
Host Access Control not working

Comments

20 comments

  • cPRex Jurassic Moderator
    Hey there! That certainly looks right, and follows the details outlined at Host Access Control | cPanel & WHM Documentation. If you run this command on the system, does it properly return your rules?

    nft -a list chain inet filter cPanel-HostAccessControl
  • tom9909
    Hey there! That certainly looks right, and follows the details outlined at
  • cPRex Jurassic Moderator
    Thanks for the additional details. This is one of those things that should "just work" so could you open a ticket with our team so we can take a look at this directly on the machine?
  • tom9909
    Thanks for the additional details. This is one of those things that should "just work" so could you open a ticket with our team so we can take a look at this directly on the machine?

    Thank you for confirming I wasn't doing something incorrectly :) I've raised a support case #94520897 for further investigation. Cheers
  • cPRex Jurassic Moderator
    Thanks for that - it looks like we were able to reset the Host Access Control tools by running "/usr/local/cpanel/scripts/configure_firewall_for_cpanel" - after doing that, we tested things as working properly in the ticket.
  • tom9909
    Thank you, I can confirm it's now working :)
  • cPRex Jurassic Moderator
    I'm glad to hear it!
  • ANZEEQ

    Hi, sorry to hijack the topic, but I have a similar issue where the rules go empty after the server is restarted; any idea why?

  • ANZEEQ

    Following are my specs, FYI:

    OS: AlmaLinux v8.10.0 STANDARD standard ( Upgraded from CentOS 7 using elevate script )

    WHM/cPanel Version: 120.0.14

    CSF: 14.20

  • cPRex Jurassic Moderator

    ANZEEQ - can you ensure that nftables is running when the server is started?  You can use this command to check the status:

    systemctl status nftables

    We do *not* want to see output similar to this, showing it is not enabled:

     nftables.service - Netfilter Tables
    Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
    Active: inactive (dead)
    Docs: man:nft(8)
  • ANZEEQ

    Well, from what I see it's running, but it's still not working as intended, as any public IP is able to view the page.

    [root@platinum ~]# systemctl status nftables
    ● nftables.service - Netfilter Tables
       Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
       Active: active (exited) since Wed 2024-07-31 13:17:57 +08; 6min ago
         Docs: man:nft(8)
      Process: 565934 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
     Main PID: 565934 (code=exited, status=0/SUCCESS)

    Jul 31 13:17:57 platinum.gh-solutions.biz systemd[1]: Starting Netfilter Tables...
    Jul 31 13:17:57 platinum.gh-solutions.biz systemd[1]: Started Netfilter Tables.

  • ANZEEQ

    As shown, this will go empty once the server has been rebooted; any idea how to make it sticky?

  • tom9909

    ANZEEQ Here are the notes I've taken from the issue. Hopefully they work for you too.

    It's probably best to reset your host access controls, reboot and then start again as per the below.

    Best of luck

     

    Note regarding Host Access Control:

    CloudLinux/AlmaLinux both cannot use the firewalld service, but should instead use nftables to manage host access.

     

    To check the service status of FirewallD and nftables use the following:

    systemctl status firewalld (should be disabled)

    systemctl status nftables (should be enabled)

     

    To disable firewalld, run: systemctl disable firewalld

    To enable the nftables service, run: systemctl enable nftables

    The server will then need to be restarted to ensure the firewall is cleared of any incompatible rules.

     

    The rules live in the file: /etc/sysconfig/nftables.conf

    Rules can be seen by running: nft -a list chain inet filter cPanel-HostAccessControl

    Run: cat /etc/sysconfig/nftables.conf | grep -A5 INPUT to ensure that jump cPanel-support-access exists so that nftables can look to the host access list above

     

    To reset host access control and inetfilter run: /scripts/configure_firewall_for_cpanel

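The checks in the moderator's reply and in tom9909's notes above, collected into one script, as an added example that is not cPanel's own tooling and not code from anyone in this thread. It reports the firewalld and nftables unit states, verifies that the INPUT chain jumps to cPanel-HostAccessControl, and adds a check the thread never makes: whether the rules in the live chain are also present in /etc/sysconfig/nftables.conf. The nftables.service status pasted later in the thread shows ExecStop running `nft flush ruleset` and ExecStart loading only that file, so a populated live chain whose saved copy is empty is precisely a chain that will come back blank after a reboot. The chain and file names are the ones used in the thread; the sample rulesets at the bottom are constructed for the self-test and are not from the server discussed here.

```shell
#!/bin/sh
# Added example (not cPanel's code): compare the live cPanel-HostAccessControl
# chain with the copy nftables.service will reload from the saved rules file.

HAC_CHAIN="cPanel-HostAccessControl"
SAVED_RULES="/etc/sysconfig/nftables.conf"

# Count accept/drop rules inside chain $1 of an nft ruleset dump read on stdin.
# Accepts `nft list ruleset`, `nft -a list ...` ("# handle N" comments are
# dropped) and the saved rules file, which uses the same syntax.
hac_rule_count() {
    awk -v chain="$1" '
        { sub(/#.*/, "") }
        $1 == "chain" && $2 == chain { inside = 1; next }
        inside && $1 == "}"          { inside = 0; next }
        inside && ($NF == "accept" || $NF == "drop") { n++ }
        END { print n + 0 }'
}

# Exit 0 if the INPUT chain of the dump on stdin contains "jump <chain $1>".
input_jumps_to() {
    awk -v chain="$1" '
        { sub(/#.*/, "") }
        $1 == "chain" && $2 == "INPUT" { inside = 1; next }
        inside && $1 == "}"            { inside = 0; next }
        inside && NF >= 2 && $(NF-1) == "jump" && $NF == chain { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Compare a live dump ($1) with the saved file contents ($2) and print one word:
#   no-jump   INPUT never reaches the host access chain
#   volatile  live chain has rules, saved copy has none: lost on reboot
#   empty     no rules anywhere (nothing configured yet)
#   ok        rules present in both
persistence_verdict() {
    live=$(printf '%s\n' "$1" | hac_rule_count "$HAC_CHAIN")
    saved=$(printf '%s\n' "$2" | hac_rule_count "$HAC_CHAIN")
    if ! printf '%s\n' "$1" | input_jumps_to "$HAC_CHAIN"; then
        echo no-jump
    elif [ "$live" -gt 0 ] && [ "$saved" -eq 0 ]; then
        echo volatile
    elif [ "$live" -eq 0 ] && [ "$saved" -eq 0 ]; then
        echo empty
    else
        echo ok
    fi
}

unit_state() {
    state=$(systemctl is-enabled "$1" 2>/dev/null || true)   # enabled/disabled/masked, empty if absent
    echo "$1: ${state:-not installed}"
}

# Run against this server (needs root); only invoked with --live so the parsing
# above can be exercised on the constructed samples below without nft installed.
live_check() {
    unit_state firewalld      # want disabled or masked
    unit_state nftables       # want enabled
    live_dump=$(nft list ruleset) || { echo "nft list ruleset failed; run as root"; return 1; }
    saved_dump=$(cat "$SAVED_RULES") || return 1
    verdict=$(persistence_verdict "$live_dump" "$saved_dump")
    echo "$HAC_CHAIN: $verdict"
    [ "$verdict" = ok ]
}

# Constructed sample dumps (not from the server in the thread): a live ruleset
# with one allow and one drop rule, and a saved file whose chain is empty.
SAMPLE_LIVE='table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        counter packets 10 bytes 600 jump cPanel-HostAccessControl
    }
    chain cPanel-HostAccessControl { # handle 5
        ip saddr 203.0.113.10 ct state new tcp dport 2087 counter packets 1 bytes 60 accept # handle 11
        ct state new tcp dport 2087 counter packets 96 bytes 5728 drop # handle 16
    }
}'
SAMPLE_SAVED='table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        jump cPanel-HostAccessControl
    }
    chain cPanel-HostAccessControl {
    }
}'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "constructed samples: $(persistence_verdict "$SAMPLE_LIVE" "$SAMPLE_SAVED")"   # volatile
fi
```

Run it as root with `--live` on the server. A `volatile` verdict means the rules exist only in memory and the saved file has none, which matches the "goes blank on reboot" symptom; after running the reset script the moderator's ticket used (`/usr/local/cpanel/scripts/configure_firewall_for_cpanel`), run the check again, and once more after a reboot, to confirm the verdict is `ok` both times. A `no-jump` verdict means the chain can be fully populated and still enforce nothing, because inbound packets never reach it.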
  • ANZEEQ

    Hi guys,

    I have tried everything as mentioned above; the rules just go blank on every reboot. My findings are below, masked for privacy:

    As for this command: cat /etc/sysconfig/nftables.conf | grep -A5 INPUT , yes, I could see the jump cPanel-support-access

            chain INPUT {
                    type filter hook input priority filter; policy accept;
                    counter packets 271567 bytes 97416955 jump cPanel-HostAccessControl
                    counter packets 271454 bytes 97410487 jump cP-Firewall-1-INPUT
            }

            chain FORWARD {
                    type filter hook forward priority filter; policy accept;
                    counter packets 0 bytes 0 jump cPanel-HostAccessControl
                    counter packets 0 bytes 0 jump cP-Firewall-1-INPUT
            }



    [root@platinum ~]# nft -a list chain inet filter cPanel-HostAccessControl
    table inet filter {
            chain cPanel-HostAccessControl { # handle 5
                  ip saddr 165.XXX.XXX.XX2 ct state new tcp dport 2XXX counter packets 1 bytes 60 accept # handle 11
                  ip saddr 165.XXX.XXX.XX2 ct state new tcp dport 2087 counter packets 24 bytes 1256 accept # handle 12
                  ip saddr 165.XXX.XXX.XX2 ct state new tcp dport 7XXX counter packets 5 bytes 268 accept # handle 13
                  ip saddr 165.XXX.XXX.XX2 ct state new tcp dport 1XXX counter packets 20 bytes 1048 accept # handle 14
                  ct state new tcp dport 2XXX counter packets 6 bytes 328 drop # handle 15
                  ct state new tcp dport 2087 counter packets 96 bytes 5728 drop # handle 16
                  ct state new tcp dport 7XXX counter packets 96 bytes 5728 drop # handle 17
                  ct state new tcp dport 1XXX counter packets 7 bytes 348 drop # handle 18
                  ct state new tcp dport 2XXX counter packets 11 bytes 660 drop # handle 19
            }
    }
    [root@platinum ~]#
    [root@platinum ~]# systemctl status nftables.service
    ● nftables.service - Netfilter Tables
       Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
       Active: active (exited) since Thu 2024-08-29 07:35:53 +08; 9min ago
         Docs: man:nft(8)
      Process: 9148 ExecStop=/sbin/nft flush ruleset (code=exited, status=0/SUCCESS)
      Process: 9150 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
     Main PID: 9150 (code=exited, status=0/SUCCESS)
        Tasks: 0 (limit: 100381)
       Memory: 0B
       CGroup: /system.slice/nftables.service

    Aug 29 07:35:53 platinum.XXX-XXX.biz systemd[1]: Starting Netfilter Tables...
    Aug 29 07:35:53 platinum.XXX-XXX.biz systemd[1]: Started Netfilter Tables.
    [root@platinum ~]#

    The moment the server is rebooted, all are gone! Any idea what I am doing wrong?

  • tom9909

    Hi ANZEEQ

    It sounds to me like firewalld is still starting. Are you sure that the service is disabled as per this KB issue and my advice above?

    firewall-cmd --state
    systemctl status firewalld

    To disable the service so that it will not start the next time that you reboot the server issue the following command:

    systemctl disable firewalld
  • ANZEEQ

    Hi tom9909,

    As shown below:

    [root@platinum ~]# systemctl status firewalld
    ● firewalld.service
       Loaded: masked (Reason: Unit firewalld.service is masked.)
       Active: inactive (dead)
    [root@platinum ~]# systemctl disabl firewalld
    Unknown operation disabl.
    [root@platinum ~]# systemctl disable firewalld
    Unit /etc/systemd/system/firewalld.service is masked, ignoring.
    [root@platinum ~]#

    I believe i have CSF running as well:


    [root@platinum ~]# systemctl status csf
    ● csf.service - ConfigServer Firewall & Security - csf
       Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: disabled)
       Active: active (exited) since Thu 2024-08-29 07:28:00 +08; 1h 3min ago
     Main PID: 2202 (code=exited, status=0/SUCCESS)
        Tasks: 0 (limit: 100381)
       Memory: 0B
       CGroup: /system.slice/csf.service

    And... yes, I do have CSF running; could this be an issue?

     

  • tom9909

    Hmm, no, I have CSF running too and it's working for me.

    Honestly the documentation could be improved with simplified steps for this setup....


    It may be time to open a support ticket so that they can investigate further, as it's gone a bit beyond me at this point :(

  • cPRex Jurassic Moderator

    It's definitely time for a ticket on this issue.

  • ANZEEQ

    Hi cPRex,

    Yeap, I guess it is time, but I was wondering if my cPanel license allows me to raise a ticket, as it's licensed by my server provider. Most probably I'll be raising the ticket soon, when the next reboot / maintenance is scheduled.

  • cPRex Jurassic Moderator

    If your license isn't purchased directly from us you would open that ticket with your provider, and then they would escalate to us if necessary.

