
Host access control suddenly empty

Comments

18 comments

  • cPRex Jurassic Moderator

    Hey there!  Unfortunately (or, maybe fortunately) I haven't heard of this area just getting wiped in the past, and I don't see any similar reports when I checked our ticket system just now.

    The only place I could think of to check would be /var/log/secure as that would show any SSH logins to the machine.

    1
  • ITHKBO

    Hello cPRex,

    I share the fortunately in this case, and hope it stays an anomaly.
    We checked the /var/log/secure and additional logs, and we are not seeing anything strange besides lots of wp-toolkit activity.

    Which we do not even use at all, but fortunately it is nothing related to this. I have since then removed wp-toolkit completely because having logs filled with pointless log rotate messages is not helping to audit stuff.

    Thank you for the quick response, and I hope this topic can start to gather dust then.

    0
  • cPRex Jurassic Moderator

    Sounds good - let me know if you do end up finding anything else!

    0
  • ITHKBO

    Unfortunately, the issue came back after a restart of the system.
    This time, however, we were able to find some more details.

    It seems for an unknown reason the /etc/sysconfig/nftables.conf had malformed data, as in 4 lines of:
    Warning: Extension owner is not supported, missing kernel module?
    Warning: Extension owner is not supported, missing kernel module?
    Warning: Extension owner is not supported, missing kernel module?
    Warning: Extension owner is not supported, missing kernel module?

    Removed those, then did a service nftables restart.
    nftables seems to be running again, though I still have to verify if it saves the records correctly.
    I have a suspicion that by having this malformed, it automatically drops the host access controls added by the GUI. I have no idea how an error message is able to be added to a conf file. Furthermore, I have never seen this behavior in more than twenty years.

    I am seeing that I am not the first one suffering from this, although this is Almalinux 9. Our situation is CloudLinux v8.10.0: https://support.cpanel.net/hc/en-us/community/posts/21480665266327-Installa-new-Cpanel-on-Almalinux-9-nftables-error

    However, kcare seems to be functioning as grep -i kcare /var/log/messages shows entries and the security advisor says kcare 4.18.0-553.5.1.lve.1.el8, so I have no idea either what missing kernel module it is even rambling about.

    I will reboot the server tonight after adding the rules back again and see if it stays this time.
    In either case, I am scratching my head at this configuration's malformation.

    0
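One way to check for the condition described in the post above, as an added example that is not part of the original thread and is not cPanel or CloudLinux code: it flags tool diagnostics that ended up inside an nftables ruleset file, writes a cleaned copy, and lets `nft -c -f` parse the file without loading it. The function names, the `Error:` half of the pattern and the sample ruleset are assumptions made for illustration; only the `Warning:` line comes from the post.

```shell
#!/bin/sh
# Added example: pre-flight check for an nftables ruleset file such as
# /etc/sysconfig/nftables.conf. All names below are hypothetical.
# "Warning:" is the text quoted in the post; "Error:" is an assumed extension.
STRAY_PATTERN='^[[:space:]]*(Warning|Error):'

# Constructed sample: a ruleset with two captured warning lines in it.
write_sample_conf() {
    cat > "$1" <<'EOF'
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 22 ip saddr 192.0.2.10 accept
    }
}
EOF
}

# Print "LINENO:TEXT" for each line that is diagnostic text, not nft syntax.
# Exit status is 0 when at least one such line exists.
find_stray_lines() { grep -nE "$STRAY_PATTERN" "$1"; }

# Write a copy of $1 to $2 without those lines; the original is not modified.
write_cleaned_copy() { grep -vE "$STRAY_PATTERN" "$1" > "$2" || true; }

# Report stray lines, then parse the file with nft in check mode (-c),
# which validates the ruleset without applying it. Returns non-zero on a problem.
check_ruleset() {
    conf=$1
    status=0
    if stray=$(find_stray_lines "$conf"); then
        echo "stray diagnostic text in $conf:" >&2
        echo "$stray" >&2
        status=1
    fi
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$conf" || status=1
    else
        echo "nft not found, syntax check skipped" >&2
    fi
    return $status
}

# Stand-alone use: sh check.sh /etc/sysconfig/nftables.conf
if [ $# -gt 0 ]; then check_ruleset "$1"; fi
```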
  • cPRex Jurassic Moderator

    I'm not sure what would be happening here, but at least it doesn't sound like it's related to cPanel, so there's some good news.

     

    0
  • rinkleton

    I just noticed something similar.  I was setting up a new server and had made some entries in host access control.  I did a restart and the entries in host access control are gone.  I took those steps again and it happens again reliably.  I do notice that the services continue to work from the hosts in question even if they aren't listed (such as SSH).  I'm not sure if that's because something else is allowing them. 

    0
  • cPRex Jurassic Moderator

    rinkleton - if you have a way to reproduce this, can you open a ticket so we can take a look?

    0
  • rinkleton

    I usually have issues with that since we get our servers through LiquidWeb.  What's the best way to coordinate that?

    0
  • cPRex Jurassic Moderator

    You'd just contact their team and they would escalate to us if necessary.  So far we haven't been able to reproduce this on our end.

    0
  • rinkleton

    LiquidWeb seems to indicate that is happening because CloudLinux 8 does not support Host Access Control.  This seems to contradict your documentation (link below).  Can you confirm this?

    https://docs.cpanel.net/whm/security-center/host-access-control/

    0
  • cPRex Jurassic Moderator

    Host Access Control is still supported, it's just handled differently in version 8 by the operating system than it was in previous versions, so the interface also looks a bit different than you may remember. 

    0
  • rinkleton

    Yeah I noticed it looked different and you specify the port rather than the service... that's all fine.  But you're saying entries added there should take effect and would not be erased on a reboot when using the current version of WHM and CloudLinux 8?

    0
  • cPRex Jurassic Moderator

    Correct - nothing there should be getting automatically removed.

    0
  • rinkleton

    LiquidWeb did point me to this article https://support.cpanel.net/hc/en-us/articles/4482286014999-Host-Access-Control-doesn-t-work-when-using-another-firewall

    That explains why the rules aren't working, and maybe that's why they are being erased on reboot?   But either way, there are a few places in the documentation this should probably be noted.  It would also be nice to have a note on the Host Access Control page in WHM that says that these rules won't have an effect if there is another firewall present on certain OSes, and list those affected.

    0
  • cPRex Jurassic Moderator

    Were you using another firewall tool on the system?  But yes, I think we should have something about this on the main docs page at https://docs.cpanel.net/whm/security-center/host-access-control/.  I've reached out to the documentation team about this so they can get that updated!

    0
  • rinkleton

    Yeah the server was using CSF.   Thanks for your help. 

    0
  • cPRex Jurassic Moderator

    Good to know - we'll update that docs page with more details soon!

    0
  • ITHKBO

    Just wanted to acknowledge we also use CSF before closing.
    So that at least explains it on paper and I guess it is time to retire host access control for us.

    Thank you both for the additional supplied information we are going to update our internal documentation.

     

    0
