Facebook
Twitter
Thomas Wilhelmi
Regular Pleskian
Hi,
again I have a question about the Firewall-module. How can I enable logging for some rules?
again I have a question about the Firewall-module. How can I enable logging for some rules?
-
We value your experience with Plesk during 2024
Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
Please take this short survey:
https://pt-research.typeform.com/to/AmZvSXkx -
The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
-
We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.
Again firewall question
- Thread starter Thomas Wilhelmi
- Start date
Thomas Wilhelmi
Regular Pleskian
Hm, that means I have to create the entries for logging myself and add it in the created script myself after activating it and execute it again?
Thomas Wilhelmi
Regular Pleskian
Thx. Of course I would backup my changes 
And of yourse you may ask. That's the meaning of a Forum. I have 2 main ideas here. First of all you're right I would like to see if a (new) rule is being hit and the second is to probably analyse attack-patterns.
And of yourse you may ask. That's the meaning of a Forum. I have 2 main ideas here. First of all you're right I would like to see if a (new) rule is being hit and the second is to probably analyse attack-patterns.
That thought also crossed my mind. You mean detecting stuff like port probing? Because in case of various types of DoS relying on heavy traffic having tons of log records to write may be quite harmful.
Thomas Wilhelmi
Regular Pleskian
That's definitely a good Point. I think I have to make some experience to get a feeling what is a good compromise.
atomicturtle
Golden Pleskian
There are certainly options that would let you limit the rate of logging in a LOG rule. For example in ASL we have blacklist rulesets with LOG rules at the bottom that fire at 10 in 1 minute, and a limit burst of 2. A limit for a TOR blacklist looks like this:
-A ASL-TOR-DROP-LOG -m limit --limit 10/minute --limit-burst 2 -j LOG --log-level info --log-prefix "ASL_TOR_BLOCK " --log-tcp-sequence --log-tcp-options --log-ip-options
This way you will log the event with its own syslog prefix, and limit the total number of log messages to no more than 2 events in 1 minute.
-A ASL-TOR-DROP-LOG -m limit --limit 10/minute --limit-burst 2 -j LOG --log-level info --log-prefix "ASL_TOR_BLOCK " --log-tcp-sequence --log-tcp-options --log-ip-options
This way you will log the event with its own syslog prefix, and limit the total number of log messages to no more than 2 events in 1 minute.
Thomas Wilhelmi
Regular Pleskian
Thanks for this hint
Similar threads
