Blog Winston AI @CustomerPanel
UnderHost
Knowledgebase Docs
/
Tools
WHM Security Advanced

Locate and block abusive IP addresses in WHM

Find high-traffic IP addresses using WHM and safe command-line checks, then block abusive sources with CSF when the firewall is available.

UnderHost NOC Network Operations
8 min read Updated June 2026
On this page

When a site is receiving unusual traffic, WHM can help you identify active connections and block abusive sources through CSF if that firewall plugin is installed and available to your WHM user.

Blocking affects real visitors. Confirm the IP is actually abusive before denying it. Some IPs may belong to search engines, monitoring services, payment gateways, or a proxy/CDN.

Scope and access

This guide is for VPS, dedicated, or managed cPanel/WHM environments where you have permission to view server status and manage firewall rules. Shared hosting, managed white-label agency hosting, and limited WHM roles usually do not provide root-level firewall access.

Find busy IP addresses in WHM

  1. Log in to WHM with an account that has server status access.
  2. Search for Apache Status or go to Server Status -> Apache Status.
  3. Review active requests and source IP addresses.
  4. Look for repeated requests to the same path, unusually high connection counts, or traffic that matches an abuse report.

Apache Status is a snapshot. Refresh it during the incident and compare against access logs before making a permanent block.

Find busy IP addresses with SSH

The following read-only command summarizes established remote connections by IP address:

netstat -ntu | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If your server uses ss instead of netstat, this read-only alternative is commonly available:

ss -Htn state established | awk '{print $4}' | sed 's/.*://g' | sort | uniq -c | sort -n

These commands list connection counts. They do not prove abuse by themselves. Compare the IPs with web logs, firewall logs, and the affected domain.

Block an IP address with CSF

CSF controls are available only when CSF is installed and your WHM user has permission to use it. In practice, this normally means root/admin WHM access or a specifically delegated WHM role. Managed WHM users without CSF access should ask UnderHost support to review or apply firewall changes.

If CSF is available in WHM:

  1. Go to Plugins -> ConfigServer Security & Firewall.
  2. Find csf - Quick Deny.
  3. Enter the IP address and a short reason.
  4. Click Quick Deny.

From SSH, CSF can deny an IP with a documented reason:

csf -d 203.0.113.50 "Abusive web requests - reviewed 2026-06-06"
csf -r
Command warning: csf -d changes firewall rules. Replace the example IP with the exact IP you intend to block and keep a reason for later review.

Review before and after blocking

  • Do not block your own office IP, UnderHost support IPs, monitoring checks, payment callbacks, or CDN proxy ranges.
  • If traffic comes through Cloudflare or another proxy, block at the proxy layer when possible.
  • For large attacks, use rate limiting, CDN rules, or DDoS mitigation rather than manually denying many IPs.
  • Keep temporary blocks documented and remove them when they are no longer needed.

Related: Server firewall rules | DDoS protection

Was this article helpful?

Need WHM/cPanel for a server?

Run WHM/cPanel on an UnderHost VPS or dedicated server, or choose managed help for installation and configuration.

View cPanel Options CustomerPanel

Related articles

Back to WHM