Host Access Control proper usage?

[kpmedia]

I want to block some useless /8 ranges from accessing certain services, but I can't figure out how do do it without having to add lots of single rules. (This should be easy!) Right now, I have this:

Daemon: pop3d
Access List: ALL EXCEPT 23.*.*.* 27.*.*.* 85.*.*.* 94.*.*.* 110.*.*.* 112.*.*.* 115.*.*.* 116.*.*.* 121.*.*.* 122.*.*.* 123.*.*.* 124.*.*.* 125.*.*.* 130.*.*.* 134.*.*.* 183.*.*.* 187.*.*.* 194.*.*.* 210.*.*.* 218.*.*.* 219.*.*.* 220.*.*.*
Action: allow

But today I got an email that the Chinese (as usual) were trying to get in from 218.*.*.*
So it's not working.

Is the rule bad, or is the feature not working?

And if it's the rule, what else needs to be done instead?

 

[cPanelMichael]

Hello

This option is documented at:

Host Access Control

Per this document:

The ranges of addresses in these rules must use wildcards (192.168.0.*) instead of CIDR notation (192.168.0.1/24).

Thus, the entries you are using should work as intended. Have you tried denying the IP addresses directly instead of using an "ALL EXCEPT" rule?

Thank you.

 

[kpmedia]

I saw that document, but it's terrible because it doesn't give any usage examples.
Hence me guessing, and writing the above rule.
However, just yesterday, I got an attempt to login from a 218.*.*.* IP, and CSF had to take over.
So I'm under the impression it does not work, and I guessed wrong.
It's not being blocked in cPanel.

How would I write a "denying the IP addresses directly" rule?

Either my rule is bad, or the feature has bugs (is bad).

 

[cPanelMichael]

Our documentation indicates the rule you are using should work. The only potential difference I see is that you are using multiple wildcards in the IP address. Could you open a support ticket so we can reproduce the issue and file an internal case if necessary? You can open a ticket via:

Submit A Ticket

Please provide us with the ticket number so we can track the issue.

Thank you.

 

[cPanelKenneth]

Per the available documentation on TCP Wrappers[1] (which is the underlying technology for Host Access Control) you should format your rules like:

ALL EXCEPT 23. 27.

You should find more info in the hosts_access man page.


1. 42.5. TCP Wrappers and xinetd

 

[kpmedia]

That was it.

IP address ending with a period (.) — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example applies to any host within the 192.168.x.x network:

ALL : 192.168.

It was in "42.5.2.1.2. Patterns" of that document.

Just now re-visited this, saw your reply. Thanks much.