TetraHost Bangladesh

The Official Company Blog

Monthly Archives: February 2026

02 Feb

Securing Virtualizor Panel Access with Firewall and IP Restrictions

Virtualizor is a powerful virtualization control panel, but like any admin interface, it should never be publicly accessible. By default, Virtualizor uses ports 4084 and 4085, which are common targets for brute-force attacks if left open.

In this article, we’ll walk through how we secured our Virtualizor panel by restricting access to trusted IPs only, both at the firewall and application level.

Why Restrict Virtualizor Ports?

Leaving management ports open to the public internet can expose your infrastructure to:

  • Brute-force login attempts
  • API abuse
  • Unauthorized access attempts
  • Automated scans and exploits

The safest approach is layered security: firewall + application-level restrictions.

Step 1: Restrict Ports 4084 & 4085 Using iptables

We configured the server firewall to allow access only from our trusted IP and block everyone else.

# Allow trusted IP
iptables -A INPUT -p tcp -s YOUR.TRUSTED.IP.ADDRESS --dport 4084 -j ACCEPT
iptables -A INPUT -p tcp -s YOUR.TRUSTED.IP.ADDRESS --dport 4085 -j ACCEPT

# Block all other IPs
iptables -A INPUT -p tcp --dport 4084 -j DROP
iptables -A INPUT -p tcp --dport 4085 -j DROP

Important: Always ensure the ACCEPT rules come before the DROP rules to avoid locking yourself out.

You can verify the rule order using:

iptables -L INPUT -n --line-numbers

Step 2: Save Firewall Rules Permanently

On systemd-based servers, we saved the rules using:

iptables-save > /etc/sysconfig/iptables

This ensures the rules persist after reboot.

Step 3: Restrict Virtualizor Panel & API Access

Firewall protection alone is not enough. We also applied restrictions inside Virtualizor:

  • Panel Access Restriction
    Virtualizor >> Configuration >> Master Settings >> Security
    >> Allowed IP list to Access Panel
  • API Access Restriction
    Virtualizor >> Configuration >> Master Settings >> Security
    >> Allowed IP list to restrict API operations

This ensures that even if firewall rules change, access remains locked down.

Step 4: Enable Two-Factor Authentication (2FA)

Finally, we enabled Two-Factor Authentication from:

Virtualizor >> Configuration >> Two Factor Authentication

This adds an extra security layer even if credentials are compromised.

Final Thoughts

By combining:

  • Firewall-level IP restriction
  • Virtualizor panel & API IP whitelisting
  • Two-Factor Authentication

This should significantly reduce the attack surface of your Virtualizor environment.

Best practice: Admin panels should always be accessible only from trusted networks — never the open internet.