Use WHM Host Access Control to Secure Services Like SSH
Posted on Updated onThere are many methods and layers of securing your WHM installation. If you take the SSH service for example, we’ve already looked at how to disable direct root logins and use the Wheeler group for additional security. However, you can use further techniques as either stand-alone barriers or as a supplement to harden your WHM set up. For example, let’s say that you want to restrict a service like SSH to only a specific IP address. Assume you set up a secure VPN network which you will use for all SSH transactions. There is no reason to allow connections from any other IP address after that.
The same goes for all other services. How do you individually configure them so that you have fine-grained control over which IP addresses are able to connect? The answer lies in a WHM feature known as Host Access Control (HAC). This is a module that can be configured either from a text file via the commandline or through a dedicated interface on the WHM dashboard. It allows you to set up sophisticated access/deny rules for different types of services. In this article, let’s look at how to restrict SSH connections to just one IP address.
Using the Host Access Control GUI
You can reach this module once you’ve logged in to your WHM server by selecting the “Host Access Control” menu item on the left-hand side as shown here:
The next screen will allow you to input a number of rules – one on each line. These rules have three parts or columns that follow a specific format. The first is the service name we want to configure. Luckily for us, the GUI provides us with the drop-down box of services as soon as you start typing, thus reducing the risk of making mistakes. The second box contains one of the following values:
- An IP address that can also contain wildcards
- ALL
- ALL EXCEPT [IP address]
And finally, the third column contains one of the two following values:
- allow
- deny
Put together, this allows you to create extremely sophisticated rules for access to your WHM services. Keep in mind that they are implemented in order of listing, so it’s safest to write the “allow” rules before the “deny” rules.
In my example, I wish to deny access to all IP addresses except one. So I type the following into the second column:
ALL EXCEPT 162.216.16.140
Where 162.216.16.140 happens to be the IP address of my VPN, and I type “deny” into the third column, and use “sshd” as the name of my service.
Once I’ve saved the changes, if I try and access the SSH service from any other IP address, I get an error like the one below:
If on the other hand, I wanted to restrict access to my SSH service to 2 IP addresses, I would have to first allow each of them individually and then create a catchall “deny” rule in the end.
Let’s look at how to perform the same operations via the commandline.
Command Line HAC Control
The rules for host access control are located in a file called hosts.allow in the “etc” folder. So log into your server via SSH, navigate to the etc folder and type:
vi hosts.allow
This will open up hosts.allow for editing. Right at the bottom of the file, you will see the current Host Access Control rules. As before, they are split up into three parts each of which is separated by a colon “:”.
Making changes to this file creates the same effect as doing it via the GUI. Of course, you won’t have the convenient feature of the drop-down list, but if you already know exactly which service you want, it might be faster.
Host Access Control rules are a great way to fine-tune the security of your WHM server. Especially when it comes to high risk services like SSH, it’s important to lock them down securely.