
Thread: Blocking Ip's, htaccess works, Host Access Control Don't-- WTF?

  1. #1
    Member
    Join Date
    Jul 2005
    Posts
    5

    Blocking Ip's, htaccess works, Host Access Control Don't-- WTF?

    Can't seem to get WHM 11 Host Access Control to block ip's. Went to a domain on the box using http://www.surf-anon.com , saw the ip in logs, blocked the IP in Host Access Control using rule:

    Daemon Access List ACTION
    ALL 208.76.240.226 deny

    surfed the site again, no block, cleared cache/refreshed, no block.

    HUH?

    Went to IP Deny Manager , added the IP , it blocked fine.

    Anyone know why Host Access Control ain't blockin? Isn't Host Access Control supposed to block all traffic to the box on any domain?

    WHM 11.15.0 cPanel 11.18.1-R20683
    FREEBSD 6.2-RELEASE i386 on standard - WHM X v3.1.0

  2. #2
    Member
    Join Date
    Jul 2005
    Posts
    5

    Hmmm. Looks like everyone else is just as stumped as I am..

  3. #3
    Member
    Join Date
    Apr 2004
    Location
    Colombia
    Posts
    24

    It DOESN'T WORK.

    Yes. This feature DOESN'T WORK at all. You can put as many rules as you like and the box will not obey.

    Does ANYONE know how to make it work?

    Thanks.

    M.

  4. #4
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,307
    cPanel/WHM Access Level

    Root Administrator

    Quote: Originally posted by moricio
    Yes. This feature DOESN'T WORK at all. You can put as many rules as you like and the box will not obey.

    Does ANYONE know how to make it work?

    Thanks.

    M.
    This functionality is only intended for daemons that handle logins to the cPanel/WHM system, not to replace the IP Deny Manager functionality available in the cPanel interface.

  5. #5
    Member
    Join Date
    May 2003
    Location
    Texas
    Posts
    106

    Quote: Originally posted by cPanelDavidG
    This functionality is only intended for daemons that handle logins to the cPanel/WHM system, not to replace the IP Deny Manager functionality available in the cPanel interface.
    It seems to work well for sshd but not at all for ftp. Is that intended?

  6. #6
    Member nyjimbo's Avatar
    Join Date
    Jan 2003
    Location
    New York
    Posts
    1,113

    If you just want to block a few IP's from doing anything and everything on your box you can use IPFW with a basic "ipfw add deny ip from xxx.xxx.xxx.xxx to any" and that would stop everything. Of course you would have to have ipfw/dummynet in the kernel and if you want to keep these rules you would have to add them to one of your startup scripts so you don't lose them on reboots.
    "A dog has raised it’s hind leg on the age of nevermore !"
    -- Rolf

  7. #7
    Member
    Join Date
    May 2003
    Location
    Texas
    Posts
    106

    Quote: Originally posted by nyjimbo
    If you just want to block a few IP's from doing anything and everything on your box you can use IPFW with a basic "ipfw add deny ip from xxx.xxx.xxx.xxx to any" and that would stop everything. Of course you would have to have ipfw/dummynet in the kernel and if you want to keep these rules you would have to add them to one of your startup scripts so you don't lose them on reboots.
    Thanks. I have a firewall (CSF) running on this server which is used to block specific IP's, but the client wants to restrict FTP connections to certain IP's, and it seems like Host Access Control is the friendliest way for him to enter and update his IP list (it's a dedicated box and he has root access). For now I've suggested we close the FTP port 21 (assuming this doesn't create any unwanted side-effects) and then he can enter his rules for SSHD and use only SFTP.

  8. #8
    cPanel Development cPanelKenneth's Avatar
    Join Date
    Apr 2006
    Posts
    4,131
    cPanel/WHM Access Level

    Root Administrator


    This functionality relies upon the daemon being built with support for TCP Wrapper. If the daemon doesn't support that (such as pure-ftpd) then the Host Access Control simply will have no effect.
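
One way to check the condition described in the post above, whether a daemon was built with TCP Wrapper support, is to look for libwrap in its shared libraries. This is an added example, not part of the original post or cPanel's own tooling; the function names, binary paths and sample `ldd` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether daemon binaries were built with TCP Wrapper
# (libwrap). Only such daemons consult hosts.allow/hosts.deny.
# Run ldd only on binaries you trust; it may invoke the dynamic loader.

# Constructed sample `ldd` output (not captured from a real server).
SAMPLE_WRAPPED='    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f1c2a000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c29c00000)'
SAMPLE_PLAIN='    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f1c2a400000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c29c00000)'

# Read ldd output on stdin; exit 0 if libwrap is among the libraries.
ldd_has_libwrap() {
    grep -q 'libwrap\.so'
}

# Print a verdict for one binary.
# Returns 0 = wrapper support found, 1 = none found, 2 = unreadable.
check_daemon() {
    bin=$1
    if [ ! -r "$bin" ]; then
        echo "$bin: not readable"
        return 2
    fi
    if ldd "$bin" 2>/dev/null | ldd_has_libwrap; then
        echo "$bin: links libwrap, Host Access Control rules apply"
        return 0
    fi
    # Heuristic for a statically linked libwrap: the rule file path
    # is compiled into the binary itself.
    if grep -q 'hosts\.allow' "$bin" 2>/dev/null; then
        echo "$bin: embeds hosts.allow path, probably static libwrap"
        return 0
    fi
    echo "$bin: no TCP Wrapper support found, rules are ignored"
    return 1
}

# Usage: sh check_wrap.sh /usr/sbin/sshd /usr/sbin/pure-ftpd
for d in "$@"; do
    check_daemon "$d" || true
done
```

A daemon started through inetd with tcpd in front of it is wrapped even when its own binary shows no libwrap, so check the inetd configuration as well before concluding that rules are ignored.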

  9. #9
    Member
    Join Date
    May 2003
    Location
    Texas
    Posts
    106

    Quote: Originally posted by cpanelkenneth
    This functionality relies upon the daemon being built with support for TCP Wrapper. If the daemon doesn't support that (such as pure-ftpd) then the Host Access Control simply will have no effect.
    Thanks for the explanation; that clears things up. It's hard to find documentation on new features, so I really appreciate it. Since it's basically non-functional for ftp, it would probably be a good idea to remove "ftp (Ftp Server)" from the dropdown list in "Host Access Control" or expand the on-screen instructions there to explain what does and doesn't work.

    It's a nice, friendly feature, so it's too bad my client can't use it. He wants to restrict access to most services to his office IP's.

  10. #10
    cPanel Development cPanelKenneth's Avatar
    Join Date
    Apr 2006
    Posts
    4,131
    cPanel/WHM Access Level

    Root Administrator

    Quote: Originally posted by PeteC
    Thanks for the explanation; that clears things up. It's hard to find documentation on new features, so I really appreciate it. Since it's basically non-functional for ftp, it would probably be a good idea to remove "ftp (Ftp Server)" from the dropdown list in "Host Access Control" or expand the on-screen instructions there to explain what does and doesn't work.

    It's a nice, friendly feature, so it's too bad my client can't use it. He wants to restrict access to most services to his office IP's.
    ProFTPd supports TCP Wrapper. Likewise other FTP daemons, if you have Pure or Pro disabled.

  11. #11
    Member
    Join Date
    May 2003
    Location
    Texas
    Posts
    106

    Quote: Originally posted by cpanelkenneth
    ProFTPd supports TCP Wrapper. Likewise other FTP daemons, if you have Pure or Pro disabled.
    Interesting. I haven't used ProFTPd in several years, but I'll put that to the customer as an option. Thanks again.

  12. #12
    Registered User
    Join Date
    Mar 2008
    Posts
    1

    After the last update, SSHD was updated to a version that does not support Wrapper... no Host Access Control is available at the moment. I'm using

    WHM 11.23.2 cPanel 11.23.4-S26138
    CENTOS Enterprise 5.2 x86_64 on standard - WHM X v3.1.0

    even root ssh access is unable to be restricted from sshd_config...

  13. #13
    cPanel Development cPanelKenneth's Avatar
    Join Date
    Apr 2006
    Posts
    4,131
    cPanel/WHM Access Level

    Root Administrator

    Quote: Originally posted by quattr0
    After the last update, SSHD was updated to a version that does not support Wrapper... no Host Access Control is available at the moment. I'm using

    WHM 11.23.2 cPanel 11.23.4-S26138
    CENTOS Enterprise 5.2 x86_64 on standard - WHM X v3.1.0

    even root ssh access is unable to be restricted from sshd_config...
    What you describe indicates a problem with the OpenSSH rpm from your Operating System vendor. You can attempt to re-install this rpm to resolve the issue, or open a support request at https://tickets.cpanel.net/submit/
