Configure Security Policies
Valid for versions 90 through the latest version
Version:
90
Last modified: June 13, 2024
Looking for this interface?
Your hosting provider can enable or disable this interface for resellers in WHM's Edit Reseller Nameservers and Privileges interface (WHM >> Home >> Resellers >> Edit Reseller Nameservers and Privileges).
Overview
The Configure Security Policies interface allows you to configure your security policy settings and security policy extensions.
- When you attempt to log in from an unverified IP address and successfully answer your security questions, the system automatically adds the IP address to the list of verified IP addresses.
- If you configure your own security questions, the system automatically adds your IP address to the list of verified IP addresses.
Security Policy Items
Select the following checkboxes to help secure your server:
-
Limit logins to verified IP addresses — This setting determines whether to require users to answer security questions when they log in to their cPanel, Webmail, and WHM accounts from unverified IP addresses.
Notes:- When a user successfully answers the required security questions, the system automatically adds the user’s current IP address to the list of verified IP addresses.
- WHM users can add verified IP addresses and configure security questions in WHM’s Security Questions interface (WHM » Home » Security Center » Security Questions).
- After you enable this setting, cPanel users can add verified IP addresses and configure security questions in cPanel’s Security Policy interface (cPanel » Home » Security » Security Policy).
-
Two-Factor Authentication: Google Authenticator — This setting determines whether to require users to additionally enter a generated security code from a time-based one-time password (TOTP) app on a smartphone.
Note:To configure the two-factor authentication settings, use WHM’s Two-Factor Authentication interface (WHM » Home » Security Center » Two-Factor Authentication).
-
Password Strength — This setting enforces a minimum password strength for cPanel, Webmail, and WHM users.
Note:To modify the minimum password strength, use WHM’s Password Strength Configuration interface (WHM » Home » Security Center » Password Strength Configuration).
-
Password Age — This setting allows you to specify the number of days to allow cPanel, Webmail, and WHM users to use the same password. When you select this checkbox, the Maximum password age (in days) text box appears. Enter the maximum number of days to allow users to use the same password.
Security Policy Extensions
The Security Policy Extensions settings apply your security policy to WHM API requests and DNS cluster requests.
- When you enable the Security Policy Extensions settings for remote APIs and DNS cluster requests, issues will be hard to diagnose. We recommend you do not enable these extensions unless you fully understand your remote API usage and DNS cluster configuration.
- We strongly recommend you do not enable these settings if you enable two factor authentication.
Enable the following settings to help secure your server:
-
API requests — Select this checkbox to apply the Security Policy Items settings to WHM API requests. If you enable this setting, the policies that you set apply to any user who attempts to call a WHM API function.
-
DNS Cluster requests — Select this checkbox to apply the Security Policy Items settings to DNS cluster requests. If you enable this setting, the policies that you set apply to any user who attempts to make a DNS cluster request.
Allow access without security questions via SSH
You can manually disable the need for security questions when logging in from a trusted IP. This is useful when the answers to the security questions are not available. To do so, perform the following steps:
- Use SSH to log in to your server as the
root
user. - Open the
/var/cpanel/userhomes/cpanel/.cpanel/securitypolicy/iplist/root
file in your preferred text editor. - Add the public IP from which you will be logging in.
- Save and exit the file.
After this you will be able to log in from that IP as root
without questions.