Question Logging in to Plesk with static IP V4, using a static IP v6.

[CobraArbok]

Server operating system version

Ubuntu 22.04.1 LTS

Plesk version and microupdate number

18.0.49 Update #2

Plesk is on a VPS with static V4 public IP.
The office has an Internet line with dynamic IP V4 and static IP v6.

I would like to block access to Plesk using a static IP; can I use the IP V6 one?

If for some reason I can't access from that address, can I change it via SSH or from the VPS console?
Where is it?

 

[scsa20]

There's 2 ways of doing this.

First way is to use the IP Access Restriction Management located under Tools & Settings. You just add in networks that you want to use (rather that's IPv4 or IPv6) or updating the firewall rules to restrict access to just your IP address.

 

[Peter Debik]

@CobraArbok Here is what to do if you locked yourself out using IP access restriction:

https://support.plesk.com/hc/en-us/articles/213906225-Unable-to-log-into-Plesk-Access-for-administrator-from-address-203-0-113-2-is-restricted-in-accordance-with-IP-Access-restriction-policy-currently-applied

 

[CobraArbok]

@CobraArbok Here is what to do if you locked yourself out using IP access restriction:

https://support.plesk.com/hc/en-us/articles/213906225-Unable-to-log-into-Plesk-Access-for-administrator-from-address-203-0-113-2-is-restricted-in-accordance-with-IP-Access-restriction-policy-currently-applied

Even if I had read into the future, Plesk blocked me both from the PC and from the smartphone.
I solved by typing the two commands in the console, but now I would like to understand why it blocks me every day from the dynamic IP.
The Internet line at home is always the same and it's normal for the provider to change my IP address, but it's the first time I've ever blocked it in Fail2Ban.

 

[Peter Debik]

Fail2Ban is a different issue. When you are blocked by Fail2Ban, very likely something from your local network is trying to login with wrong credentials (wrong username or wrong password). Most often that will be an email application. Please check /var/log/fail2ban.log which jail is blocking your ip. From there you can easily find out more using the log files of that corresponding service.

 

[mow]

Plesk is on a VPS with static V4 public IP.
The office has an Internet line with dynamic IP V4 and static IP v6.

I would like to block access to Plesk using a static IP; can I use the IP V6 one?

If your VPS has no IP v6 that's just asking for trouble.

If for some reason I can't access from that address, can I change it via SSH or from the VPS console?

You could tunnel to port 8443 via ssh and access Plesk that way.

 

[CobraArbok]

Fail2Ban is a different issue. When you are blocked by Fail2Ban, very likely something from your local network is trying to login with wrong credentials (wrong username or wrong password). Most often that will be an email application. Please check /var/log/fail2ban.log which jail is blocking your ip. From there you can easily find out more using the log files of that corresponding service.

In fact it's so.
I was blocked again and from the logs I see that the access from the IP address is by Dovecot and Postfix.
But I don't understand why; it is my home IP and accesses are continuous, even at night when the PC is off; furthermore I don't have smartphone applications that access these mailboxes.

 

[Peter Debik]

Most often it is indeed a smartphone. I once know someone how swore that he is not connecting. After three months he found out that he gave his old smartphone to his son and forgot to remove his email app from it. Problem solved.

If you see access through the night and if these occur every five to 15 seconds, it is most likely a phone. Another option could be a pad or an NAS or the router itself that is trying to send notifications on some service by email. Or maybe it's your wife's phone? Your friend's? Your neighborÄs who you share the router with? If the logins are coming from your IP, there sure exists a device that is trying to login.

 

[CobraArbok]

Most often it is indeed a smartphone. I once know someone how swore that he is not connecting. After three months he found out that he gave his old smartphone to his son and forgot to remove his email app from it. Problem solved.

If you see access through the night and if these occur every five to 15 seconds, it is most likely a phone. Another option could be a pad or an NAS or the router itself that is trying to send notifications on some service by email. Or maybe it's your wife's phone? Your friend's? Your neighborÄs who you share the router with? If the logins are coming from your IP, there sure exists a device that is trying to login.

Damn!
It's not the wife, but an old tablet of mine that still had roundcube installed.
Thank you very much.

But in the log I see that there are still dozens of login attempts via ssh and postfix.
I have my ISP's firewall already disallowing SSH access; so how do they try to log in?

And how can I in fail2ban block all but some ports?
Or enable only the ones I need?
The user guide isn't very clear on this and opening existing jails doesn't help me.

 

[Peter Debik]

Postfix brute-force attempts: Very common. Nothing to worry about as long as you have the fail2ban postfix jail on.
SSH brute-force attempts: Also common. However, if SSH port is really blocked, how do you maintain your server yourself? With the fail2ban ssh jail in place it should not worry much anyway. Of course as you are a responsible user you have PermitRootLogin set to "no" in the sshd configuration, right?
Fail2ban block all ports: Fail2ban cannot do that. It does not block ports, it blocks IP addresses of attackers.
In the Plesk firewall disable/block all services that you are not using. For example if you are not using single-sign-on, block it. If you are not using PostgreSQL block it, etc. Else if you go with the default setting, you'll still be fine. Nothing to worry about.

 

[CobraArbok]

... However, if SSH port is really blocked, how do you maintain your server yourself? With the fail2ban ssh jail in place it should not worry much anyway. Of course as you are a responsible user you have PermitRootLogin set to "no" in the sshd configuration, right?
Fail2ban block all ports: Fail2ban cannot do that. It does not block ports, it blocks IP addresses of attackers.
In the Plesk firewall disable/block all services that you are not using. For example if you are not using single-sign-on, block it. If you are not using PostgreSQL block it, etc. Else if you go with the default setting, you'll still be fine. Nothing to worry about.

On my ISP's firewall I closed port 22 and opened another port.
I know they could still scan all open ports, but at least I'm making it a little harder for the lazy and the automatic.
It is for this reason that I want to jail this port on Fail2Ban.

Yes, PermitRootLogin = no.
Then you still need an SSH key and I also activated TFA.

 

[mow]

Of course as you are a responsible user you have PermitRootLogin set to "no" in the sshd configuration, right?

That does not provide significant additional security. "PasswordAuthentication no" is far more important, and together with a non-standard port helps to reduce the noise in the logs.

 

[CobraArbok]

That does not provide significant additional security. "PasswordAuthentication no" is far more important, and together with a non-standard port helps to reduce the noise in the logs.

Yes, I've PasswordAuthentication no