Secure Shell (SSH) allows administrators to securely connect to a server and execute commands remotely. Web Host Manager (WHM) is a popular server management interface for cPanel hosting that provides control over server settings, security, and user accounts.
Whitelisting an SSH IP address in WHM ensures that specific IPs are allowed to access the server via SSH to prevent unauthorized connections while maintaining secure remote access.
This article covers several methods to whitelist SSH IPs in WHM, including GUI tools and command-line options.
Prerequisites
- A server with WHM/cPanel installed.
- ConfigServer Security & Firewall (CSF) plugin.
- A user account with root access.
Whitelist SSH IP Address Using WHM
WHM provides a built-in interface to allow or restrict access to different services, including SSH, cPanel, and Webmail. This feature, called Host Access Control, lets you define which IP addresses can connect to specific services.
Important: As of August 31, 2025, ConfigServer Security and Firewall (Way to the Web Ltd.) officially ceased operations, ending all updates and support for CSF and related products. The firewall remains functional and is available under the GPLv3 license via community mirrors.
Whitelist SSH IP Through Host Access Control
Follow the steps below to whitelist an IP address for SSH access:
1. Open Host Access Control
Open your browser and log in to WHM. On the WHM homepage, expand the Security Center item in the left pane and click Host Access Control.
2. Add a new rule
In the Port field, enter the service name or port number.
- For SSH, enter
sshdor port22.
3. Specify the IP address or range
Enter the IP address you want to whitelist in the IP Address/CIDR field.
- To allow a single IP, use the full address (e.g.,
203.0.113.5). - To allow an entire subnet, use CIDR notation (e.g.,
192.168.0.0/24).
4. Select the protocol
Choose TCP from the Protocol menu.
5. Set the action
From the Action menu, select ACCEPT to allow connections from the specified IP or subnet.
6. Add the rule
Click Add Rule. The new entry appears in the Current Rules table and takes effect immediately.
Note: The IP Search function has been deprecated since WHM version 94. In current versions (v100 and later), WHM no longer provides an IP lookup or search option within Host Access Control. To whitelist or block an IP address, you must manually enter the IP address or CIDR subnet when adding a new rule.
Whitelist SSH IP Using Quick Allow (csf.allow)
The Quick Allow feature lets you whitelist an IP address so that it bypasses CSF firewall restrictions, including SSH access. This ensures the specified IP always has access to your server.
Follow the steps below:
1. Navigate to Plugins > ConfigServer Security & Firewall.
2. Select the csf option.
3. In the Quick Allow field, enter the IP address you want to whitelist. Optionally, add a comment for reference:
4. Click Quick Allow. The IP is added to /etc/csf/csf.allow, and firewall rules are reloaded automatically.
Whitelist SSH IP Using Quick Ignore (csf.ignore)
Quick Ignore prevents CSF's intrusion detection (LFD) from blocking an IP without granting full firewall bypass. Use this for trusted IPs that may trigger false positives (e.g., repeated failed login attempts).
Note: Login Failure Daemon (LFD) monitors repeated login failures and temporarily blocks offending IPs. Adding an IP to csf.ignore excludes it from LFD monitoring.
Follow the steps below to whitelist an SSH IP using the Quick Ignore option:
1. From the WHM home page, navigate to Plugins > ConfigServer Security & Firewall.
2. Select the csf option.
3. Find the Quick Ignore field. Enter the IP address you want to exclude from LFD monitoring:
4. Click Quick Ignore, and the IP is added to /etc/csf/csf.ignore. LFD will no longer block it.
Whitelist SSH IP Using csf via Command Line
CSF can be fully managed via the command line, allowing you to whitelist or ignore IP addresses quickly without using the WHM interface.
The steps below show how to allow, ignore, and search for an IP in current rules:
1. Allow an IP
Use the syntax below to allow an IP with csf using the command line:
sudo csf -a [IP_address] "[comment]"For example:
The command adds the IP to /etc/csf/csf.allow and grants full SSH access.
2. Ignore an IP
You can also use the command line to prevent LFD from blocking an IP. The syntax is:
sudo csf -i [IP_address] "[comment]"For example:
sudo csf -i 203.0.113.5 "Ignore LFD blocks"3. Reload CSF
Reload all firewall rules for the changes to take effect. Run the command below:
sudo csf -r4. Search for an IP in the current rules
Use the syntax below to see if an IP has been added to the current rules, and its status:
sudo csf -g [IP_address]For example:
The command shows whether the IP is allowed, ignored, or blocked.
Conclusion
This article showed how to whitelist SSH IP addresses on a WHM server using CSF. Use the Quick Allow, Quick Ignore, and command-line CSF commands to manage IP access securely and efficiently.
Next, see how to resolve the "Connection reset by peer" error in SSH connections, or see how to choose the right software for your server setup.
