cPanel WHM

Restrict access to ftp and other services in WHM

Source: https://documentation.cpanel.net/display/1142Docs/Host+Access+Control

You can use the Host Access Control feature to allow or deny clients’ access, based on the IP address, to the following services:
Daemon Name

Service Name
cpaneld cPanel
whostmgrd WHM
webmaild Webmail
cpdavd WebDisk
Allow access for an IP address

To allow an IP address to access a service, perform the following steps:

Enter the service name in the daemon text box. As you type, a list of suggestions will appear.
Enter the IP address or hostname in Access List text box.
You may enter wildcards in this text box.
You cannot enter a range of IP addresses with CIDR notation.
To specify a network range, add /255.255.255.0 to the IP address.
For example, 192.168.0.0/255.255.255.0, where 255.255.255.0 is the desired network mask you want to use.
Enter allow in the Action text box.
Describe the rule in the Comment text box.
Click Save Host Access List.
Click Reload to delete any changes.

Note:
Icon

You can also enter ALL EXCEPT IP address in the Access List text box. When you enter allow as your action, all of the addresses except for the one that you entered in the Access List will be allowed.

For more information on this option, see the Notes and Additional Documentation sections below.
Deny access from an IP address

To deny access to a service from an IP address, perform the following steps:

Enter the service name in the daemon text box. As you type, a list of suggestions will appear.
Enter the IP address or hostname in Access List text box.
You may enter wildcards in this text box.
You cannot enter a range of IP addresses with CIDR notation.
To specify a network range, add /255.255.255.0 to the IP address.
For example 192.168.0.0/255.255.255.0, where 255.255.255.0 is the desired network mask you want to use.
Enter deny in the Action text box.
Describe the rule in the Comment text box.
Click Save Host Access List.
Click Reload to delete any changes.

Note:
Icon

You can also enter ALL EXCEPT IP address in the Access List text box. When you enter deny as your action, all of the addresses except for the one that you entered in the Access List will be denied.

For more information on this option, see the Notes and Additional Documentation sections below.

Warning:
Icon

If you accidentally lock yourself out of WHM when you use Host Access Control, edit the /etc/hosts.allow file through the command line to unlock yourself.
Allow or deny IP addresses manually

For greater host access control flexibility, you can create rules in the command line. To do this, perform the following steps:

Log in to your server as root.
Open the /etc/hosts.allow file with your preferred text editor.
Follow this format: service : IP address : action.
For example: cpaneld : 192.168.0.0 : allow

Note:
Icon

When you configure your firewall directly, you can use CIDR notation.

On a CentOS or Red Hat Enterprise LInux® system, you can use the iptables utility to manage your firewall.

You can block a specific IP address on CentOS with iptables.
For example, to block 192.168.56.210, run the iptables -A INPUT -s 192.168.56.210 -j DROP command.
You can block a specific port for an IP address
For example, to block port 23 on 192.168.56.210, run the iptables -A INPUT -s 192.168.56.210 -p tcp –destination-port 23 -j DROP command.

Note:
Icon

WHM does not use a hosts.deny file. Deny statements should be added to the /etc/hosts.allow file.
Additional notes

You must enter your allow rules before your deny rules. For example, if you choose to allow access for two IP addresses, but you want to deny access from all other addresses, you can do either of the following:

Create two separate rules:
Create one rule that allows 192.168.0.0/255.255.255.0
Create a second rule that denies access to ALL IP addresses.
Create one rule:
Enter all except 192.168.0.0/255.255.255.0 in the Access List text box.
Enter deny in the Action text box.

Additional documentation

cPanel & WHM Application Catalog — This catalog lists utilities that can help you manage access control to your server.
IP Deny Manager — Use this feature to allow or deny access to an individual site.
ProFTPD Configuration for Host Access Control – This document provides the steps to configure FTP daemons to use Host Access Control