Once you have got your server working, like most Windows users you want to be able to login to the root file system using your favourite FTP program so to that end there are a few hoops you have to jump through first.

Allow SSH Access

• Host Access Control
  • Home »Security Center »Host Access Control
    • At the end of the ALLOW rules add the following
      • Daemon: sshd
      • Access List: [your IP]
      • Action: allow
      • Comment: My SSHD Allow rule
    • Click save
• Firewall record
  
  • Add exception to the firewall (if the firewall is enabled and might not be needed because of the rule above but I have not verified)
    • Home »Plugins »ConfigServer Security & Firewal »csf - Quick Actions » Quick Allow
    • Add your public IP in the box and click. (If you click the cog it should fill in your public IP address)
    • How to add your IP Address to the Firewall (for SSH access) | InMotion Hosting Support Center

Remove SSH Access

• Host Access Control
  • Home »Security Center »Host Access Control
  • Delete the information in the relevant row and click save. This will remove the record.
• Firewall record
  • Home »Plugins »ConfigServer Security & Firewal »csf - ConfigServer Firewall » Firewall Allow IPs
  • Remove the line with your IP on it. It might be commented with 'Manually Added'
  • Click change
  • If prompted to reboot services then do so

Further Information

For reference this is the information I got from my support people while trying to fox this.

Your server is not IP restricted right now, with dynamic IP address we can not restrict server root access as every time your IP address changed you will need to contact us in order to allow new IP address.

Restricting server root access is completely different from server firewall, in order to restrict server root access we will need to add your static IP address for host access control, it can be done from WHM Home »Security Center »Host Access Control, here you will need to add entries like below,

sshd IP_from_which_you_want_to_access_server allow

Till the time you are using dynamic IP address [and root level restriction disabled], you can keep whitelisting IP address in firewall using option Home »Plugins »ConfigServer Security & Firewall

here you will just need to enter IP address just besides the button 'Quick allow'.

These might be the firewall rules added, but I don't know how they are entered.

• filter ALLOWIN 1 14 786 ACCEPT all -- !lo * xxx.xxx.xxx.xxx 0.0.0.0/0
• filter ALLOWOUT 1 10 635 ACCEPT all -- * !lo 0.0.0.0/0 xxx.xxx.xxx.xxx

Notes

• What port is my SSH on?
  • How to to know SSH port on the cPanel server? - Knowledgebase - 24x7servermanagement.com - Easy method
  • How to find out the current port being used by SSH on a WHM based server | Zyxware Technologies - This requires the 'ConfigServer Explorer' plugin
• How to Change the SSH Port with WHM
  • How to Change the SSH Port with WHM
  • change SSH port Via WHM | cPanel Forums
• How to enable SSH
  • How to enable ssh access for root in WHM
  • How to enable sFTP in your Linux VPS? - Knowledgebase - AccuWebHosting
  • SFTP - How to Enable sFTP on your VPS - Hostek.com Wiki
• How to configure SSH
  • How to Secure SSH - cPanel Knowledge Base - cPanel Documentation
• How to configure your SFTP client
  • How to Configure Your SFTP Client - cPanel Knowledge Base - cPanel Documentation