• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Plesk Firewalll specifies wrong port for SSH-firewalll rule

Kurt Ludikovsky

Basic Pleskian
Username:

TITLE

Plesk Firewalll specifies wrong port for SSH-firewalll rule

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Version 18.0.50 Update #1, zuletzt aktualisiert: 9. Febr. 2023 06:26:32
LINUX
Debian 11.6

PROBLEM DESCRIPTION

Plesk firewall generates iptables rules for port 25 instead port 22 when one specifies a rule for SSH.
This not only has a consequence not effect on port 22 but also denies any mails servers to connect to the server.

STEPS TO REPRODUCE

1) Enter IP-adresses to the
rule-allow.png
SSH-Server (Secure-Shell-Server) rule
2) Check the generated iptables output with iptables -L INPUT

ACTUAL RESULT

Generated rules block port 25 for the specified IP
No effect on port 22 blocking

EXPECTED RESULT

inhibit port 22 access
No action on port 25

ANY ADDITIONAL INFORMATION

I can provide two images demonstrating the effect.

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Help with sorting out
 
Attached are two files which shows the FW-rules and the resulting iptables rules.
 

Attachments

  • Firewall Settings.jpg
    Firewall Settings.jpg
    124.2 KB · Views: 13
  • Generated iptables rules.jpg
    Generated iptables rules.jpg
    166 KB · Views: 13
I am unable to replicate the issue on a fresh Ubuntu 22.04 server. Are you able to replicate the issue again if you re-install the Plesk Firewall and apply the same steps again?
 
I am unable to replicate the issue on a fresh Ubuntu 22.04 server. Are you able to replicate the issue again if you re-install the Plesk Firewall and apply the same steps again?
Will the settings be preserved, or do I need to set them again.
I have hundreds of IP's and CIDRs.
 
I cannot reproduce it either.

When you update a firewall rule and before you finally set the new rule(s), Plesk displays a page where the commands for setting new rules are displayed. There you should see the "ACCEPT" lines with port 22 and your IP address ranges.

If you see ACCEPT lines with port 25: Did you check that you have not also a rule regarding SMTP service?
 
Developers have replied to the case:

Rules with "incorrectly blocked IP":
Code:
# plesk db show module_firewall_rules | grep 95.143.80.0 | less -S
| id  | configuration_id | direction | priority | object
| 750 |                2 |         0 |       12 | a:8:{s:4:"type";s:7:"service";s:5:"class";s:3:"ssh";s:9:"direction";s:5:"input";s:5:"ports";a:1:{i:0;s:6:"25/tcp";}s:6:"action";s:5:"allow";s:10:"originalId";s:3:"722";s:4:"name";s:32:"SSH-Server (Secure-Shell-Server)";...
| 764 |                2 |         0 |       28 | a:7:{s:4:"type";s:6:"custom";s:5:"class";s:6:"custom";s:4:"name";s:25:"My allowed SSH 2023-02-12";s:9:"direction";s:5:"input";s:6:"action";s:5:"allow";s:5:"ports";a:1:{i:0;s:6:"22/tcp";}...
| 809 |                1 |         0 |       12 | a:8:{s:4:"type";s:7:"service";s:5:"class";s:3:"ssh";s:9:"direction";s:5:"input";s:5:"ports";a:1:{i:0;s:6:"25/tcp";}s:6:"action";s:5:"allow";s:10:"originalId";s:3:"750";s:4:"name";s:32:"SSH-Server (Secure-Shell-Server)";...
| 823 |                1 |         0 |       28 | a:8:{s:4:"type";s:6:"custom";s:5:"class";s:6:"custom";s:4:"name";s:25:"My allowed SSH 2023-02-12";s:9:"direction";s:5:"input";s:6:"action";s:5:"allow";s:5:"ports";a:1:{i:0;s:6:"22/tcp";}...
Note that the "SSH-Server (Secure-Shell-Server)" rule actually has port 25/tcp set instead of expected 22/tcp (as with "My allowed SSH 2023-02-12"). Most likely this was incorrectly changed by the customer when manually transferring the rules. Executing
Code:
/usr/local/psa/bin/modules/firewall/settings --set-rule -id 750 -ports 22/tcp
(assuming 2 is still the editable configuration), and applying the firewall rule changes should resolve the issue.
However I would suggest significantly cleaning up firewall rules. There are a lot of duplicates and there's no real need to export fail2ban bans into firewall extension.
 
OK, thanks a lot.
I agree that this might have happend by my transfer activities.

@Kurt Ludikovsky

Please inspect the following file :

/opt/psa/var/modules/firewall/firewall-active.sh

and just do the command : grep -i 22 /opt/psa/var/modules/firewall/firewall-active.sh

If there was an issue with the firewall, then that issue can also (still) be present in that specific script (or even originating from that script).

You should have no differences between the results of the aforementioned command and the input/output from the Plesk Firewall UI.

Kind regards....
 
Back
Top