
7.5.x can deny only 1 IP-number instead of a nwblock XXX.XXX.XXX.*

editor
Hi,

I have a question. I want to deny some special IP-Numbers,
but Plesk 7.5.x seems to allow me to block only 1 IP-Number
instead of a complete NW-Block.

Example:

https://www.mydomainname.tld:8443/
--->
Modules ---> Firewall

I added there a

"FTP-DenyEditor" with

-----------------
Deny incoming from 80.3.157.84, 80.221.58.99, 151.41.155.25, 193.109.77.48, 195.126.11.140, 217.171.225.72, 217.208.58.144 on port 21/tcp
----------------

In the form, plesk does not allow me to add

195.126.11.*

How can I fix this? If I add only one IP number, the user
can log out and log in again and gets another IP number
from his provider. This is why I want to block a complete
network block.

Right now Plesk seems to work in such a way that it wants
every single IP number input by me by hand. It cannot be
that I must write 256 IP numbers there instead of denying
a complete network block.

Another question. How can I deny only a specific

195.126.11.128 - 195.126.11.191

instead of the complete

195.126.11.*

?

Thank you very much.
 
Hi editor,

Unfortunately, if you are using the Plesk Firewall module, there currently is no good news for you.

They currently keep the data you enter in the mySQL database as a 'blob', which is not human readable/editable.

Until they change their interface, (which I believe they are either considering, or working on) and release an update, there is not much you can do.

What I did was to uninstall their Firewall and I maintain my own IPTABLES file, which for me is easier than entering IP/nets/cidr's into a pretty form, I'd rather use a regular text editor for that type of data entry...

Actually, to answer someone else's question about this, I had to install their firewall and dig around, then just went back to doing it my way..

All they do is custom inject iptables rules, instead of having them written to the normal /etc/sysconfig/iptables file. But with all of their software, they keep things in their own way.

Bottom line: either wait to see if they release an update with more flexible interface, or uninstall it and do your own iptables (or other firewall).
 
This is one of the reasons we use an external firewall also. We've been using APF for a while which seems to work pretty well.
 
There is another one... man, these **** spammers. This one
guy was stupid enough to let a mass-downloader rush through.

And I am not able to deny the complete class C with Plesk.

netnum: 213.195.198.0 - 213.195.198.255
netname: CZ-HA-VEL-NOVAK-1
descr: Pavel Novak

It started with 213.195.198.2.

Right now it seems that I must input each IP number
separately, 255 times.

it would be so easy just to write into there a

213.195.198.*

I also tested it with

213.195.198.

but this does not work either. Plesk then tells me that the
IP number is not complete. So Plesk wants the complete
IP numbers.

Is there really no other chance? How about the .conf?

:confused:
 
You would not use .*, it would be more like 213.195.198.0/24

Currently there is no way to do this until Plesk changes their interface.

You would be better to uninstall their firewall module and either configure iptables yourself, or use some other firewall package such as apf or whatever.

Unless you have lots of time and patience to enter the IPs one at a time....

While the Plesk firewall module is installed, the normal iptables file is ignored and their module gets its info from the database blob they create.

I am assuming this is related to your other post regarding ftp downloading abuse... please see my reply to that thread for further info.
 
Originally posted by jamesyeeoc
Unfortunately, if you are using the Plesk Firewall module, there currently is no good news for you.

Well, any news from you is always _good_ news, because
it is very informative. This is why I will buy you the beer. ;)


Originally posted by jamesyeeoc
They currently keep the data you enter in the mySQL database as a 'blob', which is not human readable/editable.

Yes, I saw this. :( wtf! Sorry. ;(


Originally posted by jamesyeeoc
Until they change their interface, (which I believe they are either considering, or working on) and release an update, there is not much you can do.

Until that point I have to accept these spammers? I can
remember very well one of our "antispam threads", when we
began to talk about denying the whole of Korea and China and
their complete network blocks. I can also remember very well
when you suggested the firewall solution of Plesk. And now I
have to work on this point and suddenly I see that I can
enter only one IP number.


Originally posted by jamesyeeoc
What I did was to uninstall their Firewall and I maintain my own IPTABLES file, which for me is easier than entering IP/nets/cidr's into a pretty form, I'd rather use a regular text editor for that type of data entry...

Exactly this was also my way for all of the last 15 years. It has
always been rather easy just to enter the IP number or a
complete network block (class C, class B, class A). I have always
been used to working with the * sign. And now I am somehow in a
strait-jacket.


Originally posted by jamesyeeoc
Actually, to answer someone else's question about this, I had to install their firewall and dig around, then just went back to doing it my way..

interesting.

Originally posted by jamesyeeoc
All they do is custom inject iptables rules, instead of having them written to the normal /etc/sysconfig/iptables file. But with all of their software, they keep things in their own way.

nice idea. I will have a look into this file.


Originally posted by jamesyeeoc
Bottom line: either wait to see if they release an update with more flexible interface, or uninstall it and do your own iptables (or other firewall).

I hope you don't misunderstand me, but I really have no
particular interest in becoming a butcher on a fine
running Plesk system 7.5.2. Uninstalling the firewall is
a big cut into the Plesk system itself, I think. I
have no experience with making such big changes to the
Plesk system.

I thought there is somewhere a way to write the IP network blocks
"manually by hand" into some config file or wherever.

brb, /etc/sysconfig/iptables :)
 
Hi jamesyeeoc,

Originally posted by jamesyeeoc
You would not use .*, it would be more like 213.195.198.0/24

Oh, do you think, with the example before with the abuser
and spammers from...

netnum: 213.195.198.0 - 213.195.198.255

..., that I would have to write into the Plesk firewall

netnum: 213.195.198.0/255

?

Are you sure that denying 213.195.198.0/255 also
automatically means denying the complete netnum
213.195.198.0 - 213.195.198.255?


Originally posted by jamesyeeoc
Currently there is no way to do this until Plesk changes their interface.

It seems so, yes. There is somewhere a script which checks
that only _numbers_ are allowed as input. I am
considering changing this "checker" script, so that I
would then also be able to add the * sign. Do you already
have experience with such a possible solution?

Originally posted by jamesyeeoc
You would be better to uninstall their firewall module and either configure iptables yourself, or use some other firewall package such as apf or whatever.

;(


Originally posted by jamesyeeoc
Unless you have lots of time and patience to enter the IPs one at a time....

;( ;(


Originally posted by jamesyeeoc
While the Plesk firewall module is installed, the normal iptables file is ignored and their module gets it's info from the database blob they create.

<swimming-in-tears> ;(

;)

Arrgh,... :(


Originally posted by jamesyeeoc
I am assuming this is related to your other post regarding ftp downloading abuse... please see my reply to that thread for further info.

Well, I made different posts, because there are also
different abuses which I would like to fix. I thought this
thread is only about the topic and problems with the
IP number and IP network block itself.

The other thread is about abusing the bandwidth,
because Plesk seems to ignore some things...

Thank you very much.
 
Originally posted by editor
I can also remember very well, when
I do not remember *ever* recommending the Plesk firewall, unless the admin was a total noob and did not wish to do anything other than use the control panel.

Uninstalling the Plesk firewall and replacing it with another firewall will not cause any damage to the Plesk system. That is a purely optional module. The control panel will not freak out if it's been uninstalled. It is also not a 'big change' or difficult to uninstall it either.

Their firewall scripts only change the way the existing iptables is configured and run; unfortunately it also makes it more limited in what can be done to block things.
Originally posted by editor
Are you sure, that to deny 213.195.198.0/255 does also
I did not write the /255. To block the range from .0 to .255, you would write the net block as 213.195.198.0/24

Plesk scripts (in general) are encrypted; it is closed-source software. I did not take a close look at any of their firewall scripts and don't have any pressing need to set it up again on a test server at this time. I may do so when they release an update for it.

If you are not willing to dump their limited firewall for a better solution, then there is not much else you can do at this point.

I believe it has been pretty clear through these posts that if you want more flexibility in dealing with the abuses, you are going to have to decide to change your firewall.
 
Originally posted by jamesyeeoc
While the Plesk firewall module is installed, the normal iptables file is ignored and their module gets its info from the database blob they create.
We have both installed and get reports everyday about 10,000+ packets dropped by apf. We just haven't activated any custom rules and don't 'use' the Plesk firewall even though it's installed.

Have you tried to use both? Maybe it's possible to use the Plesk firewall for specific ip's and also use another firewall for entire blocks?
 
What about using the host.deny cfg file? I've only used the PSA Firewall to block single hosts that annoy my server.
 
Originally posted by jamesyeeoc
All they do is custom inject iptables rules, instead of having them written to the normal /etc/sysconfig/iptables file.

-rw------- 1 root root 1378 Mar 4 2004 iptables-config

# vi -R /etc/sysconfig/iptables-config

------------cut--------------
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modules.conf.
#IPTABLES_MODULES=""

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
#IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
#IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
#IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
#IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no, default: no
# Print IP addresses and port numbers in numeric format in the status output.
#IPTABLES_STATUS_NUMERIC="no"

----------cut---------------
 
I also had a look now in the conf of this proftp.

# vi -R /etc/proftpd.conf

--------------cut------------
#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD"
ServerType inetd
DefaultServer on
<Global>
DefaultRoot ~ psacln
AllowOverwrite on
</Global>
DefaultTransferMode binary
UseFtpUsers on

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd/scoreboard

# Primary log file must be outside of system logrotate province

TransferLog /usr/local/psa/var/log/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /home/httpd/vhosts>
GroupOwner psacln
</Directory>

Include /etc/proftpd.include

--------------cut------------
 
and because of this here:

Originally posted by editor


------cut---------

Include /etc/proftpd.include

-------cut---------

It was clear ;-) that I will therefore also have a look into this file.

# vi -R /etc/proftpd.include

-----------------cut---------------
#Section for mydomainname.tld

<VirtualHost 111.222.333.444>
ServerName "ftp.mydomainname.tld"
CapabilitiesEngine off
TransferLog /usr/local/psa/var/log/xferlog
AllowOverwrite on
Quotas on
QuotaType hard
QuotaCalc off
<Limit LOGIN>
Order allow, deny
AllowGroup psacln
Deny from all
</Limit>

UserAlias anonymous psaftp
<Anonymous /home/httpd/vhosts/mydomainname.tld/anon_ftp>
TransferLog /home/httpd/vhosts/mydomainname.tld/statistics/logs/xferlog
PathDenyFilter "^\.quota$"
RequireValidShell off
TransferRate RETR 666.000
MaxClients 100
User psaftp
Group psaftp
DisplayLogin /conf/proftp.msg
<Limit LOGIN>
AllowAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
<Directory incoming>
UserOwner mydomainname
Umask 022 002
<Limit STOR>
AllowAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
<Limit READ>
AllowAll
</Limit>
<Limit MKD XMKD>
AllowAll
</Limit>
</Directory>
</Anonymous>
<Directory /home/httpd/vhosts/mydomainname.tld/httpdocs>
UserOwner mydomainname
GroupOwner psacln
</Directory>
<Directory /home/httpd/vhosts/mydomainname.tld/httpsdocs>
UserOwner mydomainname
GroupOwner psacln
</Directory>
</VirtualHost>
-----------------cut---------------
 
There is something wrong, or at least not very clear right now.
There seem to be 2 big differences.

(1) # vi -R /etc/proftpd.conf
====================

Originally posted by editor
# vi -R /etc/proftpd.conf

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd/scoreboard

and on the other side, on the same Plesk server, it says here:


(2) # vi -R /etc/proftpd.include
=======================

Originally posted by editor
UserAlias anonymous psaftp
<Anonymous /home/httpd/vhosts/mydomainname.tld/anon_ftp>

PathDenyFilter "^\.quota$"
RequireValidShell off
TransferRate RETR 666.000
MaxClients 100


DisplayLogin /conf/proftp.msg


shorter:

(1) # vi -R /etc/proftpd.conf
MaxInstances 30

(2) # vi -R /etc/proftpd.include
MaxClients 100

:confused:


At the same time, plesk thinks:

# (such as xinetd)
MaxInstances 30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation.......

So, I am not able to change the lines AFTER this notice, of course.
But I am able to change the lines BEFORE this notice. For
example:

MaxInstances 30
-->
MaxInstances 2

Does this then mean that there will be only 2 connections for
ONE user with his ONE IP number?

hmm..... how do you think about this? :)
 
BTW, just an idea by me:

Originally posted by editor
# vi -R /etc/proftpd.conf

..
..

Include /etc/proftpd.include
..
.


I would like to add one line BEFORE this

Include /etc/proftpd.include

For example:

Include /etc/angryeditor.include
Include /etc/proftpd.include

and then I will create a new file

-------------------cut-----angryeditor.include---------

# I write here my little comment
deny 111.222.333.*

# I dont have alzheimer, but nobody knows
deny 66.218.71.124-198

#spam from Korea
deny

# mass-faking from France
deny 65.245.103.*

-------------------cut-----angryeditor.include---------

hmm?

Plesk could then think what it wants. Plesk is not concerned with
my file "angryeditor.include" (and in this file I input
all the IP numbers or IP network blocks which I want to deny).

Yes, I am angry because of this abuse. From yesterday to
today, another 124 GB wasted.
 
hi jamesyeeoc

Originally posted by jamesyeeoc


To block the range from .0 to .255, you would write the net block as 213.195.198.0/24


This solution seems to work very fine.

213.195.198.0/24 into the Plesk, means to deny
213.195.198.0 - 213.195.198.255

:)

Can you please give me a hint or a tip on how I do this with this
mass-traffic producer and DDoS attacker from:

--------------------
inetnum: 83.100.0.0 - 83.100.31.255
netname: SONGNETWORKS-SONETTI
descr: Song networks Oy
descr: 00094, Song
country: FI

route: 83.100.0.0/17
descr: Song Networks Oy
origin: AS3246
mnt-by: AS3246-MNT
source: RIPE # Filtered
---------------------

I would like to deny their complete IPs.

83.100.0.0 - 83.100.31.255

Please don't misunderstand me, but I don't want to input:

83.100.1.0/24
83.100.2.0/24
83.100.3.0/24
83.100.4.0/24
83.100.5.0/24
83.100.6.0/24
83.100.7.0/24
83.100.8.0/24
83.100.9.0/24
83.100.10.0/24
83.100.11.0/24
83.100.12.0/24
83.100.13.0/24
83.100.14.0/24
83.100.15.0/24
..
..
.
83.100.31.0/24

to deny

83.100.1.0 - 83.100.31.255

Must I input into Plesk:

83.100.0.0/17

or

83.100.0.0/24

or

83.100.0.0/4

Hmmmmmm? But in such an extreme case with 83.100.0.0/24
(if this is correct to deny 83.100.*.*), this would also mean
denying other network blocks which are innocent:

inetnum: 83.100.32.0 - 83.100.35.255
netname: LWF-XDSL
descr: Lan World Finland Oy
descr: 33200, Tampere
country: FI

Thank you very much.
 
Originally posted by editor
hmmmmmm? But in such a extreme case with 83.100.0.0/24
This would only block from 83.100.0.0 - 83.100.0.255

Originally posted by editor
I would like to deny their complete IPs.

83.100.0.0 - 83.100.31.255

Network      Subnet Mask     Subnet Size   Host Range                     Broadcast
83.100.0.0   255.255.224.0   8190          83.100.0.1 to 83.100.31.254    83.100.31.255
IP Address : 83.100.0.0
Address Class : Classless /19
Network Address : 83.100.0.0

Subnet Address : 83.100.0.0
Subnet Mask : 255.255.224.0
Subnet bit mask : nnnnnnnn.nnnnnnnn.nnnhhhhh.hhhhhhhh
Subnet Bits : 19
Host Bits : 13
Possible Number of Subnets : 1
Hosts per Subnet : 8190

According to my subnet calculator, to block just the range:
83.100.0.0 - 83.100.31.255

you would want to use:

83.100.0.0/19

Songnet owns a much larger range; are you sure the range you want to block is 83.100.0.0 - 83.100.31.255? As you pointed out, other sub-ranges such as 83.100.32.xx are sub-allocated to other companies by Songnet, so are you sure that there are not other sub-allocations within the range you specified which would also affect 'innocent bystanders'?
 
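The two recurring questions in this thread are how to turn a WHOIS inetnum range into a CIDR block (the /24, /255, /19 and /17 confusion above, and the .128-.191 sub-range from the first post), and how to check that the block does not also hit neighbouring allocations before dropping it in a hand-maintained iptables file, as jamesyeeoc suggests. The following is an added example written for this page, not code from the thread or from Plesk. It uses only the Python standard library; the ranges are copied from the WHOIS records quoted above, the address 83.100.17.5 is a constructed sample (not one from anybody's logs), and the iptables rule format assumes iptables-save syntax for the INPUT chain of the filter table.

```python
"""Turn WHOIS inetnum ranges into CIDR blocks and sanity-check them before blocking.

Added example for this thread, not code from the thread or from Plesk.
Only the Python standard library is used. The ranges below are copied from
the WHOIS output quoted in the thread; the sample "abuser" address is
constructed, not taken from any log.
"""
import ipaddress
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# inetnum ranges as they appear in the quoted WHOIS records.
SONG_INETNUM = ("83.100.0.0", "83.100.31.255")      # SONGNETWORKS-SONETTI
LWF_INETNUM = ("83.100.32.0", "83.100.35.255")      # LWF-XDSL, an innocent neighbour
NOVAK_INETNUM = ("213.195.198.0", "213.195.198.255")  # CZ-HA-VEL-NOVAK-1
SONG_ROUTE = "83.100.0.0/17"                         # route: object, the whole announcement


def range_to_cidrs(first: str, last: str) -> List[IPv4Net]:
    """Minimal list of CIDR blocks covering an inetnum 'first - last' range.

    Aligned ranges collapse to one block (83.100.0.0-83.100.31.255 -> /19,
    195.126.11.128-191 -> /26); arbitrary ranges such as x.x.x.124-198
    need several blocks, which is why '*' and 'a-b' shorthand do not map
    one-to-one onto a single firewall rule.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def parse_block(text: str, strict: bool = True) -> Optional[IPv4Net]:
    """Parse what an admin typed into a form field.

    Returns None for '*' wildcards, bare prefixes such as '213.195.198.'
    and impossible prefix lengths such as '/255' (the panel is right to
    reject those). With strict=True a block with host bits set, such as
    83.100.0.0/4, is also rejected instead of being silently widened.
    """
    try:
        return ipaddress.IPv4Network(text, strict=strict)
    except ValueError:
        return None


def collateral(block: IPv4Net, others: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Allocations in `others` that `block` would also hit (innocent bystanders)."""
    return [n for n in others if block.overlaps(n)]


def iptables_rules(blocks: Iterable[IPv4Net], port: int = 21) -> List[str]:
    """iptables-save style rules for a hand-maintained /etc/sysconfig/iptables.

    Assumption: rules go into the INPUT chain of the filter table. Adjust
    the chain name if you keep a dedicated blocklist chain.
    """
    return [f"-A INPUT -s {b.with_prefixlen} -p tcp --dport {port} -j DROP"
            for b in blocks]


def main() -> None:
    song = range_to_cidrs(*SONG_INETNUM)   # [83.100.0.0/19]
    lwf = range_to_cidrs(*LWF_INETNUM)     # [83.100.32.0/22]
    print("Song inetnum as CIDR:", [str(b) for b in song])

    # /24 covers only 83.100.0.0-83.100.0.255; /17 (the route object)
    # swallows LWF-XDSL as well; only /19 matches the inetnum exactly.
    for candidate in ("83.100.0.0/24", "83.100.0.0/19", SONG_ROUTE):
        net = parse_block(candidate)
        print(f"{candidate:>16}: {net.num_addresses:>6} addresses,"
              f" hits LWF-XDSL: {bool(collateral(net, lwf))}")

    # 83.100.0.0/4 is not a real network at all; unstrict parsing shows what
    # it would really mean: 80.0.0.0/4, a sixteenth of the IPv4 space.
    print("83.100.0.0/4 really means:", parse_block("83.100.0.0/4", strict=False))

    # Inputs from the thread that the panel rejects, and should.
    for bad in ("213.195.198.*", "213.195.198.", "213.195.198.0/255"):
        print(f"{bad!r} is a valid network:", parse_block(bad) is not None)

    print("195.126.11.128-191 ->",
          [str(b) for b in range_to_cidrs("195.126.11.128", "195.126.11.191")])
    print("66.218.71.124-198 ->",
          [str(b) for b in range_to_cidrs("66.218.71.124", "66.218.71.198")])

    for rule in iptables_rules(song + range_to_cidrs(*NOVAK_INETNUM)):
        print(rule)


if __name__ == "__main__":
    main()
```

Run it before committing a block: if `collateral()` comes back non-empty for the candidate you are about to drop, you are about to block someone else's customers, which is exactly the /17-versus-/19 point made in the last reply.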