses, but you want to deny access from all other addresses, you can do either of the following:

  1. Create two separate rules:
    • Create one rule that allows 192.168.0.0/255.255.255.0
    • Create a second rule that denies access to ALL IP addresses.
  2. Create one rule:
    • Enter all except 192.168.0.0/255.255.255.0 in the Access List text box.
    • Enter deny in the Action text box.
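
The ordering rule above can be checked against a draft rule set before you save it, which helps avoid the lockout described in the warning. The following Python sketch is an added example, not cPanel's code: it models top-to-bottom, first-match evaluation of constructed rules in the service : IP address : action format. The function names, the sample addresses, and the default of allowing a client that matches no rule are assumptions of this model; hostnames and wildcards are not modelled.

```python
import ipaddress

# Constructed sample rules in the page's "service : IP address : action" format.
ALLOW_FIRST = """\
# admin network first, then everyone else
whostmgrd : 192.168.0.0/255.255.255.0 : allow
whostmgrd : ALL : deny
"""
DENY_FIRST = """\
whostmgrd : ALL : deny
whostmgrd : 192.168.0.0/255.255.255.0 : allow
"""
ALL_EXCEPT = "whostmgrd : ALL EXCEPT 192.168.0.0/255.255.255.0 : deny\n"


def client_matches(pattern, ip):
    """Match one Access List entry against an IPv4 address (simplified model)."""
    pattern = pattern.strip()
    upper = pattern.upper()
    if upper.startswith("ALL EXCEPT "):
        return not client_matches(pattern[len("ALL EXCEPT "):], ip)
    if upper == "ALL":
        return True
    # ip_network() accepts the address/netmask form and a bare address (/32).
    # Hostnames and wildcard patterns are not modelled and raise ValueError.
    return ip in ipaddress.ip_network(pattern, strict=False)


def decide(rules_text, service, client_ip):
    """Return (action, line_number) of the first matching rule.

    Assumption: rules are read top to bottom, the first match wins, and a
    client that matches no rule is allowed (line_number is None).
    """
    ip = ipaddress.ip_address(client_ip)
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemon, clients, action = (f.strip() for f in line.split(":", 2))
        if daemon.upper() in (service.upper(), "ALL") and client_matches(clients, ip):
            return action.lower(), lineno
    return "allow", None


if __name__ == "__main__":
    for name, rules in [("allow first", ALLOW_FIRST), ("deny first", DENY_FIRST)]:
        print(name, decide(rules, "whostmgrd", "192.168.0.25"))
```

With the deny rule listed first, the admin address 192.168.0.25 matches it on line 1 and never reaches the allow rule.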

Additional documentation