Firewall - Import/Export IP List and Bulk Add
Would it be possible to add an import/export feature to the Firewall settings or at least provide a bulk add capability?
Adding IPs one at a time is very time consuming to say the least.
A simple solution would be to permit a comma separated list to go into the text field.
Starting with the 18.0.53 version, the ability to export and import a firewall rules configuration from a Plesk server to other Plesk servers -- AA
-
Nicola Rossi commented
**** I think I found a solution
I tried it and it seems to work, so can someone more expert than me please confirm?
I created a rule for a CDN IP list with 2 entries in the firewall... then exported the firewall rules via JSON and named the file (the original, to have as a backup)... then, using a text editor like Notepad++, found where the addresses are and simply put them in one by one, comma separated... then imported the modified file (JSON) again, and it seems all rules are loaded correctly in their positions
Can it be so simple????
-
QuotesUK commented
Not true... you can import and export ALL rules but you can’t select which groups. And if you want to edit a group you have to go line by line, there is no bulk add feature at the group level.
For example, if I want to add a group of Cloudflare IPs to an allow list I have to either create a new group and add each IP one at a time; or export the JSON file of ALL rules, edit offline and then import which REPLACES ALL.
There is no practical method for managing a group of IPs
-
Hailie commented
Any news on this?
-
EhudZ commented
Note, this is possible via CLI, and also it's possible to control rules at the Plesk DB level via CLI.
-
EhudZ commented
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
and then apply and confirm only once at the end:
On first SSH:
/usr/local/psa/bin/modules/firewall/settings -a
On second SSH:
/usr/local/psa/bin/modules/firewall/settings -c
whois -h whois.radb.net -- '-i origin AS207459' | grep ^route
As per the root cause of rules application issue: the files I removed are created by rules activation script and should be removed at the end of the script
Other firewall rules activation process could be executed and stuck when you launched another one.
To avoid such an issue, check if there are any running firewall processes:
# ps aux | grep [f]irewall-new.sh
Also, you may get lists of CIDR IPs for ISP via:
https://www.enjen.net/asn-blocklist/
-
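Added example, not part of any comment above: a dry-run shell helper that validates a text list of IPv4 addresses/CIDRs (plain lines or `route:` lines as printed by the whois command) and prints a single `settings -s` command in the form posted in the thread. The function names, the sample data and the comma separator used for LIST are assumptions of this example.

```shell
# Added example: prints the rule command (dry run), never executes it.
FW=/usr/local/psa/bin/modules/firewall/settings   # path as posted in the thread

# Succeeds only for well-formed IPv4 or IPv4/prefix (octets 0-255, prefix 0-32).
valid_cidr() {
    vc_ip=${1%/*} vc_prefix=32
    case $1 in */*) vc_prefix=${1#*/} ;; esac
    case $vc_prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$vc_prefix" -le 32 ] || return 1
    case $vc_ip in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $vc_ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for vc_o in "$@"; do
        [ ${#vc_o} -le 3 ] && [ "$vc_o" -le 255 ] || return 1
    done
}

# Reads stdin: one address per line, '#' comments, optional "route:" label as in
# whois output. Echoes a de-duplicated list joined with commas (the separator
# for LIST is an assumption of this example). IPv4 only; other lines are skipped.
cidr_list() {
    cl_out=""
    while IFS= read -r cl_line || [ -n "$cl_line" ]; do
        cl_line=${cl_line%%#*}; cl_line=${cl_line#route:}
        cl_entry=$(printf '%s' "$cl_line" | tr -d '[:space:]')
        [ -n "$cl_entry" ] || continue
        valid_cidr "$cl_entry" || { echo "skipped: $cl_entry" >&2; continue; }
        case ",$cl_out," in
            *",$cl_entry,"*) ;;                          # duplicate, keep first
            *) cl_out="${cl_out:+$cl_out,}$cl_entry" ;;
        esac
    done
    printf '%s\n' "$cl_out"
}
# Prints the rule command for name $1 from the list on stdin; refuses an empty list.
rule_command() {
    case $1 in *\'*) echo "rule name must not contain a quote" >&2; return 1 ;; esac
    rc_list=$(cidr_list)
    [ -n "$rc_list" ] || { echo "no valid addresses, no rule printed" >&2; return 1; }
    printf "%s -s -name '%s' -direction input -action deny -ports '' -remote-addresses \"%s\"\n" \
        "$FW" "$1" "$rc_list"
}

# Constructed sample input (documentation ranges, not real data).
SAMPLE='route:      192.0.2.0/24
198.51.100.7   # single host
192.0.2.0/24
10.0.0.256'
printf '%s\n' "$SAMPLE" | rule_command 'Block NAME'
```

Review the printed command before running it, then apply and confirm once with `-a` and `-c` as in the comment above.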
EhudZ commented
well.. I was in touch with support referring to this idea here, and the Plesk dev team asked to get elaboration...
apparently not a lot of tools for this important task.
The one I just added to my website seems to be for pages and the website itself. I'm looking for an easy tool to add also for SSHD level. I'm not sure CDN would do that..
-
QuotesUK commented
I think you have a good idea, just goes a bit further than a "simple" import/export capability
However I also note that this request is now 6 years old :(
If we can't get an import/export feature added in 6 years then a geo filter probably has no realistic chance of being looked at. Which is a shame.
-
EhudZ commented
I was asked to elaborate them here by Plesk dev team, which passed their request via Plesk support team.
-
QuotesUK commented
Ehudz, your comments for extended function are perfectly reasonable and valid. I would suggest you add them as a separate feature suggestion.
This topic is for a basic import/export capability
If the capability was available you could easily load such a list to your requirements
-
EhudZ commented
And here is a file:
Amazon AWS IP list
-
EhudZ commented
I would like to add the list (as provided in JSON file) of AWS used IPs so all of those are WhiteListed on the Plesk FireWall.
I'm also looking into ways to connect the Plesk firewall to tools geo-restricting ALL access to instance (including SSHD) for certain countries according to countries (could it be added to the Plesk FireWall). Have a look at these two links:
https://lonewolfonline.net/blocking-website-access-country-php/
http://www.phptutorial.info/iptocountry/the_script.html
I have found an easy method for blocking a country, it only takes a few lines of code and has virtually no server load, so read on and I'll tell you.
It works like this:
Go to http://www.phptutorial.info/iptocountry/the_script.html for a look at "country identification without databases." Download the complete database (~540k) and extract it to a folder on your website. It will create a folder called 'ip_files'.
Next use this bit of PHP at the top of each of your pages. (Code provided on phptutorial.info)
// X-Forwarded-For is supplied by the client unless a proxy you control overwrites it.
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
else
    $ip = $_SERVER['REMOTE_ADDR'];

$two_letter_country_code = iptocountry($ip);

function iptocountry($ip)
{
    // Accept only a well-formed IPv4 address: its first octet becomes part of the include path.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false)
        return "unknown";
    $numbers = preg_split("/\./", $ip);   // split on literal dots
    $country = "";
    include("ip_files/".$numbers[0].".php");
    $code = ($numbers[0] * 16777216) + ($numbers[1] * 65536) + ($numbers[2] * 256) + ($numbers[3]);
    foreach ($ranges as $key => $value)
    {
        if ($key <= $code)
        {
            if ($ranges[$key][0] >= $code)
            {
                $country = $ranges[$key][1];
                break;
            }
        }
    }
    if ($country == "")
    {
        $country = "unknown";
    }
    return $country;
}
Then, add this little blocking script at the end of the code above:
if ($two_letter_country_code=="US")
    die();
You should replace US with the two letter country code for the country you are trying to block.
I have taken this a bit further on mine, in that I check for a valid session, and if not found, run all the checks and create a session. This prevents the script from running every page load - just when a new visitor connects.
<?php
session_start();
if (!isset($_SESSION['FirstVisit']))
{
if ($two_letter_country_code=="US")
die();
else
$_SESSION['FirstVisit'] = 1;
}
?>
Of course, this isn't a perfect solution and will only protect your PHP pages, but in an emergency?
Note, you can find a full list of country codes listed in countries.php within ip_files folder of the zip file.
-
Kuzma commented
Implement functionality to add multiple IP addresses in one-line (separated by comma, for example) in Plesk Firewall UI.
Currently, this is only possible via a command-line interface.
-
Koert commented
Please add as soon as possible!
-
Larsen commented
-
Anonymous commented
Yes please, +1. I can't really use Fail2Ban until I have some easy to maintain IPs, adding a description is also required.
-
Justin commented
YES. This needs to be implemented!!
-
Liew CheonFong commented
Really need this feature to blacklist/whitelist a list of ip addresses
-
Maarten Ligthart commented
I agree with this 100 percent! It would be really useful if you could bulk add IP addresses to the firewall!
-
SlimDeluxe commented
I'd like to import this list: http://www.ipdeny.com/ipblocks/
I want to block China, Viet Nam and other origins of attacks I get on FTP, SSH, WWW... servers.
-
QuotesUK commented
My hosting provider is migrating me to a new server. They told me they cannot transfer my existing Firewall list of denied IPs.
So instead of being able to export the list of IPs and import them on the newly provisioned server I have to re-enter each one by hand.
Another scenario. Amazon Cloud publish a list of the IPs they use. They are often abused by spammers and bots which can attack hosted forums and CMS. You can pick up the list here... https://forums.aws.amazon.com/ann.jspa?annID=1701 ... until Pinterest came along I used to block all of their EC2 IPs and trouble just faded away. However I still block aggressive bots and unwanted probing from cloud hosting providers from RedStation, ahrefsbot, panopta, etc.
So, assuming I want to drop an existing list of denied IPs and replace with a fresh list, it would be really nice if I didn't have to do so line by line, by line, by line, by line... if you get my point.