How to Block IP Addresses in cPanel: IP Blocker, CSF, and cPHulk Guide

by

Why IP Blocking Matters for Your cPanel Server

Every day, automated bots, brute-force attackers, and malicious scanners probe cPanel servers looking for vulnerabilities. Without proper IP blocking, your site wastes resources handling unwanted traffic and risks unauthorized access. cPanel provides built-in tools to block specific IP addresses or entire ranges at the server level — stopping threats before they ever reach your applications.

Whether you’re dealing with a single persistent attacker or a distributed botnet, cPanel’s IP Blocker and firewall integration give you granular control over who can connect to your server. This guide walks through the practical methods for blocking IPs in cPanel, from the easy point-and-click interface to command-line firewall rules for power users.

Using the cPanel IP Blocker Interface

The simplest way to block an IP address is through the IP Blocker tool in cPanel. This feature adds rules to your server’s firewall (typically CSF or iptables) behind the scenes, so you don’t need to touch the command line.

Accessing IP Blocker

  1. Log into your cPanel dashboard
  2. Navigate to the Security section
  3. Click IP Blocker
  4. You’ll see a list of currently blocked addresses and a form to add new ones

Adding an IP or Range

In the Add an IP or IP Range field, you can enter:

  • A single IP: 192.168.1.100
  • A CIDR range: 192.168.1.0/24 (blocks 192.168.1.0 through 192.168.1.255)
  • A wildcard range: 192.168.1.* (equivalent to the /24 range above)
  • A partial IP: 192.168. (blocks everything starting with 192.168)

After entering the address, click Add. The block takes effect immediately. You’ll see the new rule appear in the list below with a timestamp. To remove a block later, click the Delete link next to the IP entry.

Note: Be careful with broad ranges. Blocking a large ISP range like 10.0.0.0/8 could lock out legitimate visitors. Always verify the IPs you’re blocking belong to known attackers.

Blocking IPs Through cPanel’s ModSecurity Integration

cPanel also integrates with ModSecurity, a web application firewall that can block IPs based on attack patterns. When combined with the cPanel ModSecurity Rule Editor, you can create custom rules that block specific IPs from accessing your web applications while still allowing other services like email or FTP.

To create a ModSecurity IP block:

  1. Go to ModSecurity in the Security section of cPanel
  2. Select the domain you want to protect
  3. Click Add a Custom Rule
  4. Paste a rule like:
SecRule REMOTE_ADDR "^192\.168\.1\.100$" \
    "id:100001,phase:1,deny,status:403,msg:'Blocked malicious IP'"

This blocks the specified IP at the web application layer, returning a 403 Forbidden response. The advantage over the IP Blocker is that ModSecurity rules can be more specific — for example, blocking an IP only for certain URLs or during certain hours.

Using CSF (ConfigServer Security & Firewall) with cPanel

Most cPanel servers include CSF (ConfigServer Security & Firewall), a powerful firewall management system. CSF gives you more advanced IP blocking capabilities than the basic IP Blocker tool.

Blocking an IP in CSF

If you have root access or WHM reseller permissions, you can manage CSF directly:

  1. Log into WHM or SSH into your server
  2. Run: csf -d 192.168.1.100 — this denies (blocks) the IP
  3. To confirm the block: csf -g 192.168.1.100
  4. To remove: csf -dr 192.168.1.100

Temporary Blocks with CSF

CSF also supports time-limited blocks via its temporary deny feature:

csf -td 192.168.1.100 3600

The third argument is the duration in seconds. The example above blocks the IP for one hour (3600 seconds). After expiration, the IP is automatically removed from the deny list.

Managing CSF Through WHM

For users who prefer a GUI:

  1. Log into WHM
  2. Search for ConfigServer Security & Firewall
  3. Click Firewall Deny IPs under the Quick Actions section
  4. Paste IPs (one per line) and click Add

CSF uses /etc/csf/csf.deny as its persistent deny list. You can edit this file directly to add multiple IPs at once, which is useful when importing a blocklist of known bad actors.

Identifying Which IPs to Block

Knowing which IPs to block is half the battle. cPanel provides several tools to help identify problematic addresses:

Check Apache Access Logs

In cPanel’s Metrics section, open Awstats or Analog Stats to spot patterns. Look for:

  • Hundreds of requests from the same IP in minutes
  • Repeated 404 hits (scanners looking for vulnerable paths)
  • Failed login attempts from unfamiliar locations

Review the cPanel Login Failure Log

Go to Login Failure Log in the Security section. If you see the same IP address attempting to log into cPanel repeatedly, block it immediately. These are typically brute-force bots trying common passwords.

Monitor Email Authentication Failures

Check your email logs for repeated SMTP authentication failures from the same IP. Attackers often try to brute-force email accounts to send spam. The Mail Log tool in cPanel’s Email section can help identify these patterns.

Automated IP Blocking with cPHulk

cPanel includes cPHulk Brute Force Protection, which automatically blocks IPs after repeated failed login attempts. This is your first line of defense and should always be enabled.

Configuring cPHulk

  1. In WHM, search for cPHulk Brute Force Protection
  2. Enable it for both cPanel login and SSH login (if available)
  3. Set the failure threshold — 5 failed attempts within 15 minutes is a good starting point
  4. Set the block duration — 24 hours is reasonable for most servers
  5. Add your own IP to the whitelist so you never lock yourself out

cPHulk maintains its block list in /var/cpanel/cphulk/blockedips.txt. You can review or manually clear entries from this file if needed. The system automatically unblocks IPs after the configured duration expires.

Best Practices for IP Blocking in cPanel

Effective IP blocking goes beyond just adding addresses to a list. Follow these guidelines to keep your server secure without accidentally blocking legitimate traffic:

  • Always whitelist yourself first. Before blocking any IPs, add your own IP address to the CSF whitelist (/etc/csf/csf.allow) to avoid locking yourself out.
  • Use temporary blocks initially. Start with a 24-hour block rather than permanent. If the IP continues causing issues after the block expires, then make it permanent.
  • Block at the correct layer. Use cPHulk for login failures, the IP Blocker for server-wide access issues, and ModSecurity for application-layer blocks. Each tool is optimized for its purpose.
  • Maintain a blocklist log. Document why each IP was blocked and when. This helps with troubleshooting if a legitimate user gets blocked by mistake.
  • Review blocked IPs monthly. Attackers change IPs frequently. Regularly reviewing your blocklist removes stale entries and keeps your firewall rules efficient.
  • Combine with rate limiting. Use CSF’s connection tracking to limit how many connections a single IP can make per second, which mitigates DDoS attacks without hard-blocking the IP.

Key Takeaways

  • cPanel’s IP Blocker is the quickest way to deny specific IPs or ranges — accessible from the Security section of your dashboard
  • CSF provides more advanced control including temporary blocks, CIDR notation, and command-line management for power users
  • cPHulk automates IP blocking after repeated failed login attempts and should be enabled on every cPanel server
  • ModSecurity offers application-layer IP blocking that can be restricted to specific domains or URLs
  • Always whitelist your own IP before implementing blocks to prevent accidental lockouts
  • Regularly audit your blocklist and use temporary blocks when possible to adapt to changing attacker IP addresses