
7.5.x can deny only 1 IP-number instead of a nwblock XXX.XXX.XXX.*

Discussion in 'Plesk for Linux - 8.x and Older' started by editor, Jun 15, 2005.

  1. editor

    editor Guest

    0
     
    Hi,

    I have a question. I want to deny some special IP-Numbers,
    but Plesk 7.5.x seems to allow me to block only 1 IP-Number
    instead of a complete NW-Block.

    Example:

    https://www.mydomainname.tld:8443/
    --->
    Modules ---> Firewall

    I added there a

    "FTP-DenyEditor" with

    -----------------
    Deny incoming from 80.3.157.84, 80.221.58.99, 151.41.155.25, 193.109.77.48, 195.126.11.140, 217.171.225.72, 217.208.58.144 on port 21/tcp
    ----------------

    In the form, plesk does not allow me to add

    195.126.11.*

    How can I fix this? If I add only 1 IP-number, then
    the user can log out and log in again and has another IP-Number
    from his provider. This is why I want to block a complete
    NW-Block.

    Right now, Plesk seems to work in such a way that it wants
    every single IP-Number entered by me by hand. It cannot
    be that I must write 256 IP-numbers there instead of denying
    a complete NW-block.

    Another question. How can I deny only a special

    195.126.11.128 - 195.126.11.191

    instead of the complete

    195.126.11.*

    ?

    Thank you very much.
     
  2. jamesyeeoc

    jamesyeeoc Guest

    0
     
    Hi editor,

    Unfortunately, if you are using the Plesk Firewall module, there currently is no good news for you.

    They currently keep the data you enter in the MySQL database as a 'blob', which is not human readable/editable.

    Until they change their interface, (which I believe they are either considering, or working on) and release an update, there is not much you can do.

    What I did was to uninstall their Firewall and I maintain my own IPTABLES file, which for me is easier than entering IP/nets/cidr's into a pretty form, I'd rather use a regular text editor for that type of data entry...

    Actually, to answer someone else's question about this, I had to install their firewall and dig around, then just went back to doing it my way..

    All they do is custom inject iptables rules, instead of having them written to the normal /etc/sysconfig/iptables file. But with all of their software, they keep things in their own way.

    Bottom line: either wait to see if they release an update with more flexible interface, or uninstall it and do your own iptables (or other firewall).
     
  3. alex042

    alex042 Guest

    0
     
    This is one of the reasons we use an external firewall also. We've been using APF for a while which seems to work pretty well.
     
  4. editor

    editor Guest

    0
     
    There is another one.... man, these **** spammers. This one
    guy was so stupid as to let a mass-downloader rush through.

    And I am not able to deny the complete C-Class with Plesk.

    netnum: 213.195.198.0 - 213.195.198.255
    netname: CZ-HA-VEL-NOVAK-1
    descr: Pavel Novak

    It started with 213.195.198.2.

    Right now, it seems that I must input each single
    IP-number separately, 255 times.

    it would be so easy just to write into there a

    213.195.198.*

    I also tested it with

    213.195.198.

    but this does also not work. Plesk says then to me, that the
    IP-number is not complete. So, Plesk wants the complete
    IP-numbers.

    Is there really no other chance? How about the .conf?

    :confused:
     
  5. jamesyeeoc

    jamesyeeoc Guest

    0
     
    You would not use .*, it would be more like 213.195.198.0/24

    Currently there is no way to do this until Plesk changes their interface.

    You would be better to uninstall their firewall module and either configure iptables yourself, or use some other firewall package such as apf or whatever.

    Unless you have lots of time and patience to enter the IPs one at a time....

    While the Plesk firewall module is installed, the normal iptables file is ignored and their module gets its info from the database blob they create.

    I am assuming this is related to your other post regarding ftp downloading abuse... please see my reply to that thread for further info.
     
  6. editor

    editor Guest

    0
     
    Well, all news from you is always _good_ news, because
    it's very informative. This is why I will pay you the beer. ;)


    Yes, I saw this. :( wtf! Sorry. ;(


    Up to this point I have to accept these spammers? I can
    remember very well one of our "antispam-thread", when we
    began to talk about to deny the complete Korea and China and
    their complete NW-Block. I can also remember very well, when
    you suggested the firewall-solution of Plesk. And now, I
    have to work on this point and suddenly I see it, that I can
    enter only one IP-Number.


    Exactly this was also my way in all the last 15 years. It has
    always been rather easy just to enter the IP-number or a
    complete NW-Block (C-Class, B-Class, A-Class). I have always
    been used to work with the *-sign. And now I am anyhow in a
    strait-jacket.


    interesting.

    nice idea. I will have a look into this file.


    I hope that you will not misunderstand me, but I really
    have no special interest to become a slaughter onto a fine
    running Plesk-System 7.5.2. To uninstall the firewall,
    that's a big cut into the plesk-system itself, I think so. I
    have no experience with making such big things onto the
    Plesk-system.

    I thought there is somewhere a way to write the IP-NW-Blocks
    "manually by hand" into some config-file or wherever.

    brb, /etc/sysconfig/iptables :)
     
  7. editor

    editor Guest

    0
     
    Hi jamesyeeoc,

    oh, do you think, with this example before with the abuser
    and spammers from...

    netnum: 213.195.198.0 - 213.195.198.255

    ..., that I would have to write into Plesk-Firewall

    netnum: 213.195.198.0/255

    ?

    Are you sure, that to deny 213.195.198.0/255 does also
    automatically mean to deny the complete netnum:
    213.195.198.0 - 213.195.198.255?


    It seems so, yes. There is anywhere a script which checks
    out, that only _numbers_ are allowed to input. I am
    considering about to change this "checker"-script, so I
    would then also be able to add the *-sign. Do you already
    have experience with such a possible solution?

    ;(


    ;( ;(


    <swimming-in-tears> ;(

    ;)

    Arrgh,... :(


    Well, I made different posts, because there are also
    different abuses, which I would like to fix. I thought, this
    thread is only because of the theme and problems with the
    IP-number and IP-NWBlock itself.

    The other thread is about abusing the bandwidth,
    because Plesk seems to ignore some things...

    Thank you very much.
     
  8. jamesyeeoc

    jamesyeeoc Guest

    0
     
    I do not remember *ever* recommending the Plesk firewall, unless the admin was a total noob and did not wish to do anything other than use the control panel.

    Uninstalling the Plesk firewall and replacing it with another firewall will not cause any damage to the Plesk system. That is a purely optional module. The control panel will not freak out if it's been uninstalled. It is also not a 'big change' or difficult to uninstall it either.

    Their firewall scripts only change the way the existing iptables is configured and run, unfortunately it also makes it more limited in what can be done to block things.
    I did not write the /255. To block the range from .0 to .255, you would write the net block as 213.195.198.0/24

    Plesk scripts (in general) are encrypted, it is a closed source software. I did not take a close look at any of their firewall scripts and don't have any pressing need to set it up again on a test server at this time. I may do so when they release an update for it.

    If you are not willing to dump their limited firewall for a better solution, then there is not much else you can do at this point.

    I believe it has been pretty clear through these posts that if you want more flexibility in dealing with the abuses, you are going to have to decide to change your firewall.
     
  9. alex042

    alex042 Guest

    0
     
    We have both installed and get reports everyday about 10,000+ packets dropped by apf. We just haven't activated any custom rules and don't 'use' the Plesk firewall even though it's installed.

    Have you tried to use both? Maybe it's possible to use the Plesk firewall for specific ip's and also use another firewall for entire blocks?
     
  10. sieb@

    sieb@ Guest

    0
     
    What about using the host.deny cfg file? I've only used the PSA Firewall to block single hosts that annoy my server.
     
  11. editor

    editor Guest

    0
     
    -rw------- 1 root root 1378 Mar 4 2004 iptables-config

    # vi -R /etc/sysconfig/iptables-config

    ------------cut--------------
    # Load additional iptables modules (nat helpers)
    # Default: -none-
    # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
    # are loaded after the firewall rules are applied. Options for the helpers are
    # stored in /etc/modules.conf.
    #IPTABLES_MODULES=""

    # Unload modules on restart and stop
    # Value: yes|no, default: yes
    # This option has to be 'yes' to get to a sane state for a firewall
    # restart or stop. Only set to 'no' if there are problems unloading netfilter
    # modules.
    #IPTABLES_MODULES_UNLOAD="yes"

    # Save current firewall rules on stop.
    # Value: yes|no, default: no
    # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
    # (e.g. on system shutdown).
    #IPTABLES_SAVE_ON_STOP="no"

    # Save current firewall rules on restart.
    # Value: yes|no, default: no
    # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
    # restarted.
    #IPTABLES_SAVE_ON_RESTART="no"

    # Save (and restore) rule and chain counter.
    # Value: yes|no, default: no
    # Save counters for rules and chains to /etc/sysconfig/iptables if
    # 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
    # SAVE_ON_RESTART is enabled.
    #IPTABLES_SAVE_COUNTER="no"

    # Numeric status output
    # Value: yes|no, default: no
    # Print IP addresses and port numbers in numeric format in the status output.
    #IPTABLES_STATUS_NUMERIC="no"

    ----------cut---------------
     
  12. editor

    editor Guest

    0
     
    I also had a look now in the conf of this proftp.

    # vi -R /etc/proftpd.conf

    --------------cut------------
    #
    # To have more informations about Proftpd configuration
    # look at : http://www.proftpd.org/
    #

    # This is a basic ProFTPD configuration file (rename it to
    # 'proftpd.conf' for actual use. It establishes a single server
    # and a single anonymous login. It assumes that you have a user/group
    # "nobody" and "ftp" for normal operation and anon.

    ServerName "ProFTPD"
    ServerType inetd
    ServerType inetd
    DefaultServer on
    <Global>
    DefaultRoot ~ psacln
    AllowOverwrite on
    </Global>
    DefaultTransferMode binary
    UseFtpUsers on

    # Port 21 is the standard FTP port.
    Port 21
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask 022

    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances 30

    #Following part of this config file were generate by PSA automatically
    #Any changes in this part will be overwritten by next manipulation
    #with Anonymous FTP feature in PSA control panel.

    #Include directive should point to place where FTP Virtual Hosts configurations
    #preserved

    ScoreboardFile /var/run/proftpd/scoreboard

    # Primary log file mest be outside of system logrotate province

    TransferLog /usr/local/psa/var/log/xferlog

    #Change default group for new files and directories in vhosts dir to psacln

    <Directory /home/httpd/vhosts>
    GroupOwner psacln
    </Directory>

    Include /etc/proftpd.include

    --------------cut------------
     
  13. editor

    editor Guest

    0
     
    and because of this here:

    It was clear ;-) that I will therefore also have a look into this file.

    # vi -R /etc/proftpd.include

    -----------------cut---------------
    #Section for mydomainname.tld

    <VirtualHost 111.222.333.444>
    ServerName "ftp.mydomainname.tld"
    CapabilitiesEngine off
    TransferLog /usr/local/psa/var/log/xferlog
    AllowOverwrite on
    Quotas on
    QuotaType hard
    QuotaCalc off
    <Limit LOGIN>
    Order allow, deny
    AllowGroup psacln
    Deny from all
    </Limit>

    UserAlias anonymous psaftp
    <Anonymous /home/httpd/vhosts/mydomainname.tld/anon_ftp>
    TransferLog /home/httpd/vhosts/mydomainname.tld/statistics/logs/xferlog
    PathDenyFilter "^\.quota$"
    RequireValidShell off
    TransferRate RETR 666.000
    MaxClients 100
    User psaftp
    Group psaftp
    DisplayLogin /conf/proftp.msg
    <Limit LOGIN>
    AllowAll
    </Limit>
    <Limit WRITE>
    DenyAll
    </Limit>
    <Directory incoming>
    UserOwner mydomainname
    Umask 022 002
    <Limit STOR>
    AllowAll
    </Limit>
    <Limit WRITE>
    DenyAll
    </Limit>
    <Limit READ>
    AllowAll
    </Limit>
    <Limit MKD XMKD>
    AllowAll
    </Limit>
    </Directory>
    </Anonymous>
    <Directory /home/httpd/vhosts/mydomainname.tld/httpdocs>
    UserOwner mydomainname
    GroupOwner psacln
    </Directory>
    <Directory /home/httpd/vhosts/mydomainname.tld/httpsdocs>
    UserOwner mydomainname
    GroupOwner psacln
    </Directory>
    </VirtualHost>
    -----------------cut---------------
     
  14. editor

    editor Guest

    0
     
    There is something wrong, or it is just not very clear right now.
    There seem to be 2 big differences.

    (1) # vi -R /etc/proftpd.conf
    ====================

    and in the other side onto the same one Plesk-servers, it says here:


    (2) # vi -R /etc/proftpd.include
    =======================

    shorter:

    (1) # vi -R /etc/proftpd.conf
    MaxInstances 30

    (2) # vi -R /etc/proftpd.include
    MaxClients 100

    :confused:


    At the same time, plesk thinks:

    # (such as xinetd)
    MaxInstances 30

    #Following part of this config file were generate by PSA automatically
    #Any changes in this part will be overwritten by next manipulation.......

    So, I am not able to change the lines AFTER this notice, of course.
    But I am able to change the lines BEFORE this notice. For
    example:

    MaxInstances 30
    -->
    MaxInstances 2

    Does this then mean, that there will be only 2 connections for
    ONE user with his ONE ip-number?

    hmm..... how do you think about this? :)
     
  15. editor

    editor Guest

    0
     
    BTW, just an idea by me:

    I would like to add one line BEFORE this

    Include /etc/proftpd.include

    For example:

    Include /etc/angryeditor.include
    Include /etc/proftpd.include

    and then I will create a new file

    -------------------cut-----angryeditor.include---------

    # I write here my little comment
    deny 111.222.333.*

    # I dont have alzheimer, but nobody knows
    deny 66.218.71.124-198

    #spam from Korea
    deny

    # mass-faking from France
    deny 65.245.103.*

    -------------------cut-----angryeditor.include---------

    hmm?

    Plesk could then think what it wants. Plesk is not busy with
    my file "angryeditor.include" (and in this file I input
    all the ip-numbers or the ip-NW-blocks which I want to deny).

    Yes, I am angry because of this abuse. From yesterday to
    today, another 124 GB wasted.
     
  16. editor

    editor Guest

    0
     
    hi jamesyeeoc

    This solution seems to work very fine.

    213.195.198.0/24 into the Plesk, means to deny
    213.195.198.0 - 213.195.198.255

    :)

    Can you please give me a hint or a tip on how I do this with these
    mass-traffic producers and DDoS attackers from:

    --------------------
    inetnum: 83.100.0.0 - 83.100.31.255
    netname: SONGNETWORKS-SONETTI
    descr: Song networks Oy
    descr: 00094, Song
    country: FI

    route: 83.100.0.0/17
    descr: Song Networks Oy
    origin: AS3246
    mnt-by: AS3246-MNT
    source: RIPE # Filtered
    ---------------------

    I would like to deny their complete IPs.

    83.100.0.0 - 83.100.31.255

    Please don't misunderstand me, but I don't want to input:

    83.100.1.0/24
    83.100.2.0/24
    83.100.3.0/24
    83.100.4.0/24
    83.100.5.0/24
    83.100.6.0/24
    83.100.7.0/24
    83.100.8.0/24
    83.100.9.0/24
    83.100.10.0/24
    83.100.11.0/24
    83.100.12.0/24
    83.100.13.0/24
    83.100.14.0/24
    83.100.15.0/24
    ..
    ..
    .
    83.100.31.0/24

    to deny

    83.100.1.0 - 83.100.31.255

    Must I input into Plesk:

    83.100.0.0/17

    or

    83.100.0.0/24

    or

    83.100.0.0/4

    hmmmmmm? But in such an extreme case with 83.100.0.0/24
    (if this is correct to deny 83.100.*.*), this would also mean to
    deny other NW-Blocks which are unguilty:

    inetnum: 83.100.32.0 - 83.100.35.255
    netname: LWF-XDSL
    descr: Lan World Finland Oy
    descr: 33200, Tampere
    country: FI

    Thank you very much.
     
  17. jamesyeeoc

    jamesyeeoc Guest

    0
     
    This would only block from 83.100.0.0 - 83.100.0.255

    Subnet       Mask            Subnet Size   Host Range                    Broadcast
    83.100.0.0   255.255.224.0   8190          83.100.0.1 to 83.100.31.254   83.100.31.255
    IP Address : 83.100.0.0
    Address Class : Classless /19
    Network Address : 83.100.0.0

    Subnet Address : 83.100.0.0
    Subnet Mask : 255.255.224.0
    Subnet bit mask : nnnnnnnn.nnnnnnnn.nnnhhhhh.hhhhhhhh
    Subnet Bits : 19
    Host Bits : 13
    Possible Number of Subnets : 1
    Hosts per Subnet : 8190

    According to my subnet calculator, to block just the range:
    83.100.0.0 - 83.100.31.255

    you would want to use:

    83.100.0.0/19

    Songnet owns a much larger range, are you sure the range you want to block is 83.100.0.0 - 83.100.31.255 ? As you pointed out, other sub-ranges such as 83.100.32.xx are sub-allocated to other companies by Songnet, so are you sure that there are not other sub-allocations within the range you specified which would also affect 'innocent bystanders'??
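
The range-to-CIDR arithmetic discussed in this thread, as an added example (not code from any poster or from Plesk): it converts an inclusive address range into the exact CIDR blocks that cover it and counts how many addresses a candidate prefix misses or blocks by mistake. The function names are hypothetical, and the generated iptables commands assume the INPUT chain and a DROP target; port 21/tcp and all addresses are the ones quoted in the posts above.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering exactly first..last (inclusive)."""
    lo, hi = _ip(first), _ip(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # A block starting at lo can be no larger than lo's alignment
        # (its trailing zero bits) and no larger than what is left to cover.
        align = (lo & -lo).bit_length() - 1 if lo else 32
        fit = (hi - lo + 1).bit_length() - 1
        host_bits = min(align, fit)
        blocks.append(ipaddress.IPv4Network((lo, 32 - host_bits)))
        lo += 1 << host_bits
    return blocks


def coverage(prefix, first, last):
    """Return (missed, collateral) address counts for one candidate prefix.

    missed     = addresses in first..last that the prefix does NOT cover
    collateral = addresses the prefix covers that lie outside first..last
    """
    net = ipaddress.IPv4Network(prefix, strict=False)  # normalises 83.100.0.0/4
    lo, hi = _ip(first), _ip(last)
    n_lo, n_hi = int(net.network_address), int(net.broadcast_address)
    overlap = max(0, min(hi, n_hi) - max(lo, n_lo) + 1)
    return (hi - lo + 1) - overlap, net.num_addresses - overlap


def ftp_drop_rules(first, last):
    """iptables commands (assumed: INPUT chain, DROP target) for port 21/tcp."""
    return [f"iptables -A INPUT -s {net} -p tcp --dport 21 -j DROP"
            for net in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # Ranges and candidate prefixes quoted in the thread.
    for cand in ("83.100.0.0/24", "83.100.0.0/19", "83.100.0.0/17", "83.100.0.0/4"):
        print(cand, coverage(cand, "83.100.0.0", "83.100.31.255"))
    print(range_to_cidrs("195.126.11.128", "195.126.11.191"))
    # An unaligned range needs several blocks.
    for rule in ftp_drop_rules("66.218.71.124", "66.218.71.198"):
        print(rule)
```

A prefix with zero in both counts is the exact match; a non-zero collateral count is the number of addresses belonging to other allocations that would be blocked along with the intended range.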
     