Host Access Control

Valid for version 92

Version:

82

92

94

100

102


Last modified: October 15, 2021

Overview

Warning:
For users of CentOS 7, CloudLinux™ 7, and Red Hat® Enterprise Linux® 7 and earlier versions: if you accidentally lock yourself out of WHM when you use this interface, edit the /etc/hosts.allow file through the command line to regain access.
Note:
Warning:

cPanel & WHM version 92 for CentOS 8 and CloudLinux 8 is experimental software and we do not recommend using it in production environments.

Upgrade to a later version of cPanel & WHM to use CentOS 8 and CloudLinux 8 in production environments.

Use the Host Access Control interface to allow or deny (block) access to the following services for specific IP addresses:

  • cPanel (cpaneld)
  • WHM (whostmgrd)
  • Webmail (webmaild)
  • Web Disk (cpdavd)
  • FTP (ftpd)
  • SSH (sshd)
  • SMTP (smtp)
  • POP3 (pop3)
  • IMAP (imap)
Note:
  • To control access to the ftpd daemon, you must use the ProFTPD FTP server. Pure-FTP does not support TCP wrappers.

  • To control access to the POP3 or IMAP services, you may use the Dovecot mail servers.

Allow or deny access

Important:

You must enter your allow rules before your deny rules.

To add a allow or deny a single IP address, comma-separated list of IP addresses, hostname, or CIDR subnet mask access to a service, perform the following steps:

  1. Enter the service name in the daemon text box.

  2. Enter the IP address, CIDR subnet mask, comma-separated list of IP addresses, or hostname in the Access List text box.

    • You may enter wildcards in this text box.

    • You must enclose IPv6 addresses in square brackets ( [ ] ).

    • You may apply your rule to multiple IP addresses by entering a comma-separated list of IP addresses or a CIDR subnet mask.

    • To add a CIDR subnet mask, add /NUMBER to your IP address, where NUMBER is the number of network bits that an IP address must match to be affected by your rule.

      • IPv4 example: 192.168.0.0/24 means the first 24 bits of the requesting IP address (the first, second, and third numbers in the IP address) must match the rule IP address. This will result in all IP addresses in the range of 192.168.0.1 - 192.168.0.254 meeting the rule.

      • IPv6 example: 2001:0db8:0:0:1:0:0:1/64 means that the first 64 bits of the requesting IP address must match the rule IP address. Because IPv6 uses 128-bit addresses, this will result in all IP addresses in the range of 2001:db8:abcd:0012:0000:0000:0000:0000 - 2001:db8:abcd:0012:ffff:ffff:ffff:ffff meeting the rule.

  3. Enter the desired action in the Action text box.

    • Enter allow to allow access.

    • Enter deny to deny access.

  4. Describe the rule in the Comment text box.

  5. Click Save Host Access List, or click Reload to delete any changes. Saved changes will apply.

Note:

You can also enter ALL EXCEPT IP address in the Access List text box. When you enter allow as your action, the system will allow all of the addresses except for addresses that you entered in the Access List text box.

Example

To allow access for two IP addresses, but deny access from all other addresses, use either of the following methods:

Create two separate rules:

  • Create one rule that allows 192.168.0.0/255.255.255.0 or [2001:0db8:0:0:1:0:0:1]/64.

  • Create a second rule that denies access to ALL IP addresses.

Create one rule:

  • Enter all except 192.168.0.0/255.255.255.0 or all except [2001:0db8:0:0:1:0:0:1]/64 in the Access List text box.

  • Enter deny in the Action text box.

Host Access Control for CentOS 8 and CloudLinux 8

Warning:
  • cPanel & WHM version 92 for CentOS 8 and CloudLinux 8 is experimental software and we do not recommend using it in production environments.

  • If you accidentally lock yourself out of WHM when you use this interface, edit the nft rules through the command line to regain access.

Add a rule

Important:

You must enter your allow rules before your drop or reject rules.

To add a allow or deny a single IP address, comma-separated list of IP addresses, or CIDR subnet mask access to a service, perform the following steps:

  1. Enter the port number in the Port text box.

  2. Enter the IP address, CIDR subnet mask, or comma-separated IP address list in the IP Address/CIDR text box.

    • You may enter wildcards in this text box.

    • You do not need to enclose IPv6 addresses in square brackets ( [ ] ).

    • To add the CIDR subnet mask, add /NUMBER to your IP address, where NUMBER is the number of network bits that an IP address must match for your rule to affect it.

      • IPv4 example: 192.168.0.0/24 means the first 24 bits of the requesting IP address (the first, second, and third numbers in the IP address) must match the rule IP address. This will result in all IP addresses in the range of 192.168.0.1 - 192.168.0.254 meeting the rule.

      • IPv6 example: 2001:0db8:0:0:1:0:0:1/64 means that the first 64 bits of the requesting IP address must match the rule IP address. Because IPv6 uses 128-bit addresses, this will result in all IP addresses in the range of 2001:db8:abcd:0012:0000:0000:0000:0000 - 2001:db8:abcd:0012:ffff:ffff:ffff:ffff meeting the rule.

  3. Select the TCP protocol or the UDP protocol from the Protocol menu.

  4. Select which action to take for the port from the Action menu.

    • Use the ACCEPT action to allow the IP addresses in the range to access the port.

    • Use the DROP action to block the IP addresses in the range without a rejection message.

    • Use the REJECT action to block the IP addresses in the range with a rejection message.

  5. Click Add Rule to add the rule. The rule will appear in the Current Rules table and apply.

Additional Documentation