The Community Forums


Blocking IPs, htaccess works, Host Access Control Don't -- WTF?

Discussion in 'General Discussion' started by mino, Feb 23, 2008.

  1. mino

    mino Member

    Joined:
    Jul 23, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Can't seem to get WHM 11 Host Access Control to block IPs. Went to a domain on the box using http://www.surf-anon.com, saw the IP in logs, blocked the IP in Host Access Control using rule:

    Daemon Access List ACTION
    ALL 208.76.240.226 deny

    surfed the site again, no block, cleared cache/refreshed, no block.

    HUH?

    Went to IP Deny Manager, added the IP, it blocked fine.

    Anyone know why Host Access Control ain't blockin? Isn't Host Access Control supposed to block all traffic to the box on any domain?

    WHM 11.15.0 cPanel 11.18.1-R20683
    FREEBSD 6.2-RELEASE i386 on standard - WHM X v3.1.0
     
  2. mino

    mino Member

    Hmmm. Looks like everyone else is just as stumped as I am.
     
  3. moricio

    moricio Member

    Joined:
    Apr 30, 2004
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Colombia
    It DOESN'T WORK.

    Yes. This feature DOESN'T WORK at all. You can put as many rules as you like and the box will not obey.

    Does ANYONE know how to make it work?

    Thanks.

    M.
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    This functionality is only intended for daemons that handle logins to the cPanel/WHM system, not to replace the IP Deny Manager functionality available in the cPanel interface.
     
  5. PeteC

    PeteC Well-Known Member

    Joined:
    May 8, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    It seems to work well for sshd but not at all for ftp. Is that intended?
     
  6. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    If you just want to block a few IPs from doing anything and everything on your box, you can use IPFW with a basic "ipfw add deny ip from xxx.xxx.xxx.xxx to any" and that would stop everything. Of course, you would have to have ipfw/dummynet in the kernel, and if you want to keep these rules you would have to add them to one of your startup scripts so you don't lose them on reboots.
     
  7. PeteC

    PeteC Well-Known Member

    Thanks. I have a firewall (CSF) running on this server which is used to block specific IPs, but the client wants to restrict FTP connections to certain IPs, and it seems like Host Access Control is the friendliest way for him to enter and update his IP list (it's a dedicated box and he has root access). For now I've suggested we close the FTP port 21 (assuming this doesn't create any unwanted side-effects) and then he can enter his rules for SSHD and use only SFTP.
     
  8. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    This functionality relies upon the daemon being built with support for TCP Wrapper. If the daemon doesn't support that (such as pure-ftpd) then the Host Access Control simply will have no effect.
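
The check implied by the reply above, as an added example that is not part of the original post and not cPanel code: test whether a daemon binary is dynamically linked against libwrap, the TCP Wrapper library. The sample `ldd` output is constructed, and the binary paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not cPanel code): check whether a daemon binary is
# dynamically linked against libwrap, the TCP Wrapper library that
# reads hosts.allow / hosts.deny.

# Return 0 if the ldd output on stdin lists libwrap, 1 otherwise.
ldd_has_libwrap() {
    grep -Eq '(^|[[:space:]/])libwrap\.so'
}

# Print "<path>: wrapped", "<path>: not-wrapped" or "<path>: missing".
# "not-wrapped" only rules out dynamic linking against libwrap; a service
# started through tcpd from inetd has to be checked in its inetd entry.
check_daemon() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: missing"
        return 2
    fi
    if ldd "$bin" 2>/dev/null | ldd_has_libwrap; then
        echo "$bin: wrapped"
        return 0
    fi
    echo "$bin: not-wrapped"
    return 1
}

# Constructed sample ldd output (addresses are made up).
SAMPLE_WRAPPED='    libwrap.so.0 => /lib64/libwrap.so.0 (0x00002b0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b0000200000)'
SAMPLE_PLAIN='    libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b0000200000)'

# Classify one of the samples without touching the local system.
classify_sample() {
    if printf '%s\n' "$1" | ldd_has_libwrap; then echo wrapped; else echo not-wrapped; fi
}

# Usage: sh check_wrap.sh /usr/sbin/sshd /usr/sbin/pure-ftpd ...
# (binary paths are assumptions; they differ between systems)
for b in "$@"; do
    check_daemon "$b" || true
done
```

A daemon reported as not-wrapped will ignore Host Access Control rules, so access to it has to be restricted in the firewall or in the daemon's own configuration.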
     
  9. PeteC

    PeteC Well-Known Member

    Thanks for the explanation; that clears things up. It's hard to find documentation on new features, so I really appreciate it. Since it's basically non-functional for ftp, it would probably be a good idea to remove "ftp (Ftp Server)" from the dropdown list in "Host Access Control" or expand the on-screen instructions there to explain what does and doesn't work.

    It's a nice, friendly feature, so it's too bad my client can't use it. He wants to restrict access to most services to his office IPs.
     
  10. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    ProFTPd supports TCP Wrapper. Likewise other FTP daemons, if you have Pure or Pro disabled.
     
  11. PeteC

    PeteC Well-Known Member

    Interesting. I haven't used ProFTPd in several years, but I'll put that to the customer as an option. Thanks again.
     
  12. quattr0

    quattr0 Registered

    Joined:
    Mar 1, 2008
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    After the last update, SSHD was updated with a version that does not support Wrapper... no Host Access Control is available at the moment. I'm using

    WHM 11.23.2 cPanel 11.23.4-S26138
    CENTOS Enterprise 5.2 x86_64 on standard - WHM X v3.1.0

    even root ssh access is unable to be restricted from sshd_config...
     
  13. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    What you describe indicates a problem with the OpenSSH rpm from your Operating System vendor. You can attempt to re-install this rpm to resolve the issue, or open a support request at https://tickets.cpanel.net/submit/
     