[Case 48372] IP Deny Manager Question

RedactUK

Member
Apr 22, 2004
15
0
151
I usually maintain any IP address denies in my .htaccess manually, however I've just moved an account over to a new VPS, and while doing some admin in cPanel I looked at the IP Manager, and apart from the list of IPs I know about from the .htaccess file the FIRST entry is Server=all Beginning IP=all Ending IP=all. Where is that coming from? I tried to remove it and it ignored my attempt.

Thanks
 

RedactUK

Not sure what that is. You can't edit the htaccess manually and remove it?
All I have in this .htaccess to test this is:

Code:
## protect .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files> 

## ban IP addresses
deny from 67.228.217.155
deny from 75.126.156.15
* It's a much longer list of denies, but removed for readability
 

Infopro

Well-Known Member
May 20, 2003
17,090
518
613
Pennsylvania
cPanel Access Level
Root Administrator
no it wasn't
I asked because this was the only mention I could find of this:
support.hostgator.com/articles/cpanel/how-do-i-deny-ip-address-access

A screenshot of this area on one of my servers below, can you share yours please? (I'm curious about what you're seeing.)
 

JawadArshad

Well-Known Member
PartnerNOC
Apr 8, 2008
459
7
68
PK
cPanel Access Level
DataCenter Provider
Can you comment these lines for a few moments and see if the =all still is visible in IP deny Manager.

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
I believe for every "all" entry in .htaccess, cPanel IP deny manager will add such a line in "IP Deny Manager".


RedactUK

Can you comment these lines for a few moments and see if the =all still is visible in IP deny Manager.
Ok, that removed the lines. I thought that was just applicable to .htaccess?! Additionally, I have that same entry on other accounts on other servers and in not one single case does it cause these 'all' entries in IP Deny Manager. So I'm guessing that maybe for some reason the <Files> section is not being parsed correctly and instead just the 'deny all' is being picked up?

Note: I'm running suPHP on this server. Does that interfere with the <Files .htaccess> section?
 

JawadArshad

It is not about SuPHP. If you comment only the line that contains "all", you should not get this entry in IP Deny Manager unless I am taking it wrong.

 

RedactUK

If you comment only the line that contains "all", you should not get this entry in IP Deny Manager unless I am taking it wrong.
The point is WHY is IP Deny Manager picking up the "deny all" I've quoted when that entry is specifically for .htaccess?! Either this is a bug with IP Deny Manager OR the <Files .htaccess> .... </Files> is not being parsed correctly.
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
40
248
somewhere over the rainbow
cPanel Access Level
Root Administrator
What I don't understand is why you'd have the following:

Code:
## protect .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files> 

## ban IP addresses
deny from 67.228.217.155
deny from 75.126.156.15
When you have "deny from all" in your .htaccess in this way, then all IPs are denied and you can then only allow select IPs using "allow from IP#" rather than ban select IPs at that point. As such, first off, what is the purpose of having the initial "deny from all" entry then additional denied IPs? You are basically denying all IPs at the onset anyway. Once I understand the purpose, I could see why the IP deny manager is functioning the way it is, but right now, the configuration doesn't make sense to me. It would make sense if you wanted to deny all the IPs, then allow select IPs, but not to deny all IPs, then to deny more IPs afterward.

Edit: All right, I should have woken up more first before replying above. I get what the issue happens to be. The denial is for the .htaccess file itself rather than the entire site configuration. Let me test this on a cPanel machine on the latest EDGE to see if it shows the same issue. If it does, then it is misreading the configuration by not properly parsing the fact it is stating only the .htaccess is denied not the entire site.
 

RedactUK

Tristan, I use the <Files .htaccess> section on all my accounts on my other server, and IP Deny Manager never shows a "deny all". This has only happened on this new VPS. Only reason I mention suPHP is that that is one of the differences between the setups, but maybe I've missed some WHM service/component that is affecting how the .htaccess file is being parsed.
 

cPanelTristan

I have been able to reproduce this issue per my testing on 11.28.86-EDGE_51183 and opened internal case #48372 about it. I've flagged this forum thread to that case number now. Thank you for bringing this to our attention.
 

cPanelTristan

Tristan, I use the <Files .htaccess> section on all my accounts on my other server, and IP Deny Manager never shows a "deny all". This has only happened on this new VPS. Only reason I mention suPHP is that that is one of the differences between the setups, but maybe I've missed some WHM service/component that is affecting how the .htaccess file is being parsed.
I tested it on DSO, CGI, suPHP and FCGI for the PHP handlers. It shows the all entries for every single PHP handler selected, so it isn't the handler impacting the setting. I've attached an example screen print of what is showing:

Screen shot 2011-03-28 at 12.12.06 PM.png
 

RedactUK

Thank you for testing this, and I'll leave it with you guys for a future fix.

It should be noted that it seems IP Deny Manager is just picking this up incorrectly for display and isn't actually denying all IPs (thankfully!)
 

cPanelTristan

You are right on that, RedactUK. IP Deny Manager itself isn't editing the .htaccess to change the entry from a <Files .htaccess></Files> one for denying. Because it isn't able to edit it, it isn't making it one that denies all IPs for the entire site.

My case actually mentions the possibility for adding a content section for IP Deny Manager to where rather than simply denying IPs for the entire site, it might instead allow denying IPs along with set files and/or folders instead, since by being able to read an entry such as you've described for denying access to .htaccess, it is actually going to have to add a Content column in the existing page. If such a Content column is added, it would be nice to be able to specify a Content during the IP deny itself.
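
Added example (not part of the thread and not cPanel's code): a small Python sketch of the difference between a scope-blind scan of the .htaccess quoted above and one that tracks `<Files>`-style sections. The scope-blind function is an assumed illustration of how the display symptom could arise, not a description of how IP Deny Manager is implemented; all function names are hypothetical.

```python
import re

# Constructed sample, matching the .htaccess quoted in the thread.
SAMPLE = """\
## protect .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

## ban IP addresses
deny from 67.228.217.155
deny from 75.126.156.15
"""

OPEN = re.compile(r"^<\s*([A-Za-z]+)\s*([^>]*)>$")   # e.g. <Files .htaccess>
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")        # e.g. </Files>
DENY = re.compile(r"^deny\s+from\s+(.+)$", re.IGNORECASE)

def naive_denies(text):
    """Scope-blind scan: every 'deny from' line is treated as site-wide."""
    hits = (DENY.match(line.strip()) for line in text.splitlines())
    return [target for m in hits if m for target in m.group(1).split()]

def scoped_denies(text):
    """Return (scope, target) pairs; scope is '' for rules outside any section."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := CLOSE.match(line)):
            if not stack or stack[-1][0].lower() != m.group(1).lower():
                raise ValueError(f"unbalanced section close: {line}")
            stack.pop()
        elif (m := OPEN.match(line)):
            stack.append((m.group(1), m.group(2).strip()))
        elif (m := DENY.match(line)):
            scope = " > ".join(f"{name} {arg}".strip() for name, arg in stack)
            out.extend((scope, target) for target in m.group(1).split())
    if stack:
        raise ValueError(f"unclosed section: {stack[-1][0]}")
    return out

def site_wide(text):
    """Only the denies that apply to the whole directory, not one file."""
    return [target for scope, target in scoped_denies(text) if scope == ""]
```

On the sample, the scope-blind scan lists `all` alongside the two IPs, while the scoped version attributes `all` to `Files .htaccess` and leaves only the two addresses as site-wide denies.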