The Community Forums


Host Access Control by Country?

Discussion in 'Security' started by 4u123, Feb 27, 2014.

  1. 4u123

    4u123 Well-Known Member
    PartnerNOC

    The documentation for this says the only supported services are cpanel, whm, webmail and webdav, but I see lots of services listed when using the feature in WHM, including smtp, ssh, ftp, imap, pop3, etc. Are these all supported?

    Is there a practical limit to how many IPs / ranges can be used?

    Does this feature use its own service / process in front of each service? How does it work exactly?

    Why won't it accept CIDR ranges?

    Basically I'm looking for a more practical way to perform country based access control to certain services, without having lots of iptables rules.

    I'd really like to use Maxmind's Geoip database to allow access to a specific service, (e.g, smtp) to a dozen or so countries, while denying everyone else. It would be awesome if someone developed a WHM plugin to do that.

    In the meantime it occurred to me that I could simply convert the geoip country data into the format required and include the ranges in the hosts.allow file. I realise that this would consist of a couple of thousand entries and I don't know what effect that might have - but, as long as it only delayed the initial access to the service for a few seconds, it would probably be ok.

    I think it would be of great benefit to have the ability to easily allow / deny access to specific services based on country and I'd be interested to hear your thoughts.
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    The feature you're referring to, iirc, only works for cPanel services - cPanel/WHM/Webmail.

    No, but I'm sure at some point it's possible for a limit to get hit.

    It does not use a separate process. The existing daemons deny access based on what's in the deny list you create.

    It wasn't designed to. You'd have to ask cPanel why they chose not to allow ranges.

    Using iptables is probably much more efficient than using a software-based firewall.

    Have you looked at CSF?
     
  3. 4u123

    4u123 Well-Known Member
    PartnerNOC

    I think the documentation needs improving. I wonder why all services are listed as choices in the application. The example provided on the top of the page actually uses SSH - so I think they have added this functionality to at least some other services. I haven't tested any of them - I'm currently only controlling access to WHM with this feature.

    It's really impractical to do it this way. I feel a feature request is in order here.

    I disagree. iptables is a software firewall and all the rules are held in memory. The more rules you have, the slower access becomes to all services. A service based access control system wouldn't impact on the overall performance of the server.

    Of course - but as mentioned, using iptables is not practical for this type of access control. It requires a large number of IP ranges which would dramatically slow down access to all services on the server.

    With a process tied into a particular service, any delays are experienced at the moment the host attempts to access that service, causing no impact on HTTP traffic, which for a web server is important.

    What differentiates this from a firewall is that we are talking about authenticated services. It is now becoming more important to lock down anything with a password that sits on the public network. More refined control is needed over these services.

    Considering that our servers are hammered every day with brute-force login attempts from countries where we do not have customers, and that they have so many thousands of IPs in their botnets that the likes of LFD and cPHulk are rendered almost useless, there needs to be a new solution to simply deny access to services from places where access is not required. It's time to take a more proactive approach in my opinion.

    The host access control feature in WHM is most definitely a step in the right direction, but I'd really like to see this being improved upon, or someone developing a commercial Geoip based solution.

    In the future I'd like to see this type of access control managed by the users themselves - so in cPanel the customer could decide from which countries they want to allow access to their ftp, cpanel, pop/imap and smtp services.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    You can find documentation on this option here:

    Host Access Control

    It's important to keep in mind that this option is essentially just a user interface for your system's /etc/hosts.allow file. While we document our services that are manageable in the /etc/hosts.allow file, you can govern any service linked to TCP Wrappers using this feature. The lack of support for CIDR is not something that's a result of how cPanel developed this option, but rather it's because that's what the operating system dictates for the /etc/hosts.allow file. Any changes to the backend of this option would need to come from the OS (e.g. Red Hat).

    Thank you.
     
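An added example (not from this thread, cPanel or any GeoIP vendor) covering both 4u123's idea of converting a country's CIDR ranges for hosts.allow and cPanelMichael's point that the file's syntax is what rules out CIDR: hosts_access(5) takes IPv4 networks as net/dotted-netmask and IPv6 as [net]/prefixlen, and stops at the first matching rule, so the deny entry must come last. The sample ranges are constructed documentation prefixes; the service name sshd and the helper names are assumptions.

```python
#!/usr/bin/env python3
"""Turn a list of CIDR ranges (e.g. one country's GeoIP export) into
/etc/hosts.allow entries. hosts_access(5) has no IPv4 prefix-length
syntax, so IPv4 networks are written as net/dotted-netmask; IPv6 uses
[net]/prefixlen. Names and sample data below are assumptions."""
import ipaddress

# Constructed sample input (RFC 5737 / RFC 3849 documentation prefixes).
SAMPLE_CIDRS = [
    "203.0.113.0/24",
    "198.51.100.128/25",
    "192.0.2.0/24",
    "192.0.2.0/24",      # duplicate, collapsed away below
    "2001:db8::/32",
]


def wrappers_pattern(net):
    """Render one ip_network in the form tcp_wrappers accepts."""
    if net.version == 4:
        return f"{net.network_address}/{net.netmask}"
    return f"[{net.network_address}]/{net.prefixlen}"


def hosts_allow_lines(service, cidrs, per_line=4):
    """Allowed networks first, then an explicit deny for the same daemon:
    tcp_wrappers stops at the first matching rule, so order matters."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    patterns = [wrappers_pattern(n) for n in list(v4) + list(v6)]
    lines = []
    for i in range(0, len(patterns), per_line):
        chunk = ", ".join(patterns[i:i + per_line])
        lines.append(f"{service}: {chunk}")
    # DENY is a hosts_options(5) keyword; "sshd: ALL" in hosts.deny is equivalent.
    lines.append(f"{service}: ALL: DENY")
    return lines


def is_allowed(cidrs, client_ip):
    """Predict the decision for a client: allowed only if it falls inside
    one of the listed networks, otherwise caught by the trailing DENY."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    print("\n".join(hosts_allow_lines("sshd", SAMPLE_CIDRS)))
```

Run it against a real per-country export and paste the output into the daemon's section of hosts.allow; is_allowed lets you check a few known client addresses before the file goes live.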