Last modified: November 18, 2024
Looking for this interface?
Your hosting provider can enable or disable this interface for resellers in WHM's Edit Reseller Nameservers and Privileges interface (WHM >> Home >> Resellers >> Edit Reseller Nameservers and Privileges).
Overview
Use the Host Access Control interface (WHM » Home » Security Center » Host Access Control) to allow, reject, or drop access to the following services for specific IP addresses:
- cPanel (
cpaneld
) - WHM (
whostmgrd
) - Webmail (
webmaild
) - Web Disk (
cpdavd
) - FTP (
ftpd
) - SSH (
sshd
) - SMTP (
smtp
) - POP3 (
pop3
) - IMAP (
imap
)
- If your server uses
nftables
, rules that you add in this interface will be ignored if you install another firewall application. - This document uses the following examples for networks:
192.168.0.0/24
— IPv4 network2001:0db8:0:0:1:0:0:1/64
— IPv6 network
Host Access Control for CloudLinux 8, AlmaLinux, and Rocky Linux
Servers that run CloudLinux™ 8, AlmaLinux OS, or Rocky Linux™ control service access by port number. For a list of ports and their related services, read the Ports section of the How to Configure Your Firewall for cPanel Services documentation.
If you accidentally lock yourself out of WHM when you use this interface, edit the nft
rules through the command line to regain access.
Add a rule
You must enter your ACCEPT
rules before your DROP
or REJECT
rules.
To allow or deny a single IP address or CIDR subnet access to a service, perform the following steps:
- Enter the port number in the Port text box.
- Enter the IP address or CIDR subnet in the IP Address/CIDR text box.
- You may enter wildcards in this text box.
- You do not need to enclose IPv6 addresses in square brackets (
[ ]
). - You may apply your rule to multiple IP addresses by entering a CIDR subnet mask. To add a CIDR subnet mask, add
/NUMBER
to your IP address, whereNUMBER
is the number of network bits that an IP address must match to be affected by your rule.- IPv4 example:
192.168.0.0/24
means the first 24 bits of the requesting IP address (the first, second, and third numbers in the IP address) must match the rule IP address. This will result in all IP addresses in the range of192.168.0.1 - 192.168.0.254
meeting the rule. - IPv6 example:
2001:0db8:0:0:1:0:0:1/64
means that the first 64 bits of the requesting IP address must match the rule IP address. Because IPv6 uses 128-bit addresses, this will result in all IP addresses in the range of2001:db8:abcd:0012:0000:0000:0000:0000 - 2001:db8:abcd:0012:ffff:ffff:ffff:ffff
meeting the rule.
- IPv4 example:
- Select the TCP protocol or the UDP protocol from the Protocol menu.
- Select which action to take for the port from the Action menu.
- Use the ACCEPT action to allow the IP addresses in the range to access the port.
- Use the DROP action to block the IP addresses in the range without a rejection message.
- Use the REJECT action to block the IP addresses in the range with a rejection message.
- Click Add Rule to add the rule. The rule will appear in the Current Rules table and apply.
Host Access Control for CloudLinux 7, CentOS 7, and Ubuntu
Servers that run CloudLinux™ 7, CentOS 7, or Ubuntu® control access by service via the /etc/hosts.allow
and /etc/hosts.deny
files.
If you accidentally lock yourself out of WHM when you use this interface, edit the /etc/hosts.allow
file through the command line to regain access.
- The Create Support Ticket interface (WHM » Home » Support » Create Support Ticket) automatically adds cPanel Support’s IP addresses to the server’s
/etc/hosts.allow file
. For more information, read our Create Support Ticket documentation. - To control access to the
ftpd
daemon, you must use the ProFTPD FTP server. Pure-FTP does not support TCP wrappers.- To choose an FTP server, use WHM’s FTP Server Selection interface (WHM » Home » Service Configuration » FTP Server Selection).
- For more information, read our ProFTPD Configuration for Host Access Control documentation.
Allow or deny access
You must enter your allow
rules before your deny
rules.
To allow or deny a single IP address, comma-separated list of IP addresses, hostname, or CIDR subnet access to a service, perform the following steps:
- Enter the service name in the daemon text box.
- Enter the IP address, CIDR subnet, comma-separated list of IP addresses, or hostname in the Access List text box.
- You may enter wildcards in this text box.
- You must enclose IPv6 addresses in square brackets (
[ ]
). - To add a CIDR subnet mask, add
/NUMBER
to your IP address, whereNUMBER
is the number of network bits that an IP address must match for your rule to affect it.- IPv4 example:
192.168.0.0/24
means the first 24 bits of the requesting IP address (the first, second, and third numbers in the IP address) must match the rule IP address. This will result in all IP addresses in the range of192.168.0.1 - 192.168.0.254
meeting the rule. - IPv6 example:
2001:0db8:0:0:1:0:0:1/64
means that the first 64 bits of the requesting IP address must match the rule IP address. Because IPv6 uses 128-bit addresses, this will result in all IP addresses in the range of2001:db8:abcd:0012:0000:0000:0000:0000 - 2001:db8:abcd:0012:ffff:ffff:ffff:ffff
meeting the rule.
- IPv4 example:
- Enter the desired action in the Action text box.
- Enter
allow
to allow access. - Enter
deny
to deny access.
- Enter
- Describe the rule in the Comment text box.
- Click Save Host Access List, or click Reload to delete any changes. Any saved rules apply.
You can also enter ALL EXCEPT IP address
in the Access List text box. When you enter allow
as your action, the system will allow all of the addresses except for addresses that you entered in the Access List text box.
Example
To allow access from IP addresses on a specific network and deny access from all other addresses, use either of the following methods:
Method | Description |
---|---|
Two separate rules | Create one rule that allows 192.168.0.0/24 or 2001:0db8:0:0:1:0:0:1/64 . Then, create a second rule that denies access to ALL addresses. |
One rule | Create one rule that denies access to all except 192.168.0.0/24 or all except 2001:0db8:0:0:1:0:0:1/64 . |
Once you have added these rules, they will appear in the Current Rules table and apply.