Restrict Admin Login by IP Address

For additional security, we’re testing adding a specific static IP for admin login.

I tried changing the Hestia login from 0.0.0.0/0 to 123.123.123.123 but I was still able to get to the admin page and log in with a different IP. I then reverted the IP back to the original setting and added a second firewall rule with the additional IP - same result. Both times I did restart fail2ban and iptables.

Wondering what I’m doing wrong and is there a way to restrict the :8083/login page and login permissions to a specific IP address?

You can restrict access to Hestia from a specific IP (via firewall or Nginx configuration), but you can’t restrict access to the admin user only without modifying Hestia’s PHP code.

I suppose you are changing the allowed IPs to access Hestia’s API, not the login page.

Hi @sahsanu

Our goal is to restrict the entire admin panel to only permit 1 or 2 IPs to access the admin login page and panel. We’re not modifying API access.

Even with a strong password and 2FA, we figure restricting the panel to a single user IP would cut down on noise and login attempts.

Then just modify the default firewall rule accepting connections to port 8083 from all sources and limit it to the IP you need.


So if I understand this, to allow only 1 IP address to access the admin panel, replace the 0.0.0.0/0 rule with the IP I want to allow access to the admin panel? If so, I tried that and was still able to access the panel with a different IP.

Yes.

Show the output of these commands:

v-list-firewall
iptables -S

RULE  ACTION  PROTO  PORT    IP                SPND  DATE
----  ------  -----  ----    --                ----  ----
1     ACCEPT  ICMP   0       0.0.0.0/0         no    2014-09-16
2     ACCEPT  TCP    8083    0.0.0.0/0         no    2014-05-25
9     ACCEPT  TCP    80,443  0.0.0.0/0         no    2014-09-24
10    ACCEPT  TCP    22      0.0.0.0/0         no    2014-09-16
11    DROP    TCP    0       ipset:Blacklist2  no    2025-07-20
13    DROP    TCP    0       ipset:ipdb7day    no    2025-11-19
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-HESTIA
-N fail2ban-RECIDIVE
-N fail2ban-SSH
-N fail2ban-WEB
-N hestia
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-WEB
-A INPUT -p tcp -m tcp --dport 8083 -j fail2ban-HESTIA
-A INPUT -p tcp -m multiport --dports 1:65535 -j fail2ban-RECIDIVE
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 123.123.123.123/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m set --match-set ipdb7day src -j DROP
-A INPUT -p tcp -m set --match-set Blacklist2 src -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A fail2ban-HESTIA -j RETURN
-A fail2ban-RECIDIVE -s 142.93.230.77/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 159.223.0.49/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-RECIDIVE -s 174.138.14.223/32 -j REJECT --reject-with icmp-port-unreachable
(truncated)
-A fail2ban-RECIDIVE -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-WEB -j RETURN

I had switched the IP back to the original value to ensure I could still access the panel.

I need to view the outputs with the change you did :wink:

Got it. Back on the local staging server with the changes:

RULE  ACTION  PROTO  PORT    IP             SPND  DATE
----  ------  -----  ----    --             ----  ----
1     ACCEPT  ICMP   0       0.0.0.0/0      no    2014-09-16
2     ACCEPT  TCP    8083    192.168.1.101  no    2025-12-12
9     ACCEPT  TCP    80,443  0.0.0.0/0      no    2014-09-24
10    ACCEPT  TCP    22      0.0.0.0/0      no    2014-09-16
11    ACCEPT  UDP    443     0.0.0.0/0      no    2025-07-26
-A INPUT -s 192.168.1.101/32 -p tcp -m tcp --dport 8083 -j ACCEPT

Works perfectly. This time I deleted the original firewall rule and replaced it with the IP I needed. Also added a 2nd rule with a backup IP.

@sahsanu as always, thank you for your help and taking the time to work with me. You are an asset to this world of HestiaCP.

Have a great weekend.

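An added example, not part of any post in this thread: a check that can be run over saved `iptables -S` output to confirm that no INPUT ACCEPT rule still admits port 8083 from outside the intended addresses, which is what the first listing shows (the broad `--dport 8083 -j ACCEPT` rule is still present alongside the per-IP rule). The function names, sample rulesets and allowlist are constructed for illustration; rules with ipset or state matches are skipped, and jumps to other chains are not followed.

```python
import ipaddress
import shlex

def port_matches(spec, port):
    """True if an iptables port spec ('8083', '80,443', '1:65535') covers port."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def unrestricted_accepts(rules_text, port, allowed):
    """List INPUT ACCEPT rules that admit TCP `port` from outside `allowed`."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if tok[:2] != ["-A", "INPUT"] or opts.get("-j") != "ACCEPT":
            continue
        # Conditional matches (ipset, connection state) are skipped, not evaluated.
        if {"--match-set", "--state", "--ctstate"} & set(tok):
            continue
        if opts.get("-p", "all") not in ("tcp", "all"):
            continue
        spec = opts.get("--dport") or opts.get("--dports")
        if spec and not port_matches(spec, port):
            continue
        # No -s (or a negated match) is treated as "any source".
        src = "0.0.0.0/0" if "!" in tok or "-s" not in opts else opts["-s"]
        if not any(ipaddress.ip_network(src).subnet_of(n) for n in allowed_nets):
            findings.append(line.strip())
    return findings

# Constructed sample, shortened from the first listing in the thread.
BEFORE = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 123.123.123.123/32 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
"""
AFTER = BEFORE.replace(
    "-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT",
    "-A INPUT -s 192.168.1.101/32 -p tcp -m tcp --dport 8083 -j ACCEPT")
ALLOWED = ["123.123.123.123", "192.168.1.101"]  # constructed allowlist

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, unrestricted_accepts(rules, 8083, ALLOWED))
```

An empty list means every ACCEPT path to the port is tied to an allowlisted source; any line returned is a rule that still needs to be deleted or narrowed.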