EhudZ
My feedback
49 results found
-
47 votes
Thank you for your input! We will consider this functionality in upcoming releases if it is popular.
Everyone, please continue voting for this feature if you consider it important.
— AY
EhudZ supported this idea
-
55 votes
Good news! Despite the low number of votes that this request got, from some additional reports Plesk understands that this is a critical function for some users. We do not have an ETA yet, but it will be worked on in the scope of upcoming feature enhancements.
EhudZ commented
```shell
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
/usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"
```
and then apply and confirm only once at the end:
On first SSH:
```shell
/usr/local/psa/bin/modules/firewall/settings -a
```
On second SSH:
```shell
/usr/local/psa/bin/modules/firewall/settings -c
```
```shell
whois -h whois.radb.net -- '-i origin AS207459' | grep ^route
```
As for the root cause of the rules application issue: the files I removed are created by the rules activation script and should be removed at the end of the script.
Another firewall rules activation process could have been executing and got stuck when you launched another one.
To avoid such an issue, check whether there are any running firewall processes:
```shell
ps aux | grep [f]irewall-new.sh
```
Also, you may get lists of CIDR IPs for an ISP via:
https://www.enjen.net/asn-blocklist/
EhudZ supported this idea
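Added example (my code, not EhudZ's or Plesk's): it takes the output of the RADB whois query from the comment above (a constructed sample here, not real data for AS207459), keeps only syntactically valid IPv4 prefixes, de-duplicates them, and renders the Plesk Firewall CLI calls shown in the comment, with one apply and one confirm at the end. The binary path and the flags are the ones in the comment; that -remote-addresses accepts a comma-separated list, and the batch size per rule, are assumptions.

```python
import ipaddress
import re
import shlex

PLESK_FW = "/usr/local/psa/bin/modules/firewall/settings"  # path used in the comment

# Constructed sample of `whois -h whois.radb.net -- '-i origin AS207459'` output.
# Documentation prefixes, not real routes for that ASN; the duplicate object,
# the IPv6 route and the malformed line are deliberate.
SAMPLE_WHOIS = """\
route:      198.51.100.0/24
descr:      Example Hosting
origin:     AS207459
source:     RADB

route:      198.51.100.0/24
descr:      same object, mirrored twice
origin:     AS207459

route:      203.0.113.0/25
origin:     AS207459

route6:     2001:db8:1::/48
origin:     AS207459

route:      not-a-prefix
origin:     AS207459
"""

ROUTE_RE = re.compile(r"^route6?:\s*(\S+)\s*$", re.MULTILINE)


def extract_prefixes(whois_text, ipv4_only=True):
    """Sorted, de-duplicated, valid prefixes from route:/route6: objects.
    Invalid tokens are dropped instead of being handed to the firewall,
    where one bad entry would make the whole rule fail."""
    nets = set()
    for raw in ROUTE_RE.findall(whois_text):
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            continue
        if ipv4_only and net.version != 4:
            continue
        nets.add(net)
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def build_commands(prefixes, label, per_rule=100):
    """One deny rule per `per_rule` prefixes, then a single apply (-a) and a
    single confirm (-c), as the comment recommends. Assumption: the
    -remote-addresses argument is a comma-separated list."""
    cmds = []
    for i in range(0, len(prefixes), per_rule):
        chunk = prefixes[i:i + per_rule]
        name = shlex.quote(f"Block {label} {i // per_rule + 1}")
        cmds.append(
            f"{PLESK_FW} -s -name {name} -direction input -action deny "
            f"-ports '' -remote-addresses {shlex.quote(','.join(chunk))}"
        )
    cmds.append(f"{PLESK_FW} -a")
    cmds.append(f"{PLESK_FW} -c")
    return cmds


if __name__ == "__main__":
    for cmd in build_commands(extract_prefixes(SAMPLE_WHOIS), "AS207459", per_rule=1):
        print(cmd)
```

A rule with -ports '' denies every port, SSH included, so add an allow rule for your own management address before applying and keep the confirm step ready on a second session, as the comment does. RADB route objects are registered, not necessarily announced, so a list built this way can be both stale and broader than what the ASN actually routes.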
EhudZ commented
well.. I was in touch with support referring to this idea here, and the Plesk dev team asked for elaboration...
Apparently there are not a lot of tools for this important task.
The one I just added to my website seems to be for pages and the website itself. I'm looking for an easy tool to add also at the SSHD level. I'm not sure a CDN would do that..
EhudZ commented
I was asked to elaborate on them here by the Plesk dev team, which passed their request via the Plesk support team.
EhudZ commented
And here is a file:
Amazon AWS IP list
EhudZ commented
I would like to add the list (as provided in a JSON file) of AWS-used IPs so all of those are whitelisted on the Plesk FireWall.
I'm also looking into ways to connect the Plesk firewall to tools geo-restricting ALL access to the instance (including SSHD) for certain countries (could it be added to the Plesk FireWall?). Have a look at these two links:
https://lonewolfonline.net/blocking-website-access-country-php/
http://www.phptutorial.info/iptocountry/the_script.html
I have found an easy method for blocking a country, it only takes a few lines of code and has virtually no server load, so read on and I'll tell you.
It works like this:
Go to http://www.phptutorial.info/iptocountry/the_script.html for a look at "country identification without databases." Download the complete database (~540k) and extract it to a folder on your website. It will create a folder called 'ip_files'.
Next use this bit of PHP at the top of each of your pages. (Code provided on phptutorial.info)
```php
<?php
// Prefer the forwarded address when one is present (the original's logic).
// NOTE: X-Forwarded-For is client-supplied; a client connecting directly can
// send any value and so pick its own "country". Only trust it when the request
// really arrived through a proxy you control.
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}
$two_letter_country_code = iptocountry($ip);

function iptocountry($ip)
{
    // Split on a literal dot; an unescaped "/./" would split on every character.
    $numbers = preg_split("/\./", $ip);
    // ip_files/<first octet>.php defines $ranges: start => array(end, country_code)
    include("ip_files/" . $numbers[0] . ".php");
    $code = ($numbers[0] * 16777216) + ($numbers[1] * 65536) + ($numbers[2] * 256) + ($numbers[3]);
    $country = "";
    foreach ($ranges as $key => $value) {
        if ($key <= $code) {
            if ($ranges[$key][0] >= $code) {
                $country = $ranges[$key][1];
                break;
            }
        }
    }
    if ($country == "") {
        $country = "unknown";
    }
    return $country;
}
?>
```
Then, add this little blocking script at the end of the code above:
```php
if ($two_letter_country_code == "US")
    die();
```
You should replace US with the two-letter country code for the country you are trying to block.
I have taken this a bit further on mine, in that I check for a valid session, and if not found, run all the checks and create a session. This prevents the script from running every page load - just when a new visitor connects.
```php
<?php
// session_start() must run before any output, and $two_letter_country_code
// must already have been computed by the lookup code above.
session_start();
if (!isset($_SESSION['FirstVisit'])) {
    if ($two_letter_country_code == "US")
        die();
    else
        $_SESSION['FirstVisit'] = 1;
}
?>
```
Of course, this isn't a perfect solution and will only protect your PHP pages, but in an emergency?
Note, you can find a full list of country codes listed in countries.php within the ip_files folder of the zip file.
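The quoted blog snippet takes X-Forwarded-For at face value, so any client connecting directly can send that header and choose its own country, and it walks the whole range table on every request. Added example (my code, not lonewolfonline's, phptutorial.info's or EhudZ's), in Python rather than PHP: the same start/end range lookup done with a binary search over a constructed three-row table (not the ip_files database), and a client-address rule that only honours X-Forwarded-For when the TCP peer is one of the listed proxies. The trusted proxy addresses and the sample ranges are assumptions.

```python
import bisect
import ipaddress

# Constructed sample table (documentation ranges, not a real GeoIP database):
# (first address, last address, ISO 3166-1 alpha-2 code).
SAMPLE_RANGES = [
    ("192.0.2.0", "192.0.2.255", "US"),
    ("198.51.100.0", "198.51.100.127", "SG"),
    ("203.0.113.0", "203.0.113.255", "DE"),
]


def ip_to_int(ip):
    """Same value as the PHP a*16777216 + b*65536 + c*256 + d, but a malformed
    string raises instead of silently yielding a wrong number."""
    return int(ipaddress.IPv4Address(ip))


class CountryTable:
    """Rows sorted by start address; lookup is a binary search instead of the
    linear scan over $ranges in the PHP version."""

    def __init__(self, ranges):
        self.rows = sorted((ip_to_int(s), ip_to_int(e), c) for s, e, c in ranges)
        self.starts = [r[0] for r in self.rows]

    def lookup(self, ip):
        try:
            n = ip_to_int(ip)
        except ipaddress.AddressValueError:
            return "unknown"
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2]
        return "unknown"


def client_ip(remote_addr, xff, trusted_proxies):
    """Choose the address to geolocate. X-Forwarded-For is consulted only when
    the TCP peer is one of our own proxies. The chain is walked from the right,
    skipping our proxies, so the first foreign hop wins; anything further left
    was written by parties we do not control."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if not xff or ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if ipaddress.ip_address(hop) not in trusted:
                return hop
        except ValueError:
            return remote_addr  # malformed header: fall back to the socket peer
    return remote_addr


def is_blocked(table, remote_addr, xff, trusted_proxies, deny_codes):
    """Equivalent of the page's `if ($two_letter_country_code == "US") die();`,
    driven by the trusted client address rather than the raw header."""
    return table.lookup(client_ip(remote_addr, xff, trusted_proxies)) in deny_codes
```

Note that, as with the PHP version, this only covers requests that reach the application; it does nothing for SSHD or other services, which is the gap the feature request is about.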
-
714 votes
As an alternative option, you can configure GeoIP protection using nginx GeoIP module https://docs.plesk.com/en-US/obsidian/administrator-guide/website-management/websites-and-domains/extended-website-management/plesk-for-linux-setting-up-ip-geolocation-for-a-website.80011/
Please let us know what you think about it.
--AA
EhudZ commented
Hi,
The Plesk FW suffers from code that converts some IPv4 IPs to their IPv6 transformation, causing it to run for hours if placing lots of IPs in it. If it did not have that issue, you could easily block thousands of IP ranges without any performance issues... related to UPDATING the firewall with new content.
If you are looking to block only one country... this should be doable.
Blocking 5.10.0.0/16, which is all IPs after the prefix 5.10.*, should be a piece of cake anyway.. however this is not all the IPs in that country (Russia?).
You may also use ModSecurity to block countries using their ISO 2-letter country code.
You may look at the solution on the below Plesk support ticket, and also read my (not Plesk support) comments:
This is also in the attached file.
EhudZ commented
And, it seems there is an additional way to do so on nginx:
EhudZ commented
Updating the CRS (i.e., COMODO), which is done on a daily basis, moves the *.conf files to a backup and creates a NEW one, thus the Plesk GUI Custom directives should be used.
This is seen afterwards in the file:
/etc/apache2/plesk.conf.d/modsecurity.conf
```apache
SecDefaultAction \
    "phase:1,deny,status:403,log,auditlog"
SecDefaultAction \
    "phase:2,deny,status:403,log,auditlog"
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_name} (%{geo.country_code})',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}}'"
    SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"
```
If you do NOT update the CRS, you may use the guidance placed above. I recommend you read it all, as there are some important action recommendations in it.
EhudZ commented
Such a feature may be achieved using the ModSecurity GeoIP module on Plesk.
Below is a full guidance:
ModSecurity Blocking Countries Guidance
1) Download the GeoIP Lite database:
```shell
curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
```
Or download some other DB files from:
GeoIP Legacy Databases
Or, a paid one from Maxmind.
Note 1: The IP database file should be updated once in a month (/a while) as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month.
Note 2: The Maxmind file FORMAT is expected to change in May 2022. If not updating to a newer ModSecurity-suitable module, the near-future (from May 2022) Maxmind file should be converted to the legacy file format. In December 2021, it downloads as file.dat.gz, so note the two file formats in the file name before it is uncompressed.
2) Uncompress the file (convert the zipped *.gz file to a *.dat file):
```shell
gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz
```
3) Upload the COUNTRY file to:
/usr/share/GeoIP/GeoLiteCountry.dat
4) Enable GeoIP in a file according to which ModSecurity rule set is used:
For OWASP:
```shell
vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf
```
Uncomment the following line:
```apache
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
```
For COMODO:
```shell
vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf
```
Add the below line at the end of the file:
```apache
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
```
5) Manually create a ModSecurity rule
Using OWASP:
```shell
touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf
```
Using COMODO:
```shell
touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf
```
Place the rule in the just-created file:
```apache
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
    SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
```
Note: "XX" are to be replaced with the actual country codes.
Also, the rule id (in the above example, "99999932392") should be unique, otherwise the apache2 service wouldn't
The two-character ISO country code list is available here:
ISO 3166-1 alpha-2 - Wikipedia
You may copy the country codes already set in one line from the below example, blocking all countries but USA, Canada, Russia, most Western European countries, and Israel.
```apache
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
    SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"
```
6) Test the server configuration and fix it before restarting if needed:
```shell
apachectl configtest
```
7) Restart the server, to make sure the new configuration takes effect:
```shell
systemctl restart apache2
```
8) Test that the blocking happens.
You may use the mobile phone Opera browser, which has a built-in VPN, allowing you to choose Asia/Europe/America as a location.
Choose Asia, which in my case used a Singapore IP. Set Opera to also include VPN for search results.
Then, with mobile Opera set to Asia, check on Google: "What is my IP?"
And copy the IP to check it's indeed in Asia, on a service such as (replace the 8.8.8.8 IP with the one you got):
8.8.8.8 IP Address Details - IPInfo.io
Now, access your website. You may get a '502' error on the browser client. The log file will look something like:
```
2021-mm-dd 12:51:40 Error 77.111.245.12 403 GET / HTTP/1.0 5.00 K Apache SSL/TLS access
2021-mm-dd 12:51:40 Error 77.111.245.12 [client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"] Apache error
2021-mm-dd 12:51:40 Error 77.111.245.12 62778#0: *180 upstream prematurely closed connection while reading response header from upstream nginx error
```
** See more recommendations in the attached PDF file **
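Two checks a practitioner wants around steps 5 to 8 of that guidance, as an added example (my code, not Plesk's, the CRS's or EhudZ's): finding rule ids that are defined in more than one .conf file, which is what makes the restart in step 7 fail, and pulling the client, country, rule file and id out of the ModSecurity denial line from step 8 so the test in step 8 can be checked from logs rather than by eye. The rule files and the log line below are constructed samples in the shape shown above, not real configs or real traffic.

```python
import re
from collections import defaultdict

# Constructed sample rule files (not the real CRS/COMODO contents). The second
# file re-uses the id from country_block.conf, the mistake the guidance warns about.
SAMPLE_CONFS = {
    "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf": r"""
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
    SecRule GEO:COUNTRY_CODE "@pm KP SG"
""",
    "/etc/apache2/plesk.conf.d/modsecurity.conf": r"""
# id:1 inside a comment must not count
SecRule FILES_TMPNAMES "@inspectFile /opt/scan.pl" \
    "id:'99999932471',phase:2,deny,log"
SecAction "id:99999932392,phase:1,pass,nolog"
""",
}

# Constructed log line in the shape shown in step 8 (hostname and IP replaced).
SAMPLE_LOG = (
    '2021-mm-dd 12:51:40 Error 203.0.113.7 [client 203.0.113.7] ModSecurity: '
    'Access denied with connection close (phase 1). Matched phrase "SG" at '
    'GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/'
    'country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] '
    '[hostname "www.example.com"] [uri "/"] [unique_id "AAAA"] Apache error'
)

ID_RE = re.compile(r"""\bid:\s*['"]?(\d+)['"]?""")


def rule_ids(conf_text):
    """Ids of every SecRule/SecAction in a config fragment. Backslash-newline
    continuations are joined first so an id on a continuation line is seen;
    comment lines and the id-less second rule of a chain contribute nothing."""
    joined = conf_text.replace("\\\n", " ")
    ids = []
    for line in joined.splitlines():
        if line.lstrip().startswith(("SecRule", "SecAction")):
            ids.extend(int(m) for m in ID_RE.findall(line))
    return ids


def duplicate_ids(files):
    """files: {path: text}. Returns {id: [paths]} for ids defined more than once."""
    seen = defaultdict(list)
    for path, text in files.items():
        for rid in rule_ids(text):
            seen[rid].append(path)
    return {rid: paths for rid, paths in seen.items() if len(paths) > 1}


DENIAL_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied.*?'
    r'Matched phrase "(?P<country>[A-Z]{2})" at GEO:COUNTRY_CODE.*?'
    r'\[file "(?P<file>[^"]+)"\].*?\[id "(?P<id>\d+)"\]'
)


def parse_geo_denial(line):
    """Client, country, rule file and id from a GeoIP denial line; None otherwise."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["id"] = int(hit["id"])
    return hit


if __name__ == "__main__":
    print(duplicate_ids(SAMPLE_CONFS))
    print(parse_geo_denial(SAMPLE_LOG))
```

To run it against a real host, read every rule file Apache actually includes into the files dict; which directories that covers (everything under /etc/apache2/modsecurity.d/ and /etc/apache2/plesk.conf.d/ on the layout shown above) is an assumption to verify on your own installation.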
EhudZ commented
Issue is resolved. This task can be done with Plesk 'as-is'.
Attached is a full guidance, in a PDF file.
EhudZ commented
Plesk, IMHO, it's about time... Security is more and more important every day that passes.
EhudZ supported this idea
EhudZ commented
True, Juggernaut does so, however for a hefty $100 a year. This task should not cost that.
EhudZ commented
Re BitNinja, please also note the hefty price it comes with... $300 a year, as a Plesk extension.
EhudZ commented
Hi,
Would BitNinja remove the usage of the Plesk built-in FireWall IPTables and IPSet, as it requires their usage:
https://doc.bitninja.io/installation/ubuntu1004.html
What does the non-pro version provide?
And, is the Plesk installation of the extension reversible exactly to the pre-installation configuration
(for example Plesk FireWall manual rules)?
EhudZ commented
Spam comes from all over, not only from 64K IPs...
EhudZ commented
All of these deny-country tools are REALLY EASY to build. Their code is like 200 lines, and they use a free real-time updating DB of IPs associated to countries.
This should be a built-in Plesk tool, with no need for a monthly payment for it. It's worth 5 USD a year, not 5 USD a month...
-
2 votes
-
18 votes
Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IG
EhudZ supported this idea
-
3 votes
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
--
IG
EhudZ supported this idea
-
543 votes
Thank you for your input! We will consider this functionality in upcoming releases if it is popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG
EhudZ commented
Plesk cannot take years to implement the latest server services.
EhudZ supported this idea
-
297 votes
Thank you for your input! We will consider this functionality in upcoming releases if it is popular.
Everyone, please continue voting for this feature if you consider it important.
— rk
EhudZ commented
Using Plesk should not restrict users to using OLD services, but keep users free to use state-of-the-art server services.
EhudZ supported this idea
-
17 votes
EhudZ commented
Very important.
EhudZ supported this idea
-
7 votes
Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IG
EhudZ commented
Any news?
EhudZ supported this idea
-
1,177 votes
EhudZ commented
Hi,
I'm a user and not from Plesk support.
ClamAV is, to the best of my understanding, enabled on Plesk for Plesk-hosted mail protection:
https://www.plesk.com/blog/guides/how-to-protect-email-servers-against-spam-viruses/
I have implemented ClamAV manually to scan uploaded files, using ModSecurity as the base technology.
inspectFile
Description: Executes an external program for every variable in the target list. The contents of the variable are provided to the script as the first parameter on the command line. The program must be specified as the first parameter to the operator. As of version 2.5.0, if the supplied program filename is not absolute, it is treated as relative to the directory in which the configuration file resides. Also as of version 2.5.0, if the filename is determined to be a Lua script (based on its .lua extension), the script will be processed by the internal Lua engine. Internally processed scripts will often run faster (there is no process creation overhead) and have full access to the transaction context of ModSecurity.
The @inspectFile operator was initially designed for file inspection (hence the name), but it can also be used in any situation that requires decision making using external logic.
The OWASP ModSecurity Core Rule Set (CRS) includes a utility script in the /util directory called runav.pl that allows the ModSecurity file approval mechanism to integrate with the ClamAV virus scanner. This is especially handy to prevent viruses and exploits from entering the web server through file upload.
```perl
#!/usr/bin/perl
#
# runav.pl
# Copyright (c) 2004-2011 Trustwave
#
# This script is an interface between ModSecurity and its
# ability to intercept files being uploaded through the
# web server, and ClamAV

$CLAMSCAN = "clamscan";

if ($#ARGV != 0) {
    print "Usage: runav.pl <filename>\n";
    exit;
}

my ($FILE) = shift @ARGV;

# The file name is interpolated into a shell command; that is acceptable here
# only because FILES_TMPNAMES holds server-generated temporary paths.
$cmd = "$CLAMSCAN --stdout --no-summary $FILE";
$input = `$cmd`;
$input =~ m/^(.+)/;
$error_message = $1;

# A line starting with "0" rejects the upload, "1" accepts it.
$output = "0 Unable to parse clamscan output [$1]";

if ($error_message =~ m/: Empty file\.?$/) {
    $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
    $output = "1 clamscan: OK";
}

print "$output\n";
```
Example: Using the runav.pl script:
```apache
# Execute external program to validate uploaded files
SecRule FILES_TMPNAMES "@inspectFile /path/to/util/runav.pl" "id:159"
```
Example of using a Lua script (placed in the same directory as the configuration file):
```apache
SecRule FILES_TMPNAMES "@inspectFile inspect.lua" "id:160"
```
The contents of inspect.lua:
```lua
function main(filename)
    -- Do something to the file to verify it. In this example, we
    -- read up to 10 characters from the beginning of the file.
    local f = io.open(filename, "rb");
    if not f then
        -- Unreadable file: report a match so the upload is rejected.
        return "cannot open file";
    end
    local d = f:read(10);
    f:close();

    -- Return nil if there is no reason to believe there is anything
    -- wrong with the file (no match). Returning any text will be taken
    -- to mean a match should be triggered.
    return nil;
end
```
Note: Starting in version 2.9, ModSecurity will not fill the FILES_TMPNAMES variable unless the SecTmpSaveUploadedFiles directive is On, or the SecUploadKeepFiles directive is set to RelevantOnly.
Note: Use @inspectFile with caution. It may not be safe to use @inspectFile with variables other than FILES_TMPNAMES. Other variables such as "FULL_REQUEST" may contain content that forces your platform to fork a process out of your control, making it possible for an attacker to execute code with the same permissions as your web server. For other variables you may want to look at the Lua script engine. This observation was brought to our attention by "Gryzli", on our users mailing list.
Version: 2.x
Supported on libModSecurity: TBI
file upload modsecurity protection
I have installed ClamAV according to the instructions.
I have set the script in place.
The script is called by a new rule added via Plesk manual rules:
```apache
SecRule FILES_TMPNAMES "@inspectFile /etc/apache2/modsecurity.d/modsec_clamav.pl" \
    "id:'99999932471', \
    phase:2, \
    t:none, \
    deny, \
    log, \
    msg:'Infected File upload detected', \
    tag:'MALICIOUS_SOFTWARE/VIRUS'"
```
Tested the syntax and restarted the Apache server.
Could not test file upload as those were not IMAGE or PDF.
The script has to get execution permissions.
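An added example (my code, not the CRS's runav.pl and not EhudZ's modsec_clamav.pl): the same @inspectFile contract in Python, which is what any replacement for the Perl script has to honour: the upload's temporary path arrives as the first argument and one line goes back, "1 text" to accept or "0 text" to reject. It differs from runav.pl in three ways: clamscan is started without a shell, the scan has a timeout, and anything that is not a clean result is rejected, including a missing or hanging scanner. The clamscan path is an assumption; the rule that wires it in is the one shown in the comment above with the .pl path swapped for this script, and, as noted there, the file needs execute permission and FILES_TMPNAMES is only populated when SecTmpSaveUploadedFiles is On (or SecUploadKeepFiles RelevantOnly).

```python
#!/usr/bin/env python3
"""@inspectFile scanner: ModSecurity passes the temporary upload path as argv[1]
and reads back one line, "1 <text>" to accept the file or "0 <text>" to reject it."""
import subprocess
import sys

CLAMSCAN = "/usr/bin/clamscan"  # assumed location; adjust for the host


def verdict_from_output(first_line):
    """Map clamscan's per-file result line to (1 accept | 0 reject, message).
    Unrecognised output is rejected: failing closed is the point of the scan."""
    line = first_line.rstrip()
    detail = line.rsplit(": ", 1)[-1]  # text after "<path>: "
    if line.endswith(": OK"):
        return 1, "clamscan: OK"
    if detail in ("Empty file", "Empty file."):
        return 1, "empty file"
    if line.endswith(" FOUND"):
        return 0, "clamscan: " + detail[: -len(" FOUND")]
    if line.endswith(" ERROR"):
        return 0, "clamscan: " + detail[: -len(" ERROR")]
    return 0, "Unable to parse clamscan output [%s]" % line


def scan(path, clamscan=CLAMSCAN, timeout=60):
    """Run clamscan without a shell (the path is an argv element, not text
    interpolated into a command string as in runav.pl) and bound its runtime.
    A missing or hanging scanner rejects the upload instead of waving it through."""
    try:
        proc = subprocess.run(
            [clamscan, "--stdout", "--no-summary", path],
            capture_output=True, text=True, timeout=timeout, check=False,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        return 0, "clamscan unavailable: %s" % exc
    first = proc.stdout.splitlines()[0] if proc.stdout else ""
    return verdict_from_output(first)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("0 usage: modsec_clamav.py <filename>")
        sys.exit(0)
    code, message = scan(sys.argv[1])
    print("%d %s" % (code, message))
```

Test it before wiring it into ModSecurity by running it by hand against an EICAR test file and against an empty file; the EICAR run should print a line starting with 0 and the signature name, the empty file a line starting with 1.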
EhudZ commented
It's very important.
EhudZ supported this idea
-
1 vote
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
--
IG
-
37 votes
Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IG
EhudZ supported this idea
-
137 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
ET
EhudZ commented
This is possible:
```shell
fail2ban-client -vvv set httpd-forbidden banip 54.214.128.0/17
```
Or via:
```shell
fail2ban-client set your-jail-name banip 192.0.2.1
fail2ban-client set your-jail-name unbanip 192.0.2.1
```
EhudZ commented
IMHO, the Plesk FireWall is the place for such IPs...
-
31 votes
We will consider this functionality in upcoming releases if it will be popular. However, in part of integration with 3rd party, probably it will be faster if you create Plesk extension. Please refer to https://docs.plesk.com/en-US/17.0/extensions-guide/what-are-plesk-extensions%3F.76331/ to know how.
Everyone, please continue voting for this feature if you consider it important.
—
ET
EhudZ commented
This is possible.
Have a look at:
https://talk.plesk.com/threads/abuseipdb-with-fail2ban.348869/
-
1 vote
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
--
IG
-
8 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG
EhudZ commented
Hi,
If you would like to get an email notification for ModSecurity, you can do so by setting up a Fail2Ban jail for ModSecurity, and then getting the email notifications.
So in Fail2Ban, what worked for me was adding a second line under action = ....
to be:
```
sendmail[mailcmd='/usr/sbin/sendmail -f "<sender>" "<dest>"', dest="email@recipient.com", sender="fail2ban", sendername="Fail2Ban", name="jail_name"]
```
Note: You may do so for various jails.
EhudZ supported this idea
-
1 vote
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
--
IG
-
1 vote
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
--
IG
-
8 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— AY
EhudZ commented
I have noted that Plesk Toolkit SYNC possibly seems to damage file permissions, so the need is for a Plesk component to identify what process changed the file permissions.
EhudZ supported this idea
Note, this is possible via CLI, and it's also possible to control rules at the Plesk DB level via CLI.