EhudZ

My feedback

49 results found

  1. 102 votes

    EhudZ commented  · 

    A bigger threat could possibly be if the Plesk update is hacked and the Plesk firewall is changed. I recommend also using the AWS firewall to block access to certain ports, such as 22, 8443 and 8447, for all IPs but certain fixed ones.

    EhudZ commented  · 

    You may have port 8443 opened only to certain fixed IPs, done on the AWS hosting level which is not accessible via Plesk or server SSH access.

    EhudZ supported this idea  · 
  2. 2 votes

    EhudZ commented  · 

    This is what OpenAI has to say about this issue:

    To oversign the From, To, and CC headers in DKIM for outgoing emails in Postfix, you can make use of the OpenDKIM milter integration. Here's a general outline of the steps involved:

    Install OpenDKIM: Begin by installing the OpenDKIM package on your Postfix server. The installation steps can vary depending on your operating system. For example, on Ubuntu, you can use the following command:

        sudo apt-get install opendkim opendkim-tools

    Generate DKIM Key: Generate a DKIM key pair using the opendkim-genkey tool. Replace example.com with your domain name:

        opendkim-genkey -b 2048 -d example.com -s selector1

    This will create two files: selector1.private (private key) and selector1.txt (DNS record).

    Configure OpenDKIM: Open the OpenDKIM configuration file (/etc/opendkim.conf) and make the following changes:

        Domain example.com
        KeyFile /etc/opendkim/selector1.private
        Selector selector1
        OversignHeaders From,To,Cc

    Adjust the paths and selectors as per your key and configuration.

    Configure Postfix: Edit the Postfix configuration file (/etc/postfix/main.cf) and add or modify the following lines:

        milter_default_action = accept
        milter_protocol = 2
        smtpd_milters = inet:localhost:8891
        non_smtpd_milters = inet:localhost:8891

    These lines instruct Postfix to use the OpenDKIM milter on localhost port 8891.

    Restart Services: Restart both Postfix and OpenDKIM to apply the changes:

        sudo systemctl restart postfix
        sudo systemctl restart opendkim

    With these steps completed, Postfix will send outgoing emails to the OpenDKIM milter for DKIM signing. The OversignHeaders directive in the OpenDKIM configuration will ensure that the From, To, and CC headers are included in the DKIM signature, even if they are not present in the original message.

    Make sure to test your setup and monitor the mail logs for any errors or issues. Adjust the configuration as needed for your specific environment and requirements.

    EhudZ shared this idea  · 
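What the OversignHeaders setting in the comment above changes on the wire, as an added example that is not part of the original comment and not OpenDKIM code: it applies the RFC 6376 header-selection rule to an h= list with and without the extra entries and checks whether headers added after signing alter the signed data. The messages and function names are constructed; RSA signing and the body hash are left out, and a SHA-256 digest of the selected headers stands in for the signature input.

```python
import hashlib

def relaxed(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2), single-line values only."""
    return f"{name.strip().lower()}:{' '.join(value.split())}\r\n"

def build_h(headers, sign, oversign=()):
    """Build the h= list: each signed name once per occurrence, plus one
    extra entry for every oversigned name (also when the header is absent)."""
    present = [n.lower() for n, _ in headers]
    sign = [n.lower() for n in sign]
    over = [n.lower() for n in oversign]
    h = []
    for name in sign + [n for n in over if n not in sign]:
        h += [name] * (present.count(name) + (1 if name in over else 0))
    return h

def select_headers(headers, h):
    """Pick header instances bottom-up for each h= entry (RFC 6376 section 5.4.2).
    An entry with no unused instance left selects nothing."""
    unused = {}
    for idx, (name, _) in enumerate(headers):
        unused.setdefault(name.lower(), []).append(idx)
    picked = []
    for name in h:
        if unused.get(name):
            picked.append(headers[unused[name].pop()])
    return picked

def header_digest(headers, h):
    """Stand-in for the signed header data: SHA-256 over the selected headers."""
    data = "".join(relaxed(n, v) for n, v in select_headers(headers, h))
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed messages: SIGNED is what the milter saw, ALTERED gained headers later.
SIGNED = [("From", "Alice <alice@example.com>"),
          ("To", "bob@example.net"),
          ("Subject", "Invoice 42")]
ALTERED = [("From", "Someone Else <other@example.org>"),
           ("Cc", "extra@example.org")] + SIGNED

def alteration_detected(oversign):
    """True when the headers added to ALTERED change the signed data."""
    h = build_h(SIGNED, ["From", "To", "Subject"], oversign)
    return header_digest(SIGNED, h) != header_digest(ALTERED, h)

if __name__ == "__main__":
    print("h= without oversigning:",
          ":".join(build_h(SIGNED, ["From", "To", "Subject"])))
    print("added headers detected:", alteration_detected(()))
    print("h= with OversignHeaders From,To,Cc:",
          ":".join(build_h(SIGNED, ["From", "To", "Subject"], ["From", "To", "Cc"])))
    print("added headers detected:", alteration_detected(["From", "To", "Cc"]))
```

Without the extra h= entries the verifier selects only the bottom-most From, so the signature still validates on the altered message; with them, the added From and Cc fall into the signed set and verification fails.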
  3. 2 votes

    EhudZ shared this idea  · 
  4. 23 votes

    EhudZ supported this idea  · 
  5. 24 votes

    EhudZ commented  · 

    I consider this a PLESK BUG, as the absence of DKIM causes a strict DMARC policy to fail.

    EhudZ supported this idea  · 
  6. 29 votes

    EhudZ commented  · 

    Plesk server notifications are sent without a DKIM signature, even if the Plesk domain is configured to be a mail server, and even if DKIM is configured for it.

    This is done, at the same time Fail2Ban or server PHPMailers emails sent via Amazon webmail /SMTP get signed.

    The absence of a DKIM signature is considered by me a Plesk BUG, as its not being on some emails harms the user, preventing implementation of a strict DMARC policy, due to the absence of DKIM on some emails sent to outside servers.

    EhudZ commented  · 

    I find this a Plesk BUG.

    EhudZ supported this idea  · 
  7. 4 votes

    EhudZ commented  · 

    This should have been done automatically...
    As the mail is configured for it, and it's only mail server that fails.

    EhudZ supported this idea  · 
  8. 67 votes

    EhudZ supported this idea  · 
  9. 62 votes

    Good news! Despite the low number of votes that this request got, from some additional reports Plesk understands that this is a critical function for some users. We do not have an ETA yet, but it will be worked on in the scope of upcoming feature enhancements.

    EhudZ commented  · 

    Note, this is possible via CLI, and also it's possible to control rules at the Plesk DB level via CLI.

    EhudZ commented  · 

    /usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"

    /usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"

    /usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"

    /usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"

    /usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"

    /usr/local/psa/bin/modules/firewall/settings -s -name 'Block NAME' -direction input -action deny -ports '' -remote-addresses "LIST"

    and then apply and confirm only once at the end:
    On first SSH:
    /usr/local/psa/bin/modules/firewall/settings -a
    On second SSH:
    /usr/local/psa/bin/modules/firewall/settings -c

    whois -h whois.radb.net -- '-i origin AS207459' | grep ^route

    As per the root cause of the rules application issue: the files I removed are created by the rules activation script and should be removed at the end of the script.
    Another firewall rules activation process could have been executing and got stuck when you launched another one.
    To avoid such an issue, check if there are any running firewall processes:

    # ps aux | grep [f]irewall-new.sh

    Also, you may get lists of CIDR IPs for ISP via:
    https://www.enjen.net/asn-blocklist/

    EhudZ supported this idea  · 
    EhudZ commented  · 

    well.. I was in touch with support referring to this idea here, and the Plesk dev team asked to get elaboration...

    apparently not a lot of tools for this important task.

    The one I just added to my website seems to be for pages and the website itself. I'm looking for an easy tool to add also for SSHD level. I'm not sure CDN would do that..

    EhudZ commented  · 

    I was asked to elaborate them here by Plesk dev team, which passed their request via Plesk support team.

    EhudZ commented  · 

    And here is a file:
    Amazon AWS IP list

    EhudZ commented  · 

    I would like to add the list (as provided in JSON file) of AWS used IPs so all of those are WhiteListed on the Plesk FireWall.

    I'm also looking into ways to connect the Plesk firewall to tools geo-restricting ALL access to instance (including SSHD) for certain countries according to countries (could it be added to the Plesk FireWall). Have a look at these two links:
    https://lonewolfonline.net/blocking-website-access-country-php/

    http://www.phptutorial.info/iptocountry/the_script.html

    I have found an easy method for blocking a country, it only takes a few lines of code and has virtually no server load, so read on and I'll tell you.

    It works like this:

    Goto http://www.phptutorial.info/iptocountry/the_script.html for a look at "country identification without databases." Download the complete database (~540k) and extract it to a folder on your website. It will create a folder called 'ip_files'.

    Next use this bit of PHP at the top of each of your pages. (Code provided on phptutorial.info)

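    // X-Forwarded-For is supplied by the client; rely on it only behind a trusted proxy.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    else
        $ip = $_SERVER['REMOTE_ADDR'];

    $two_letter_country_code = iptocountry($ip);

    function iptocountry($ip)
    {
        // Accept only a dotted-quad IPv4 address: its first octet is used
        // in the include path below.
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4))
            return "unknown";

        // The dot must be escaped; "/./" would split on every character.
        $numbers = preg_split("/\./", $ip);
        $country = "";

        // Loads $ranges for this first octet: start => array(end, country code)
        include("ip_files/".$numbers[0].".php");
        $code = ($numbers[0] * 16777216) + ($numbers[1] * 65536) + ($numbers[2] * 256) + ($numbers[3]);

        foreach ($ranges as $key => $value)
        {
            if ($key <= $code)
            {
                if ($ranges[$key][0] >= $code)
                {
                    $country = $ranges[$key][1];
                    break;
                }
            }
        }

        if ($country == "")
        {
            $country = "unknown";
        }

        return $country;
    }

    Then, add this little blocking script at the end of the code above:

    if ($two_letter_country_code=="US")
        die();

    You should replace US with the two letter country code for the country you are trying to block.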

    I have taken this a bit further on mine, in that I check for a valid session, and if not found, run all the checks and create a session. This prevents the script from running every page load - just when a new visitor connects.

    <?php
    session_start();
    if (!isset($_SESSION['FirstVisit']))
    {
        if ($two_letter_country_code=="US")
            die();
        else
            $_SESSION['FirstVisit'] = 1;
    }
    ?>

    Of course, this isn't a perfect solution and will only protect your PHP pages, but in an emergency?

    Note, you can find a full list of country codes listed in countries.php within ip_files folder of the zip file.
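For the AWS allow-listing request at the start of the comment above, an added example (not from the original comment and not Plesk code) that reads a document in the layout of AWS's published ip-ranges.json, narrows it to one region and service, merges adjacent prefixes, and emits rule commands in the form of the firewall CLI quoted elsewhere on this page. The sample data is constructed; the `allow` action value and the comma-separated address list are assumptions about that CLI, and the function names are hypothetical.

```python
import ipaddress
import json
import shlex

# Constructed sample in the layout of AWS's ip-ranges.json (documentation prefixes).
SAMPLE = json.loads("""
{"syncToken": "0", "createDate": "2000-01-01-00-00-00",
 "prefixes": [
  {"ip_prefix": "192.0.2.0/25",    "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "192.0.2.128/25",  "region": "eu-west-1", "service": "EC2"},
  {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
  {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "S3"}
 ],
 "ipv6_prefixes": []}
""")

# CLI path and flags as quoted in the comments on this page.
SETTINGS = "/usr/local/psa/bin/modules/firewall/settings"

def select_prefixes(doc, region, service):
    """Return merged IPv4 CIDRs for one region and service only, so the
    allow-list does not cover every address AWS publishes."""
    nets = []
    for entry in doc.get("prefixes", []):
        if entry.get("region") == region and entry.get("service") == service:
            # strict=True rejects malformed entries such as 192.0.2.1/24
            nets.append(ipaddress.ip_network(entry["ip_prefix"], strict=True))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def rule_commands(cidrs, name, ports="", per_rule=50):
    """Build one staged rule per chunk of CIDRs; every argument is shell-quoted.
    Assumptions: '-action allow' is accepted and the list is comma-separated."""
    commands = []
    for start in range(0, len(cidrs), per_rule):
        chunk = cidrs[start:start + per_rule]
        argv = [SETTINGS, "-s",
                "-name", f"{name} {start // per_rule + 1}",
                "-direction", "input",
                "-action", "allow",
                "-ports", ports,
                "-remote-addresses", ",".join(chunk)]
        commands.append(" ".join(shlex.quote(a) for a in argv))
    return commands

if __name__ == "__main__":
    for line in rule_commands(select_prefixes(SAMPLE, "eu-west-1", "EC2"), "AWS allow"):
        print(line)
```

The generated commands only stage rules; the apply (`-a`) and confirm (`-c`) steps shown in the earlier comment are still run once at the end.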

  10. 2 votes

  11. 34 votes

    We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.

    However, please be aware that rate-limiting web traffic can and should normally be done using iptables as it is much more effective and resource savvy doing it on the operating system/kernel level. If there are issues with web traffic, it is best not to let it get to the web server in the first place.

    -- PD

    EhudZ supported this idea  · 
  12. 3 votes

    EhudZ supported this idea  · 
  13. 17 votes

    EhudZ commented  · 

    Very important.

    EhudZ supported this idea  · 
  14. 7 votes

    EhudZ commented  · 

    Any news?

    EhudZ supported this idea  · 
  15. 1,283 votes

    EhudZ commented  · 

    Hi,

    I'm a user and not of Plesk support.

    ClamAV is to the best of my understanding enabled on Plesk for Plesk hosted mail protection:
    https://www.plesk.com/blog/guides/how-to-protect-email-servers-against-spam-viruses/

    I have implemented ClamAV manually to scan uploaded files, using ModSecurity as base technology.

    inspectFile
    Description: Executes an external program for every variable in the target list. The contents of the variable is provided to the script as the first parameter on the command line. The program must be specified as the first parameter to the operator. As of version 2.5.0, if the supplied program filename is not absolute, it is treated as relative to the directory in which the configuration file resides. Also as of version 2.5.0, if the filename is determined to be a Lua script (based on its .lua extension), the script will be processed by the internal Lua engine. Internally processed scripts will often run faster (there is no process creation overhead) and have full access to the transaction context of ModSecurity.

    The @inspectFile operator was initially designed for file inspection (hence the name), but it can also be used in any situation that requires decision making using external logic.

    The OWASP ModSecurity Core Rule Set (CRS) includes a utility script in the /util directory called runav.pl that allows the file approval mechanism to integrate with the ClamAV virus scanner. This is especially handy to prevent viruses and exploits from entering the web server through file upload.

    #!/usr/bin/perl
    #
    # runav.pl
    # Copyright (c) 2004-2011 Trustwave
    #
    # This script is an interface between ModSecurity and its
    # ability to intercept files being uploaded through the
    # web server, and ClamAV

    $CLAMSCAN = "clamscan";

    if ($#ARGV != 0) {
        print "Usage: runav.pl <filename>\n";
        exit;
    }

    my ($FILE) = shift @ARGV;

    # $FILE is interpolated into a shell command line, so call this script
    # only with server-generated names such as FILES_TMPNAMES.
    $cmd = "$CLAMSCAN --stdout --no-summary $FILE";
    $input = `$cmd`;
    $input =~ m/^(.+)/;
    $error_message = $1;

    # Output starting with 1 approves the file; anything else makes the rule
    # match, so unparsable scanner output rejects the upload.
    $output = "0 Unable to parse clamscan output [$1]";

    if ($error_message =~ m/: Empty file\.?$/) {
        $output = "1 empty file";
    }
    elsif ($error_message =~ m/: (.+) ERROR$/) {
        $output = "0 clamscan: $1";
    }
    elsif ($error_message =~ m/: (.+) FOUND$/) {
        $output = "0 clamscan: $1";
    }
    elsif ($error_message =~ m/: OK$/) {
        $output = "1 clamscan: OK";
    }

    print "$output\n";

    Example: Using the runav.pl script:

    # Execute external program to validate uploaded files
    SecRule FILES_TMPNAMES "@inspectFile /path/to/util/runav.pl" "id:159"

    Example of using Lua script (placed in the same directory as the configuration file):

    SecRule FILES_TMPNAMES "@inspectFile inspect.lua" "id:160"

    The contents of inspect.lua:

    function main(filename)
        -- Do something to the file to verify it. In this example, we
        -- read up to 10 characters from the beginning of the file.
        local f = io.open(filename, "rb");
        local d = f:read(10);
        f:close();

        -- Return nil if there is no reason to believe there is anything
        -- wrong with the file (no match). Returning any text will be taken
        -- to mean a match should be triggered.
        return nil;
    end

    Note: Starting in version 2.9 ModSecurity will not fill the FILES_TMPNAMES variable unless SecTmpSaveUploadedFiles directive is On, or the SecUploadKeepFiles directive is set to RelevantOnly.
    Note: Use @inspectFile with caution. It may not be safe to use @inspectFile with variables other than FILES_TMPNAMES. Other variables such as "FULL_REQUEST" may contain content that forces your platform to fork processes out of your control, making it possible for an attacker to execute code using the same permissions as your web server. For other variables you may want to look at the Lua script engine. This observation was brought to our attention by "Gryzli", on our users mailing list.
    Version: 2.x

    Supported on libModSecurity: TBI

    Reference: http://blog.spiderlabs.com/2010/10/advanced-topic-of-the-week-preventing-malicious-pdf-file-uploads.html

    file upload modsecurity protection

    I have installed ClamAV according to instruction

    I have set the script in place.

    The script is called by a new rule added via Plesk manual rules:

    SecRule FILES_TMPNAMES "@inspectFile /etc/apache2/modsecurity.d/modsec_clamav.pl" \
        "id:'99999932471', \
        phase:2, \
        t:none, \
        deny, \
        log, \
        msg:'Infected File upload detected', \
        tag:'MALICIOUS_SOFTWARE/VIRUS'"

    tested syntax and restarted Apache server

    could not test file upload as those were not IMAGE or PDF

    Script has to get execution permissions

    EhudZ commented  · 

    It's very important.

    EhudZ supported this idea  · 
  16. 1 vote

  17. 46 votes

    open discussion  ·  IgorG responded

    Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.

    IG

    EhudZ supported this idea  · 
  18. 151 votes

    EhudZ commented  · 

    This is possible:

    fail2ban-client -vvv set httpd-forbidden banip 54.214.128.0/17

    Or via:
    fail2ban-client set your-jail-name banip 192.0.2.1
    fail2ban-client set your-jail-name unbanip 192.0.2.1

    EhudZ commented  · 

    IMHO, the Plesk FireWall is the place for such IP...

  19. 35 votes

    EhudZ commented  · 
  20. 1 vote
