In addition to hardening your server, setting up alternate SSH users and setting up SSH keys, you can use Host Access Control in WHM to add an extra layer of security to have control over which IP addresses are able to connect to critical administrative services on your server. This is a module that can be configured either from a text file via command line or through the WHM interface. You can set up access/deny rules for different types of services like:

cPanel
WHM
Webmail
Web Disk
FTP
SSH
SMTP
POP3
IMAP

There are two ways to set up Host Access Control:

Through WHM
Using the Command Line (SSH)

Note:

The Host Access control reads permissions from the top of the document down. It is important that your hosts.allow entries be listed first and the hosts.deny entries be entered last. If the hosts.deny entries are at the beginning of the document, the deny command will be enforced first and you run the risk of being locked out of WHM.

Using Host Access Control only works with systems based on CentOS 7 and earlier. AlmaLinux 8 and newer do not support this functionality.

Host Access Control via WHM

Log into WHM.
In the search bar on the left-hand side of the page, type in host to search for Host Access Control. Select it from the menu.
From the Host Access Control home page, begin to type the service daemon you wish to limit access for. A drop-down will appear for you to select the correct service.
Choose the type of access, IP address or IP address range you wish to set for the service, the permission you want to grant and you can add a comment if you choose.

Note:

Each input box provides a drop-down list to help you determine the action you want to take.
Once you’ve set the accesses you want, click on Save Host Access List.

Warning:

If you accidentally lock yourself out of WHM when using the interface, you will need to edit the /etc/hosts.allow file through the command line to regain access.

Host Access Control via Command Line

The hosts.allow file is found in the /etc directory. Open the file with your favorite text editor. In this example, we will open the file with vi.
```
cd /etc
vi hosts.allow
```

Below the instructions for the files, you can enter the service daemon and access you want to allow or deny. In this example, the sshd server is going to be allowed for everyone except the IP address 192.0.2.0.

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers

sshd : 192.0.2.0 : deny