EhudZ
My feedback
47 results found
-
1 vote
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
--
IG
-
10 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
— AY
An error occurred while saving the comment EhudZ
supported this idea
·
-
3 votes
-
3 votes
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
--
IG
-
1 vote
-
6 votes
Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IGEhudZ
supported this idea
·
-
11 votes
Since Plesk 18.0.46 Nginx is shipped with GeoIP module. Please see https://docs.plesk.com/en-US/obsidian/administrator-guide/website-management/websites-and-domains/extended-website-management/plesk-for-linux-setting-up-ip-geolocation-for-a-website.80011/
While this feature request is asking for an Apache module, we are wondering whether this is still needed as the same goals can be achieved with Nginx GeoIP in a much better way with less server resources.
Please comment in this feature request why you still need the Apache GeoIP module.
-- PD
An error occurred while saving the comment EhudZ
commented
1) Download the Geo2ip lite database:
# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
Or download some other DB files from:
GeoIP Legacy Databases
Or, a paid one from Maxmind.
Note: 1) The IP Data Base file should be updated once in a month (/a while) as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month.
Note: 2) The Maxmind file FORMAT is expected to be change on May 2022. If not updating to a newer ModSecurity suitable module, the near future (from May 2022) Maxmind file should be converted to the legacy used file format. On December 2021, it downloads as file.dat.gz, so note the two file formats in the file name, before its uncompressed.2) uncompress the file (Converted the zip *.gz file to a *.dat file):
# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz
3) Uploaded the COUNTRY file to:
# /usr/share/GeoIP/GeoLiteCountry.dat
An error occurred while saving the comment EhudZ
commented
Such feature may be achieved using ModSecurity GeoIP module on Plesk.
Below is a full guidance:
ModSecurity Blocking Countries Guidance
1) Download the Geo2ip lite database:
# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
Or download some other DB files from:
GeoIP Legacy Databases
Or, a paid one from Maxmind.
Note: 1) The IP Data Base file should be updated once in a month (/a while) as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month.
Note: 2) The Maxmind file FORMAT is expected to be change on May 2022. If not updating to a newer ModSecurity suitable module, the near future (from May 2022) Maxmind file should be converted to the legacy used file format. On December 2021, it downloads as file.dat.gz, so note the two file formats in the file name, before its uncompressed.2) uncompress the file (Converted the zip *.gz file to a *.dat file):
# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz
3) Uploaded the COUNTRY file to:
# /usr/share/GeoIP/GeoLiteCountry.dat
4) Enable GeoIP in a file according to which ModSecurity Rule set is used:
For OWASP:
# vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.confun-commented the following line:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat5) Manually Create a ModSecurity rule
Using OWASP:
# touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf
Using COMODO:
# touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.confPlace the rule in the just created file:
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
Note: "XX" are to be replaced with the actual country codes.
Also rule id (in the above example - "99999932392") should be unique, otherwise, the apache2 service wouldn'tCountry two charts ISO code list is available here:
ISO 3166-1 alpha-2 - Wikipedia
You may copy country code already set in one line, from the below example, blocking all countries, but not USA, Canada, Russia, most Western European countries, and Israel.
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE " @pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"
6) Test server configuration and fix before restart if needed:
# apachectl configtest
7) Restart the server, to make sure the new configuration takes place:
# systemctl restart apache2
8) Test the blocking happens.
You may use mobile phone Opera browser that has a built-in VPN, allowing to choose Asia/Europe/America as a location.
Choose Asia, which in my case used Singapore IP. Set Opera to also include VPN for search results.
Then, check on the mobile Opera is set for Asia, on Google:“What is my IP?”
And copy the IP to check it’s indeed in Asia, on a service as (replace the 8.8.8.8 IP with the one you got):
8.8.8.8 IP Address Details - IPInfo.io
Now, access your website. You may get on the browser client a ‘502’ error on the browser. Log file will look something like:
2021-mm-dd 12:51:40 Error 77.111.245.12 403 GET / HTTP/1.0 5.00 K Apache SSL/TLS access
2021-mm-dd 12:51:40 Error 77.111.245.12 [client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"] Apache error
2021-mm-dd 12:51:40 Error 77.111.245.12 62778#0: *180 upstream prematurely closed connection while reading response header from upstream nginx error** See more recommendations in the attached PDF file **
-
2 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular. Everyone, please continue voting for this feature if you consider it important.
—
IGAn error occurred while saving the comment EhudZ
commented
For Comodo it should be changed on:
# vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf
SecDefaultAction \
"phase:1,log,auditlog,deny,status:403"
SecDefaultAction \
"phase:2,log,auditlog,deny,status:403"An error occurred while saving the comment EhudZ
commented
Plesk ModSecurity required a revision...
You click "On" but you are actually mainly on Warning mode... as scores prefined do not bring to 403 error lots of the times...
You better manually fix this to:
the following parameters are specified in /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf
They IMHO should be commented out:
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"while they should be:
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"**There was no RESTART is required**
# plesk sbin modsecurity_ctl --disable
# plesk sbin modsecurity_ctl --enable
# service httpd restartEhudZ
supported this idea
·
-
1 vote
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IG -
2 votes
Thank you for your input! We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IG -
27 votes
-
15 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
ETAn error occurred while saving the comment EhudZ
commented
The Plesk FireWall using IPTABLES has issues with memory, which as I understand, IPSET does not suffer from. The option to use IPSET Plesk FireWall is welcomed!
EhudZ
supported this idea
·
-
22 votesEhudZ
supported this idea
·
-
110 votes
-
9 votes
This is a valid request. Please keep voting on this if you believe it is an important feature.
-- PD
An error occurred while saving the comment EhudZ
commented
You may use Google Authenticator MFA
Note, it is bypassed on mobile Plesk...
You may also use fixed IPs and allow Plesk pannel and ports 8443 and 8447 (via hosting server as AWS light Sail and also Plesk FW) be accessed ONLY from the fixed IPs you preauthorized.
EhudZ
supported this idea
·
-
4 votes
This makes sense, we’ll look into that.
—AK
An error occurred while saving the comment EhudZ
commented
Have a look for example at the WPML plugin which has in wp_options the field:
wpml_language_switcher_template_objectsThis SYNCED leads to mixture of environments as
staging.example.com
and
example.comEhudZ
supported this idea
·
-
6 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IGEhudZ
supported this idea
·
-
9 votes
Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IGAn error occurred while saving the comment EhudZ
commented
Please note, those that use this MFA might think they have its protection, while the Plesk mobile app might serve as kind of a "back door". Meaning, they might be considered as mislead to believe they are protected by MFA, while in fact, this might not be the case.
EhudZ
supported this idea
·
-
2 votes
Thank you for your input. We will consider this functionality in upcoming releases if it is popular. Everyone, please continue voting for this feature if you consider it important.
—
IGEhudZ
supported this idea
·
-
49 votes
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.—
IGAn error occurred while saving the comment EhudZ
commented
Hi Bob,
It's much more complicated...
Plesk fire wall collapses when using direct Iptables blocking for cide ip of vountries
Also each Plesk fire wall rule is limited to a few hundred ips (cidr ranges), and also bring to the entire Plesk to collapse, if superseded.EhudZ
supported this idea
·
An error occurred while saving the comment EhudZ
commented
Still waiting
I have noted Plesk Toolkit SYNC possibly seem to damage file permission, so the need is for Plesk component, to identify what process changed file permission.