The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Host Access Control proper usage?

Discussion in 'Security' started by kpmedia, May 26, 2013.

  1. kpmedia

    kpmedia Well-Known Member

    Joined:
    Feb 13, 2011
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA, Europe
    cPanel Access Level:
    Root Administrator
    I want to block some useless /8 ranges from accessing certain services, but I can't figure out how do do it without having to add lots of single rules. (This should be easy!) Right now, I have this:

    Daemon: pop3d
    Access List: ALL EXCEPT 23.*.*.* 27.*.*.* 85.*.*.* 94.*.*.* 110.*.*.* 112.*.*.* 115.*.*.* 116.*.*.* 121.*.*.* 122.*.*.* 123.*.*.* 124.*.*.* 125.*.*.* 130.*.*.* 134.*.*.* 183.*.*.* 187.*.*.* 194.*.*.* 210.*.*.* 218.*.*.* 219.*.*.* 220.*.*.*
    Action: allow

    But today I got an email that the Chinese (as usual) were trying to get in from 218.*.*.*
    So it's not working.

    Is the rule bad, or is the feature not working?

    And if it's the rule, what else needs to be done instead?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    652
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    This option is documented at:

    Host Access Control

    Per this document:

    The ranges of addresses in these rules must use wildcards (192.168.0.*) instead of CIDR notation (192.168.0.1/24).

    Thus, the entries you are using should work as intended. Have you tried denying the IP addresses directly instead of using an "ALL EXCEPT" rule?

    Thank you.
     
  3. kpmedia

    kpmedia Well-Known Member

    Joined:
    Feb 13, 2011
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA, Europe
    cPanel Access Level:
    Root Administrator
    I saw that document, but it's terrible because it doesn't give any usage examples.
    Hence me guessing, and writing the above rule.
    However, just yesterday, I got an attempt to login from a 218.*.*.* IP, and CSF had to take over.
    So I'm under the impression it does not work, and I guessed wrong.
    It's not being blocked in cPanel.

    How would I write a "denying the IP addresses directly" rule?

    Either my rule is bad, or the feature has bugs (is bad).
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    652
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Our documentation indicates the rule you are using should work. The only potential difference I see is that you are using multiple wildcards in the IP address. Could you open a support ticket so we can reproduce the issue and file an internal case if necessary? You can open a ticket via:

    Submit A Ticket

    Please provide us with the ticket number so we can track the issue.

    Thank you.
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Per the available documentation on TCP Wrappers[1] (which is the underlying technology for Host Access Control) you should format your rules like:

    ALL EXCEPT 23. 27.

    You should find more info in the hosts_access man page.


    1. 42.5. TCP Wrappers and xinetd
     
  6. kpmedia

    kpmedia Well-Known Member

    Joined:
    Feb 13, 2011
    Messages:
    85
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    USA, Europe
    cPanel Access Level:
    Root Administrator
    That was it. :)

    It was in "42.5.2.1.2. Patterns" of that document.

    Just now re-visited this, saw your reply. Thanks much.
     
Loading...

Share This Page