Allow WHM/cPanel ssh logins from specific IP addresses using iptables

For some reason the hosts.allow and hosts.deny files don’t seem to work on cPanel.  One of the alternative methods to limit ssh logins to specific addresses is to use iptables.

Allow access from specific IP addresses. 

Replace and with your addresses.  You can add more addresses using the “,”.  Also if your ssh port is not the default port, be sure to change it.

iptables -A INPUT -s, -p tcp --dport 22 -j ACCEPT

Reject access from everywhere else

iptables -A INPUT -s -p tcp --dport 22 -j REJECT

You can see your rules with

 iptables -L --line-numbers

If you need to add another rule after the fact, you’ll need to make sure that it is above the REJECT rule. you can use the “-I” to insert it between rules.

Example: inserts rule as the second rule in the INPUT chain

iptables -I INPUT 2 -s -p tcp --dport 22 -j ACCEPT

Add, List, and Delete iptable rules

Add iptable rule

The following rule rejects access to port 22 on all devices except ones on the network.  Note the “!”.  This command can be useful for a WHM/cPanel server to limit ssh access.

iptables -A INPUT ! -s -p tcp --dport 22 -j REJECT

List iptable rules with line numbers

iptables -L --line-numbers

Example output

root@localhost [~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- ! anywhere tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mailman
2 cpanel-dovecot-solr all -- anywhere anywhere

Chain cpanel-dovecot-solr (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match cpanelsolr

Remove iptable rule

To delete a rule use the -D option with the Chain and the line number.  So to delete the first rule in the example output above, we would specify the INPUT chain and the the line number 1

 iptables -D INPUT 1


Moving emails to new host with imapsync

More info about imapsync here

Install imapsync

CentOS 7, Works on cPanel servers too

yum install epel-release && yum install imapsync

Once installed check and make sure it works.

imapsync --version

If it gives you the version number you should be good to go.

Move email account

imapsync --host1 --user1 --password1  "password1" --host2 --user2 --password2  "password2"

Example :

imapsync --host1 --user1 --password1  "password1" --host2 --user2 --password2  "password2"

Moving Multiple accounts

Best way to move multiple accounts is to use a script and and a list that contains all the usernames and passwords to the accounts you want to move.

example scripts can be found on the imapsync website here is a script example and here is the example file.txt

Example script.

# $Id:,v 1.6 2015/11/04 18:23:04 gilles Exp gilles $

# Example for imapsync massive migration on Unix systems.
# See also
# Data is supposed to be in file.txt in the following format:
# host001_1;user001_1;password001_1;host001_2;user001_2;password001_2;
# ...
# Separator is character semi-colon ";" it can be changed by any character changing IFS=';' 
# in the while loop below.
# # Each line contains 6 columns, columns are parameter values for 
# --host1 --user1 --password1 --host2 --user2 --password2
# and a trailing empty fake column to avaid CR LF part going 
# in the 6th parameter password2. Don't forget the last semicolon.
# You can add extra options after the variable "$@" 
# Use character backslash \ at the end of each suplementary line, except for the last one.
# You can also pass extra options via the parameters of this script since
# they will be in "$@"

# The credentials filename "file.txt" used for the loop can be renamed 
# by changing "file.txt" below.

echo Looping on account credentials found in file.txt

{ while IFS=';' read  h1 u1 p1 h2 u2 p2 fake
        { echo "$h1" | egrep "^#" ; } > /dev/null && continue # this skip commented lines in file.txt
        echo "==== Starting imapsync from host1 $h1 user1 $u1 to host2 $h2 user2 $u2 ===="
        imapsync --host1 "$h1" --user1 "$u1" --password1 "$p1" \
                 --host2 "$h2" --user2 "$u2" --password2 "$p2" \
        echo "==== Ended imapsync from host1 $h1 user1 $u1 to host2 $h2 user2 $u2 ===="
} < file.txt

Example list of accounts to;;password1;;;password2;


How to use,

You can run these command from a Linux computer

Download script


Make the script executable

chmod +x

Create a text file named “imapsync_list.txt”

This file will contain the mail server to transfer from, username, and password, and then the mail server to transfer to, username and password.  Add one line per account.


Execute the script to start moving mail



In the username you may need to use the username@domainname.tld, so if the username is bob, and the mail domain is, use for the username in the imapsync_list.txt.

cPanel Logs

How to view the logs

There are multiple ways to view log files, here are some common ways.

tail the log, shows the 10 most recent log entries.

tail /var/log/messages

tail the log and keep monitoring it for new entries.

tail -f /var/log/messages

Find specific info in log file

cat /var/log/messages | grep texttosearch


cPanel Log Paths

Main log


Access logs


Access logs for a specific domain


Account Transfers/ Miscilanius logs


Auditing Log (Account creation and deletions)


Backup Logs




DNSAdmin, DNS Clustering


Task Queue Processing Daemon




Easy Apache Build logs


Error logs


License log


local database modifications


Login errors CPSRVD


Bandwidth History


Service Status Logs


Tailwatch log


Update Analysis Reporting


Update log UPCP



cPanel Email Logs


Horde log




Squirrel Mail


Panic log


Delivery and receipt log


Incoming mail queue


Log of messages rejected based on ACLS or other policies


Unexpected/Fatal error log


IMAP, POP login attempts, transactions, fatal errors and spam scoring

/var/log/maillog /var/log/messages





MySQL error log


MySQL slow query log (if enabled in my.cnf)



How To “Unblock” an IP from cPHulk from the Command Line

cPHulk uses a MySQL database to keep track of different IP’s to block, white list, black list, etc.

When there have been X amount of failed login attempts from an IP, cPHulk adds an entry for the IP in the brutes table.

To “unblock” the IP we need to delete the entry.

open up the cPHulk MySQL database.

root@localhost [~]# mysql cphulkd

If your interested you can view all tables that cPHulk uses.

show tables;

Take a look at all the IP’s in the brutes table.



mysql> SELECT IP FROM brutes;
| IP            |
| |     <--  IP we want to unblock
| |
2 rows in set (0.00 sec)


To unblock the IP we just need to delete the row that has the IP address we want.

mysql> DELETE FROM brutes WHERE IP="";

It should return the following.

mysql> DELETE FROM brutes WHERE IP="";
Query OK, 1 row affected (0.00 sec)


Exit MySQL.

mysql> exit
root@localhost [~]#