Blocking IPs, htaccess works, Host Access Control Don't -- WTF?

mino

Can't seem to get WHM 11 Host Access Control to block IPs. Went to a domain on the box using http://www.surf-anon.com, saw the IP in logs, blocked the IP in Host Access Control using rule:

Daemon Access List ACTION
ALL 208.76.240.226 deny

Surfed the site again, no block, cleared cache/refreshed, no block.

HUH?

Went to IP Deny Manager, added the IP, it blocked fine.

Anyone know why Host Access Control ain't blockin? Isn't Host Access Control supposed to block all traffic to the box on any domain?

WHM 11.15.0 cPanel 11.18.1-R20683
FREEBSD 6.2-RELEASE i386 on standard - WHM X v3.1.0
 

moricio

It DOESN'T WORK.

Yes. This feature DOESN'T WORK at all. You can put as many rules as you like and the box will not obey.

Does ANYONE know how to make it work?

Thanks.

M.
 

cPanelDavidG

Technical Product Specialist
> Yes. This feature DOESN'T WORK at all. You can put as many rules as you like and the box will not obey.
>
> Does ANYONE know how to make it work?
>
> Thanks.
>
> M.

This functionality is only intended for daemons that handle logins to the cPanel/WHM system, not to replace the IP Deny Manager functionality available in the cPanel interface.
 

PeteC

> This functionality is only intended for daemons that handle logins to the cPanel/WHM system, not to replace the IP Deny Manager functionality available in the cPanel interface.

It seems to work well for sshd but not at all for ftp. Is that intended?
 

nyjimbo

If you just want to block a few IP's from doing anything and everything on your box you can use IPFW with a basic "ipfw add deny ip from xxx.xxx.xxx.xxx to any" and that would stop everything. Of course you would have to have ipfw/dummynet in the kernel and if you want to keep these rules you would have to add them to one of your startup scripts so you don't lose them on reboots.
 

PeteC

> If you just want to block a few IP's from doing anything and everything on your box you can use IPFW with a basic "ipfw add deny ip from xxx.xxx.xxx.xxx to any" and that would stop everything. Of course you would have to have ipfw/dummynet in the kernel and if you want to keep these rules you would have to add them to one of your startup scripts so you don't lose them on reboots.

Thanks. I have a firewall (CSF) running on this server which is used to block specific IP's, but the client wants to restrict FTP connections to certain IP's, and it seems like Host Access Control is the friendliest way for him to enter and update his IP list (it's a dedicated box and he has root access). For now I've suggested we close the FTP port 21 (assuming this doesn't create any unwanted side-effects) and then he can enter his rules for SSHD and use only SFTP.
 

cPanelKenneth

cPanel Development
Staff member
This functionality relies upon the daemon being built with support for TCP Wrapper. If the daemon doesn't support that (such as pure-ftpd) then the Host Access Control simply will have no effect.
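
Added example, not part of the thread and not cPanel's code: a shell check for the condition described in the post above, listing hosts.allow-style rules that name a daemon whose binary is not linked against libwrap. The `daemon : client : action` rule syntax, the binary paths and the `fake_ldd` stand-in are assumptions used for the constructed demo.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP Wrapper rules that cannot take
# effect because the daemon they name is not linked against libwrap.
# Assumed: rules use hosts.allow syntax "daemon : client : action" with a single
# daemon per rule; binary paths below are hypothetical.

LDD=${LDD:-ldd}   # overridable so the demo needs no real daemon binaries

# Exit 0 if the binary is dynamically linked against libwrap.
# A statically linked libwrap would not be detected this way.
wrapper_aware() {
    $LDD "$1" 2>/dev/null | grep -q 'libwrap\.so'
}

# Usage: dead_rules RULES_FILE name=/path/to/binary ...
# Prints every rule whose daemon field is a listed daemon without libwrap.
dead_rules() {
    rules=$1; shift
    for pair in "$@"; do
        name=${pair%%=*}
        bin=${pair#*=}
        wrapper_aware "$bin" && continue
        awk -F: -v d="$name" '
            /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
            { f = $1; gsub(/[ \t]/, "", f); if (f == d) print }
        ' "$rules"
    done
}

# Constructed stand-in for ldd: only sshd reports libwrap.
fake_ldd() {
    case $1 in
        */sshd) printf '\tlibwrap.so.0 => /lib64/libwrap.so.0\n' ;;
        *)      printf '\tlibc.so.6 => /lib64/libc.so.6\n' ;;
    esac
}

# Constructed rules (documentation address 192.0.2.10), checked with fake_ldd.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'sshd : 192.0.2.10 : allow' \
        'pure-ftpd : 192.0.2.10 : allow' 'pure-ftpd : ALL : deny' > "$tmp"
    LDD=fake_ldd
    dead_rules "$tmp" sshd=/usr/sbin/sshd pure-ftpd=/usr/sbin/pure-ftpd
    rm -f "$tmp"
}

demo
```

To run it against a real system, drop the `demo` call and pass `/etc/hosts.allow` plus the actual daemon paths to `dead_rules`. Rules for `ALL` are not reported, since they still apply to whichever daemons are wrapper-aware.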
 

PeteC

> This functionality relies upon the daemon being built with support for TCP Wrapper. If the daemon doesn't support that (such as pure-ftpd) then the Host Access Control simply will have no effect.

Thanks for the explanation; that clears things up. It's hard to find documentation on new features, so I really appreciate it. Since it's basically non-functional for ftp, it would probably be a good idea to remove "ftp (Ftp Server)" from the dropdown list in "Host Access Control" or expand the on-screen instructions there to explain what does and doesn't work.

It's a nice, friendly feature, so it's too bad my client can't use it. He wants to restrict access to most services to his office IP's.
 

cPanelKenneth

cPanel Development
Staff member
> Thanks for the explanation; that clears things up. It's hard to find documentation on new features, so I really appreciate it. Since it's basically non-functional for ftp, it would probably be a good idea to remove "ftp (Ftp Server)" from the dropdown list in "Host Access Control" or expand the on-screen instructions there to explain what does and doesn't work.
>
> It's a nice, friendly feature, so it's too bad my client can't use it. He wants to restrict access to most services to his office IP's.

ProFTPd supports TCP Wrapper. Likewise other FTP daemons, if you have Pure or Pro disabled.
 

quattr0

After the last update, SSHD was updated to a version that does not support Wrapper... no Host Access Control is available at the moment. I'm using

WHM 11.23.2 cPanel 11.23.4-S26138
CENTOS Enterprise 5.2 x86_64 on standard - WHM X v3.1.0

Even root ssh access is unable to be restricted from sshd_config...
 

cPanelKenneth

cPanel Development
Staff member
> After the last update, SSHD was updated to a version that does not support Wrapper... no Host Access Control is available at the moment. I'm using
>
> WHM 11.23.2 cPanel 11.23.4-S26138
> CENTOS Enterprise 5.2 x86_64 on standard - WHM X v3.1.0
>
> Even root ssh access is unable to be restricted from sshd_config...

What you describe indicates a problem with the OpenSSH rpm from your Operating System vendor. You can attempt to re-install this rpm to resolve the issue, or open a support request at https://tickets.cpanel.net/submit/