Host Access Control by Country?

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
The documentation for this says the only supported services are cpanel, whm, webmail and webdav, but I see lots of services listed when using the feature in WHM, including smtp, ssh, ftp, imap, pop3 etc. Are these all supported?

Is there a practical limit to how many IPs / ranges can be used?

Does this feature use its own service / process in front of each service? How does it work exactly?

Why won't it accept CIDR ranges?

Basically I'm looking for a more practical way to perform country-based access control to certain services, without having lots of iptables rules.

I'd really like to use MaxMind's GeoIP database to allow access to a specific service (e.g. smtp) to a dozen or so countries, while denying everyone else. It would be awesome if someone developed a WHM plugin to do that.

In the meantime it occurred to me that I could simply convert the GeoIP country data into the format required and include the ranges in the hosts.allow file. I realise that this would consist of a couple of thousand entries and I don't know what effect that might have, but as long as it only delayed the initial access to the service for a few seconds, it would probably be OK.

I think it would be of great benefit to have the ability to easily allow / deny access to specific services based on country and I'd be interested to hear your thoughts.

vanessa

Well-Known Member
PartnerNOC
Sep 26, 2006
> The documentation for this says the only supported services are cpanel, whm, webmail and webdav, but I see lots of services listed when using the feature in WHM, including smtp, ssh, ftp, imap, pop3 etc. Are these all supported?
The feature you're referring to, iirc, only works for cPanel services - cPanel/WHM/Webmail.

> Is there a practical limit to how many IPs / ranges can be used?
No, but I'm sure at some point it's possible for a limit to get hit.

> Does this feature use its own service / process in front of each service? How does it work exactly?
It does not use a separate process. The existing daemons deny access based on what's in the deny list you create.

> Why won't it accept CIDR ranges?
It wasn't designed to. You'd have to ask cPanel why they chose not to allow ranges.

> Basically I'm looking for a more practical way to perform country-based access control to certain services, without having lots of iptables rules.
Using iptables is probably much more efficient than using a software-based firewall.

> I'd really like to use MaxMind's GeoIP database to allow access to a specific service (e.g. smtp) to a dozen or so countries, while denying everyone else. It would be awesome if someone developed a WHM plugin to do that.
Have you looked at CSF?

4u123

Well-Known Member
PartnerNOC
Jan 2, 2006
> The feature you're referring to, iirc, only works for cPanel services - cPanel/WHM/Webmail.
I think the documentation needs improving. I wonder why all services are listed as choices in the application. The example provided on the top of the page actually uses SSH - so I think they have added this functionality to at least some other services. I haven't tested any of them - I'm currently only controlling access to WHM with this feature.

> It wasn't designed to. You'd have to ask cPanel why they chose not to allow ranges.
It's really impractical to do it this way. I feel a feature request is in order here.

> Using iptables is probably much more efficient than using a software-based firewall.
I disagree. iptables is a software firewall and all the rules are held in memory. The more rules you have, the slower access becomes to all services. A service based access control system wouldn't impact on the overall performance of the server.

> Have you looked at CSF?
Of course - but as mentioned, using iptables is not practical for this type of access control. It requires a large number of IP ranges which would dramatically slow down access to all services on the server.

With a process tied into a particular service, any delays are experienced at the moment the host attempts to access that service, causing no impact on HTTP traffic, which for a web server is important.

What differentiates this from a firewall is that we are talking about authenticated services. It is now becoming more important to lock down anything with a password that sits on the public network. More refined control is needed over these services.

Considering that our servers are hammered every day with brute force login attempts from countries where we do not have customers, and they have so many thousands of IPs in their botnets that the likes of LFD and cPHulk are rendered almost useless, there needs to be a new solution to simply deny access to services from places where access is not required. It's time to take a more proactive approach in my opinion.

The host access control feature in WHM is most definitely a step in the right direction, but I'd really like to see this being improved upon, or someone developing a commercial GeoIP-based solution.

In the future I'd like to see this type of access control managed by the users themselves, so in cPanel the customer could decide from which countries they want to allow access to their ftp, cpanel, pop/imap and smtp services.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

You can find documentation on this option here:

Host Access Control

It's important to keep in mind that this option is essentially just a user interface for your system's /etc/hosts.allow file. While we document our services that are manageable in the /etc/hosts.allow file, you can govern any service linked to TCP Wrappers using this feature. The lack of support for CIDR is not something that's a result of how cPanel developed this option, but rather it's because that's what the operating system dictates for the /etc/hosts.allow file. Any changes to the backend of this option would need to come from the OS (e.g. Red Hat).

Thank you.