I’m happy to announce my first ever Perl-written plugin for WebHost Manager, which was developed by myself and one of my fellow sysadmins at InMotion Hosting. The first release is available here:
To explain a little bit of background here, many hosting companies that give some sort of **** about security will leave SSH port 22 closed except for specified IPs. We are one of them, and handling requests from customers to add their IPs to their firewalls is rather redundant when we host over 900 V-dedicated systems and 100 Dedicated boxes where customers can opt for SSH access. Therefore, I decided that it would be well worth our efforts to create a WHM plugin to allow customers to add their own IPs without ever having to contact us. I am aware that some plugin developer already has a more sophisticated APF plugin for WHM, but you have to pay for it.
– cPanel/WHM (tested on version 11.18)
– APF 0.9 (tested on 0.9.6)
– iptables enabled and working (if you are able to restart APF without any errors, it’s probably fine)
Note: default privileges will allow anyone with WHM/reseller access to use this plugin. You can manually change this in the addon_add2apf.cgi file if you want.
tar -xvzf apfadd_whm_1.05.tar.gz
rm -f apfadd_whm_1.05.tar.gz
From there, load up WHM and on the left side you’ll see an option to “Add IP to Firewall” and the plugin page will give you examples of what you can add. The script is set up to allow:
Hostname – v-nessa.net
Single IP – 188.8.131.52
IP CIDR – 184.108.40.206/24
Port/IP – d=22:s=220.127.116.11
Port/CIDR – d=22:s=18.104.22.168/24
Of course, the error checking is not perfect, so just be aware of what you’re adding or you might unintentionally ‘break’ your firewall, which usually results in blocked traffic.
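As an added example (not the plugin's code, and written in Python rather than the plugin's Perl), here is one way to check an entry strictly against the five formats listed above before it is handed to the firewall. The function names, the `MIN_PREFIX` policy and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed policy, not from the plugin: refuse networks wider than /8 so a
# typo such as "/0" cannot open a port to the whole Internet.
MIN_PREFIX = 8
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")
_PORT_RULE = re.compile(r"d=(\d{1,5}):s=(\S+)")


def _normalize_address(text):
    """Return a canonical IPv4 address or CIDR string, or raise ValueError."""
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)  # clears host bits
        if net.prefixlen < MIN_PREFIX:
            raise ValueError(f"network too broad: /{net.prefixlen}")
        return str(net)
    return str(ipaddress.IPv4Address(text))


def validate_entry(entry):
    """Validate one allow-list entry and return it in normalized form."""
    # Any whitespace or control character could smuggle in a second rule line.
    if not entry or re.search(r"[\s\x00-\x1f]", entry):
        raise ValueError("empty entry or embedded whitespace")
    port_rule = _PORT_RULE.fullmatch(entry)
    if port_rule:
        port = int(port_rule.group(1))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return f"d={port}:s={_normalize_address(port_rule.group(2))}"
    # Entries made only of digits, dots and "/" must parse as an address,
    # so "10.0.0.256" is rejected instead of passing as a hostname.
    if re.fullmatch(r"[0-9./]+", entry):
        return _normalize_address(entry)
    if len(entry) <= 253 and _HOSTNAME.fullmatch(entry):
        return entry.lower()
    raise ValueError(f"unrecognized entry: {entry!r}")


if __name__ == "__main__":
    # Constructed samples (documentation address ranges), not real hosts.
    for sample in ["203.0.113.77/24", "d=22:s=198.51.100.7", "d=22:s=0.0.0.0/0"]:
        try:
            print(sample, "->", validate_entry(sample))
        except ValueError as err:
            print(sample, "rejected:", err)
```

Rejecting anything that matches none of the five formats, rather than trying to repair it, keeps a malformed line from ever reaching the firewall rules.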
Eventually I’m sure I’ll end up adding the ability to manage ports and remove IPs for users with a certain access level, but currently I don’t see a need to do so because I don’t believe that non-root users should have that type of access. Note that per the readme, you can edit the addon file to limit access to users with a certain reseller ACL privilege.