Host Access Control sshd All deny blocking both sshd and imap in WHM 108.x

Mark Fischer

• February 09, 2023 15:13

After updating to WHM 108 I was no longer able to access imap email from IP addresses not specifically set to be ignored in the firewall. After much investigation I discovered that Host Access Control has changed in how it handles sshd connections. On WHM 106 a "sshd ALL deny" command only blocked connections to sshd. On WHM 108 the same command also blocks imap connections. To resolve the issue I added a "imap ALL allow" command before the "sshd ALL deny" command. Now I can check email from ip addresses not specifically listed in Host Access Control or in the ConfigServer Firewall.

• 

  cPRex Jurassic Moderator

  • February 09, 2023 20:32

  Hey there! That's odd - let me test this and I'll let you know what I find!

  0
• 

  cPRex Jurassic Moderator

  • February 09, 2023 20:40

  Actually, before I do that, can you let me know your operating system? It sounds like you may be on CentOS 7, but I'd just like to confirm that before I do my testing.

  0
• 

  Mark Fischer

  • February 10, 2023 13:52

  I am on CentOS 7

  0
• 

  cPRex Jurassic Moderator

  • February 10, 2023 17:12

  Thanks for that clarification. I wasn't able to reproduce this behavior on a test machine. I setup a CentOS 7 server using cPanel 108, configured SSH to be blocked completely, and I was still able to send a message using IMAP to both ports 143 and 993. Do you possibly have another rule that could be interfering with the IMAP delivery?

  0
• 

  Mark Fischer

  • February 10, 2023 19:23

  I will take a closer look at our current rules but when I remove the rule "sshd ALL deny" from Host Access Control I can check email from ip addresses not specifically listed in Host Access Control or in the ConfigServer Firewall. When it is added back email is blocked until the rule "smtp ALL allow" is added before the "sshd ALL deny" rule.

  0
• 

  cPRex Jurassic Moderator

  • February 10, 2023 19:24

  It might be worth temporarily disabling CSF to see if that changes the behavior as well.

  0
• 

  Mark Fischer

  • February 10, 2023 19:42

  When you say "send a message" do you mean check messages via IMAP or send a message via SMTP? What I am experiencing is blocking of checking mail via IMAP not sending mail via SMTP.

  0
• 

  Mark Fischer

  • February 10, 2023 19:47

  You are correct. When CSF is disabled I can check email without the "imap ALL allow" rule. When CSF is enabled, I can not. I will take it up with their support.

  0
• 

  cPRex Jurassic Moderator

  • February 10, 2023 20:03

  I'm glad it was that! Just to clarify, I was sending and checking - trying to test as much as I could on my end from all angles.

  0

Please sign in to leave a comment.