
Question ModSecurity - How to build an IP block list?

alvesjc

Basic Pleskian
Hello all,

Since I've moved to Cloudflare, I've lost the ability to block malicious IP sources from known lists with Ubuntu iptables.

I've found this info about adding IPs to block.

https://www.codeproject.com/Articles/574935/BlockplusIPplususingplusModSecurity

Is it possible to integrate this with the WAF provided in Plesk?

For now I have it running with a Comodo account, but it would be great to restore the ability to block bad IP sources from my site again.

Help appreciated.

My system info:

  • OS: Ubuntu 16.04.3 LTS
  • Product: Plesk Onyx 17.5.3 Update #39, last updated at Feb 4, 2018 11:23 PM
  • Checked at Feb 4, 2018 07:29 AM.
 

Hello, you can still block malicious IPs with fail2ban and Cloudflare: Can I still use fail2ban while using Cloudflare?
You just have to create a file /etc/nginx/conf.d/cloudflare.conf with the following content to restore visitors' real IP:

Code:
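# Trust these proxy ranges to supply the visitor address.
# Cloudflare publishes its current ranges at https://www.cloudflare.com/ips/ ; keep this list in sync with it.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
# Cloudflare sends the visitor address in CF-Connecting-IP; without this
# directive nginx reads its default header, X-Real-IP, and nothing is restored.
real_ip_header CF-Connecting-IP;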

Additionally, there is a fail2ban action available to automatically block an IP with iptables and Cloudflare at the same time: Adding Cloudflare support to fail2ban | Le Blog
 
Hi Virtubox.

Thank you for your inputs.

That is very nice, I'll set up the API also.

But Cloudflare limits the CIDR to /16 or /24 subnets.
In my list I have a lot of /11 subnets to block and many other different subnets.

Is it possible to block this address list with 66k entries in nginx reliably and without much impact on performance?
 

Block those IPs directly with fail2ban on your server; it will set all iptables properly. But even if you block them only with Nginx, it should not impact your server performance because nginx will directly display a 403 forbidden for blocked IPs.

You can also add some jails to ban IPs by checking nginx access logs (for example, too many 404 errors mean directory bruteforce). There is a nice tutorial available here: How to Secure an nginx Server with Fail2Ban
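
Added example, not part of the original thread or any poster's code: one way to turn a large CIDR blocklist (any prefix length, including /11) into an nginx `geo` block, which nginx looks up in a radix tree rather than scanning rule by rule and which evaluates the address restored by the real-IP configuration above. The `geo` approach, the function names, the `$blocked_ip` variable and the `never_block` safeguard are assumptions of this example; the sample addresses are constructed from documentation ranges.

```python
import ipaddress

def parse_blocklist(lines):
    """Parse raw lines into networks; collect entries that are not valid IPs/CIDRs."""
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()      # allow trailing comments
        if not entry:
            continue
        try:
            # strict=False accepts "10.1.2.3/11" and normalises it to 10.0.0.0/11
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)                # report, never write to nginx
    return nets, rejected

def collapse(nets, never_block=()):
    """Merge adjacent/overlapping ranges and drop any that cover a protected network."""
    protected = [ipaddress.ip_network(p) for p in never_block]
    merged = []
    for version in (4, 6):                        # collapse_addresses rejects mixed versions
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return [n for n in merged
            if not any(p.version == n.version and n.overlaps(p) for p in protected)]

def render_geo(nets, variable="blocked_ip"):
    """Render an nginx geo block: one CIDR per line, value 1 means blocked."""
    body = "".join(f"    {n} 1;\n" for n in nets)
    return f"geo ${variable} {{\n    default 0;\n{body}}}\n"

# Constructed sample list (documentation ranges), not the poster's data.
SAMPLE = """\
192.0.2.0/25
192.0.2.128/25      # adjacent to the line above, merges into one /24
198.51.100.7
203.0.113.0/24      # would cover the protected admin address below
2001:db8::/32
not-an-ip
""".splitlines()

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE)
    print(render_geo(collapse(nets, never_block=["203.0.113.10/32"])))
    print("rejected:", bad)
    # In the server block:  if ($blocked_ip) { return 403; }
```

Write the rendered text to a file under /etc/nginx/conf.d/ and run `nginx -t` before reloading, so a malformed list cannot take the site down.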
 