Host Access Control - Filling up with unknown IP's

Discussion in 'Security' started by th3joker, Mar 12, 2012.

  1. th3joker

    th3joker Member

    Joined:
    Mar 12, 2012
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Our dedicated server has been filling up the Host Access Control web page with unknown IPs.

    When I check the hosts.allow file they aren't in there unless I click the save button on the page.

    I can't work out where they are coming from unless it's a hack or a misconfiguration of csf/fail2ban etc.

    I've made the hosts.allow file immutable in the meantime.

    Has anyone else experienced this?
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    By filling up with unknown IPs, do you mean ALLOW entries or DENY ones? WHM's Host Access Control will add both of those to the /etc/hosts.allow file (rather than the deny ones to the /etc/hosts.deny file).

    Next, have you enabled DynDNS on CSF possibly? Here's a guide on how it would have probably been configured:

    Guide on how to Enable DynDNS on your Server | netstat -an | grep -i listen

    That might well add entries to allow for dynamic IPs.
     
  3. th3joker

    I haven't set up dyndns, and the entries have no allow or deny after them, but when you save the list it does add in allow. It's very strange, as the actual hosts.allow file doesn't have the entries unless I manually save the list on that page.

    Here's a snapshot of the page; the IPs are visible as they have no relevance to me or the system. [Attachment: Screen Shot 2012-03-12 at 12.22.37.png]
     
  4. cPanelTristan

    Hello,

    Strange. To track down what is happening, could you please submit a ticket using the link in my signature or in WHM > Support Center > Contact cPanel? Please post the ticket number here upon submitting one so we can follow up on the resolution.

    Thanks!
     
  5. th3joker

    Ticket number: 2405798
     
  6. th3joker

    Ticket seems to have disappeared??
     
  7. th3joker

    This is pretty disconcerting, since I don't actually use WHM Host Access Control; I manually edit the hosts.allow file instead, but WHM seems to be using some cached version which is having IPs added into it.
     
  8. cPanelTristan

    There are replies onto the ticket, so it doesn't appear to have disappeared. I also see replies you've made to the ticket after these forum posts.

    Apparently, the IPs are coming from /etc/hosts.deny, which isn't used by cPanel at all. You may wish to re-reply to the ticket again if you aren't certain which script you have editing the /etc/hosts.deny file.
     
  9. th3joker

    I added a colleague onto the ticket as a CC; when he replied, it moved the ticket into his account and I could no longer see or access the ticket on my login.

    We had to then use his login to access the ticket.

    Weird but true.
     
  10. th3joker

    It appears that entries in hosts.deny are inserted into the top of the Host Access Control list.
     
  11. th3joker

    If it isn't used by cPanel, then why is it reading the IPs from the file?
     
  12. cPanelTristan

    This is probably something we should investigate in the ticket. That was the purpose of opening it. If you haven't done so, please certainly feel free to post anything into the ticket.
     
  13. th3joker

    I did that earlier :)
     
  14. th3joker

    OK, so the problem lies between portsentry creating hosts.deny entries in the syntax:

    ALL : $TARGET

    which is technically correct and works, but cPanel reads both hosts.allow and hosts.deny when you access "Host Access Control"; when you save that page, it writes them all into hosts.allow and flushes the entries from hosts.deny.

    In the meantime the IP will reside in hosts.deny and function in the intended manner. Is there a way to automatically carry out that transfer function, just for completeness?

    What I've done is change the configuration in portsentry from:

    KILL_HOSTS_DENY="ALL: $TARGET$"

    To:

    KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

    This now all functions in the intended way.

    Thanks for all your help, glad we could work it out :)
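
Added example (not part of the thread and not cPanel or portsentry code): a shell check that lists tcp_wrappers rules with no explicit allow/deny option, which are the hosts.deny entries the thread found being carried into hosts.allow when the Host Access Control page is saved. The function names and sample rules are constructed for illustration; the check only looks at the last colon-separated field and does not join backslash-continued lines.

```shell
#!/bin/sh
# Added example: find hosts.allow / hosts.deny rules that carry no explicit
# allow/deny option (function names are hypothetical).

# Print "file:line: rule" for every rule whose last colon-separated field
# is not "allow" or "deny" (compared case-insensitively).
unqualified_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            n = split($0, field, ":")
            last = tolower(field[n])
            gsub(/[ \t\r]/, "", last)           # trim padding around the option
            if (n < 3 || (last != "allow" && last != "deny"))
                printf "%s:%d: %s\n", FILENAME, FNR, $0
        }
    ' "$1"
}

# Number of unqualified rules in a file.
count_unqualified() {
    unqualified_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample in the style of a portsentry-maintained hosts.deny,
# using documentation address ranges only.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not taken from the thread
ALL: 192.0.2.10
ALL: 198.51.100.7 : DENY
sshd: 203.0.113.0/255.255.255.0 : allow
ALL : 192.0.2.99
EOF

unqualified_rules "$sample"
```

On a real server, run `unqualified_rules /etc/hosts.deny` before saving the Host Access Control page; any line it prints has no action of its own and takes its meaning from whichever file it ends up in.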
     