How to Secure SSH on CPanel and restrict to specific hosts

There are many ways to secure SSH on a CPanel server, including authenticating with keys and more. However, I usually go for a simpler way. Most of my personal applications run on dedicated and shared servers, so only a small list of people require SSH access (I don’t allow SSH for shared servers at all), often only myself. I start by restricting SSH to protocol 2, then change the listening port for SSH, and lastly use CPanel’s built-in Host Access Control to restrict which sources are able to access SSH.

  1. Restrict SSH to Protocol 2 & restrict the port to a non-standard port.
  2. To do this, log into the console of the server as the root user and use your favourite editor to modify the sshd configuration file like so.

    pico /etc/ssh/sshd_config

    Find the line that reads Protocol 2,1 and the line that reads Port. Below is an example of a modified configuration: Port 22444 is the new SSH port, #Protocol 2,1 comments that line out of the config, and the line below it restricts the protocol to 2 only.

    Port 22444
    #Protocol 2,1
    Protocol 2
  3. Restrict Source Hosts from within CPanel.
    From within your WHM, head to Security Center >> Host Access Control.
    Here we can add some rules to control who can access sshd. In the image below you can see how I have added access for Office and Head Office with two rules (the Access List is internal ranges in this case; it would normally be a single external source, IE) and a third rule to deny ALL others. The final deny rule must be the last of the sshd rules.

  4. Restart SSHD service.
    Restart the sshd service from the console/terminal or from WHM. Type service sshd restart in the console/terminal, or go to Restart Services >> SSH Server (OpenSSH) from within WHM and hit YES.
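A check to run on the edited file before the restart in step 4, as an added example that is not part of the original post: it confirms that no Port line still opens 22 and that the effective Protocol is 2. The function names and the sample file are constructed for illustration, and it assumes the config sets Protocol explicitly, as the one above does.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two edits made in steps 1-2.
# Function names and the sample file below are constructed for illustration.

# Print every value of an uncommented keyword (sshd keywords are case-insensitive).
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2 }' "$1"
}

# Return 0 only if sshd will not listen on 22 and Protocol is exactly 2.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    cfg=$1; rc=0
    ports=$(sshd_values "$cfg" Port)
    # sshd listens on every Port line; with none it falls back to 22.
    if [ -z "$ports" ]; then
        echo "FAIL: no Port line, sshd listens on default port 22"; rc=1
    elif printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL: a Port line still opens port 22"; rc=1
    else
        echo "OK: Port $(echo $ports)"
    fi
    # For Protocol the first uncommented line wins.
    proto=$(sshd_values "$cfg" Protocol | head -n 1)
    if [ "$proto" = 2 ]; then
        echo "OK: Protocol 2"
    else
        echo "FAIL: Protocol is '${proto:-unset}', expected 2"; rc=1
    fi
    return $rc
}

# Constructed sample matching the configuration shown in step 2.
sample=$(mktemp)
printf 'Port 22444\n#Protocol 2,1\nProtocol 2\n' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

On the server, point audit_sshd_config at /etc/ssh/sshd_config and also run sshd -t, which makes OpenSSH check the file for syntax errors. Keep your current SSH session open until a new login on the new port succeeds.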

NOTES: I am using OpenSSH in this example. If you have any third-party firewalls in place you will need to punch a hole in those for the different port as well. Also, as I recommend you run a firewall on your CPanel box, you will also need to configure that. I recommend Config Server Firewall as an addon/plugin for CPanel and will have an install and configuration writeup on that at some stage soon! Post a Comment if you have any questions.




  1. How to Enable SSH Access to ESXi v4 - Tech Help Blog - August 10, 2010

    […] tested this, as I use secure management networks, however if you follow my post “How to Secure SSH on CPanel and restrict to specific hosts” you can probably use the step 2 bit to change the listening port if you really wanted to […]
