Host Access Control

Valid for versions 94 through the latest version

Last modified: January 7, 2021

Overview

Use the Host Access Control interface to allow, reject, or drop access to the following services for specific IP addresses:

  • cPanel
  • WHM
  • Webmail
  • Web Disk
  • FTP
  • SSH
  • SMTP
  • POP3
  • IMAP

To control access in CentOS 8 and CloudLinux 8 servers, you must control service access by port number. For a list of ports and their related services, read the Ports section of the How to Configure Your Firewall for cPanel Services documentation.

You can control access by service in servers that run CentOS 7, CloudLinux 7, and Red Hat® Enterprise Linux® 7 and earlier.

Host Access Control for CentOS 8 and CloudLinux 8

Warning:

If you accidentally lock yourself out of WHM when you use this interface, edit the nft rules through the command line to regain access.

Add a rule

Important:

You must enter your ACCEPT rules before your DROP or REJECT rules.

To add a rule for an IP address range, perform the following steps:

  1. Enter the port number in the Port text box.

  2. Enter the IP address or range in the IP Address/CIDR text box.

    • You may enter wildcards in this text box.

    • You do not need to enclose IPv6 addresses in square brackets ( [ ] ).

    • You cannot enter a range of IPv4 addresses with CIDR notation.

    • To specify a network range, add a network mask to the IP address.

      • IPv4 example: 192.168.0.0/24, where 24 is the desired network mask you want to use.

      • IPv6 example: 2001:0db8:0:0:1:0:0:1/64, where /64 is the desired CIDR-notation network mask you want to use.

  3. Select the TCP protocol or the UDP protocol from the Protocol menu.

  4. Select which action to take for the port from the Action menu.

    • Use the ACCEPT action to allow the IP addresses in the range to access the port.

    • Use the DROP action to block the IP addresses in the range without a rejection message.

    • Use the REJECT action to block the IP addresses in the range with a rejection message.

  5. Click Add Rule to add the rule. The rule will appear in the Current Rules table.

Example

To allow access for two IP addresses, but deny access from all other addresses, use either of the following methods:

  • Create two separate rules:

    • Create one rule that accepts 192.168.0.0/24 or 2001:0db8:0:0:1:0:0:1/64 with the following steps:

      1. Enter the port number in the Port text box.
      2. Enter 192.168.0.0/24 in the IP Address/CIDR text box.
      3. Select the TCP protocol from the Protocol menu.
      4. Select ACCEPT from the Action menu.
      5. Click Add Rule to add the rule. The rule will appear in the Current Rules table.
    • Create a second rule that rejects access to ALL IP addresses with the following steps:

      1. Enter the port number in the Port text box.
      2. Enter ALL IP in the IP Address/CIDR text box.
      3. Select the TCP protocol from the Protocol menu.
      4. Select REJECT from the Action menu.
      5. Click Add Rule to add the rule. The rule will appear in the Current Rules table.
  • Or, create one rule that accepts all except 192.168.0.0/24 or all except 2001:0db8:0:0:1:0:0:1/64 with the following steps:

    1. Enter the port number in the Port text box.
    2. Enter all except 192.168.0.0/24 or all except 2001:0db8:0:0:1:0:0:1/64 in the IP Address/CIDR text box.
    3. Select the TCP protocol from the Protocol menu.
    4. Select ACCEPT from the Action menu.
    5. Click Add Rule to add the rule. The rule will appear in the Current Rules table.

Host Access Control for CentOS 7, CloudLinux 7, and RHEL 7 and earlier versions

Use the Host Access Control interface to allow or deny (block) access to the following services for specific IP addresses:

  • cPanel (cpaneld)
  • WHM (whostmgrd)
  • Webmail (webmaild)
  • Web Disk (cpdavd)
  • FTP (ftpd)
  • SSH (sshd)
  • SMTP (smtp)
  • POP3 (pop3)
  • IMAP (imap)

Warning:

If you accidentally lock yourself out of WHM when you use this interface, edit the /etc/hosts.allow file through the command line to regain access.

Note:

  • The Create Support Ticket interface (WHM >> Home >> Support >> Create Support Ticket) automatically adds cPanel Support’s IP addresses to the server’s /etc/hosts.allow file. For more information, read our Create Support Ticket documentation.

  • To control access to the ftpd daemon, you must use the ProFTPD FTP server. Pure-FTP does not support TCP wrappers.

  • To control access to the POP3 or IMAP services, you may use the Dovecot mail servers.

Allow or deny access for an IP address

Important:

You must enter your allow rules before your deny rules.

To allow or deny an IP address to access a service, perform the following steps:

  1. Enter the service name in the daemon text box.

  2. Enter the IP address or hostname in the Access List text box.

    • You may enter wildcards in this text box.

    • You must enclose IPv6 addresses in square brackets ( [ ] ).

    • You cannot enter a range of IPv4 addresses with CIDR notation.

    • To specify a network range, add a network mask to the IP address.

      • IPv4 example: 192.168.0.0/24, where 24 is the desired network mask you want to use.

      • IPv6 example: 2001:0db8:0:0:1:0:0:1/64, where /64 is the desired CIDR-notation network mask you want to use.

  3. Enter the desired action in the Action text box.

    • Enter allow to allow access.

    • Enter deny to deny access.

  4. Describe the rule in the Comment text box.

  5. Click Save Host Access List, or click Reload to discard any changes.

Note:

You can also enter ALL EXCEPT IP address in the Access List text box. When you enter allow as your action, the system will allow all of the addresses except for addresses that you entered in the Access List text box.

Example

To allow access for two IP addresses, but deny access from all other addresses, use either of the following methods:

  • Create two separate rules:

    1. Create one rule that allows 192.168.0.0/24 or 2001:0db8:0:0:1:0:0:1/64.

    2. Create a second rule that denies access to ALL IP addresses.

  • Create one rule:

    1. Enter all except 192.168.0.0/24 or all except 2001:0db8:0:0:1:0:0:1/64 in the Access List text box.

    2. Enter deny in the Action text box.
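
The ordering requirement in both sections (ACCEPT before DROP or REJECT, allow before deny) can be checked before you save a rule set. The following Python sketch is an added example, not cPanel code: it assumes rules are evaluated top to bottom with the first match deciding, and it reports rules that an earlier rule makes unreachable. The Rule class, the function names, port 22, and the default action for unmatched traffic are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    port: int
    proto: str    # "tcp" or "udp"
    source: str   # address with mask, or "ALL" for any address
    action: str   # "ACCEPT", "DROP" or "REJECT"

def nets(source):
    """Networks a source covers; "ALL" means every IPv4 and IPv6 address."""
    if source.upper() == "ALL":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(source, strict=False)]  # host bits are masked off

def decide(rules, ip, port, proto="tcp", default="ACCEPT"):
    """Action of the first matching rule; `default` (an assumption) if none match."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if (r.port, r.proto) == (port, proto) and any(
                addr.version == n.version and addr in n for n in nets(r.source)):
            return r.action
    return default

def covers(earlier, later):
    """True if every address `later` matches is already matched by `earlier`."""
    if (earlier.port, earlier.proto) != (later.port, later.proto):
        return False
    return all(any(late.version == early.version and late.subnet_of(early)
                   for early in nets(earlier.source)) for late in nets(later.source))

def shadowed(rules):
    """Rules that can never take effect because an earlier rule covers them."""
    return [later for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]

# Constructed sample: the page's two-rule example, with port 22 chosen for illustration.
GOOD = [Rule(22, "tcp", "192.168.0.0/24", "ACCEPT"),
        Rule(22, "tcp", "2001:0db8:0:0:1:0:0:1/64", "ACCEPT"),
        Rule(22, "tcp", "ALL", "REJECT")]
BAD = [GOOD[2], GOOD[0], GOOD[1]]  # same rules, REJECT entered first

if __name__ == "__main__":
    for name, rules in (("accept-first", GOOD), ("reject-first", BAD)):
        print(name, decide(rules, "192.168.0.10", 22),
              [r.source for r in shadowed(rules)])
```

Run decide() with your own administrative address against the planned rule order before you add a DROP or REJECT rule; a non-empty shadowed() result means at least one rule was entered too late to apply.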
