I would like to disable login to cyberpanel with IP address is that possible? That way I could create cloudflare bot fight and make firewall rule to block/challenge all traffic to panel what not originate from my country.
I have used cloudflare bot fight and firewall rules to protect my websites, it’s been super effective with all bad traffic. Would be nice I could use it for protect my server admin area too.
Change cyberpanel default port of 8090 to something else. If you are using cloudflare then make sure to use port numbers which are supported by cloudflare (you can find the supported port numbers in cloudflare knowledgebase). Also make sure to whitelist the changed port number in your firewall before changing the port number, other you will be locked out and wont be able to access cyberpanel
Add 2 factor authentication to your admin level accounts in cyberpanel
Without knowing your cyberpanel port number, none can really find out and have access to your cyberpanel login.
Cyberpanel is audited by Rack911 Labs for security and have been constantly updating as per their recommendation.
I have done all steps you mentioned.
Just would to beef up security one step more, by disabling login with IP and use cloudflare make it even more secure.
But I understand with custom port, its pretty difficult to attackers enter login area. But extra security never hurts.
I just set server running with aapanel they have security function for login page, they add end off address random text like 111.111.111.111:8888/g565hwre that kind would make cyberpanel too much more safe too. If developers see this please consider that in future updates.